GeoIP is super helpful if you have trouble with a lot of nasty requests from some nasty countries :). Or, sometimes, you just want to lock down a website or part of it (administration), so that it is accessible only from your country.
Things are a little different when you are using the DirectAdmin control panel. I had this DirectAdmin with an NGINX reverse proxy, so NGINX is the first point for requests made to your websites. Besides SSL offloading, you can also do filtering, country blocking … before the request ends up on the backend (Apache).
So, here is how you can build the GeoIP2 extension into your NGINX on DirectAdmin. In my case, I have NGINX as a reverse proxy with Apache.
Check which NGINX version is installed on your server:

    [root@da nginx]# nginx -v
    nginx version: nginx/1.23.1
Install necessary packages – libmaxminddb, libmaxminddb-devel, geoipupdate.
Download the NGINX source from nginx.org. In my case, this is version 1.23.1.

    [root@da ~]# wget https://nginx.org/download/nginx-1.23.1.tar.gz
    ...
    2023-02-17 10:38:51 (12.9 MB/s) - ‘nginx-1.23.1.tar.gz’ saved [1104352/1104352]

You will need the geoip2 extension source, which can be found on GitHub. The simplest way is to git clone it.

    [root@da ~]# git clone https://github.com/leev/ngx_http_geoip2_module.git
    Cloning into 'ngx_http_geoip2_module'...
    remote: Enumerating objects: 225, done.
    remote: Counting objects: 100% (18/18), done.
    remote: Compressing objects: 100% (17/17), done.
    remote: Total 225 (delta 7), reused 4 (delta 1), pack-reused 207
    Receiving objects: 100% (225/225), 557.06 KiB | 2.20 MiB/s, done.
    Resolving deltas: 100% (86/86), done.

Now you can build the geoip2 extension:

    # Untar nginx archive
    [root@da ~]# tar -xvzf nginx-1.23.1.tar.gz
    nginx-1.23.1/
    nginx-1.23.1/auto/
    ...

    # Go into nginx source directory
    [root@da ~]# cd nginx-1.23.1

    # Run configure
    [root@da nginx-1.23.1]# ./configure --add-dynamic-module="../ngx_http_geoip2_module" --with-compat
    checking for OS
     + Linux 4.18.0-240.15.1.el8_3.x86_64 x86_64
    checking for C compiler ... found
     + using GNU C compiler
    ...

    # If everything goes well with configure, build module
    [root@da nginx-1.23.1]# make modules
    make -f objs/Makefile modules
    make[1]: Entering directory '/root/nginx-1.23.1'
    ...
Because this is DirectAdmin, you'll have to rebuild NGINX with the geoip2 module. You should do that with custombuild.

    [root@da ~]# cd /usr/local/directadmin/custombuild
    [root@da custombuild]# mkdir -p custom/nginx_reverse
    [root@da custombuild]# cp -p configure/nginx_reverse/configure.nginx custom/nginx_reverse/configure.nginx

    # Add this line to your custom configure.nginx
    "--add-module=/root/ngx_http_geoip2_module" \

    # Check if DirectAdmin will use your custom configuration
    [root@da custombuild]# ./build used_configs
    ...
    Nginx (reverse proxy) configuration file: /usr/local/directadmin/custombuild/custom/nginx_reverse/configure.nginx
    ...

    # Then rebuild NGINX
    [root@da custombuild]# ./build nginx
    Found /usr/local/directadmin/custombuild/nginx-1.23.1.tar.gz
    Extracting /usr/local/directadmin/custombuild/nginx-1.23.1.tar.gz...
    Configuring nginx-1.23.1
    ...

If everything went well, you should see ngx_http_geoip2_module built into NGINX. You can check it like this:

    [root@da custombuild]# nginx -V
    nginx version: nginx/1.23.1
    built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
    built with OpenSSL 1.1.1g FIPS 21 Apr 2020
    TLS SNI support enabled
    configure arguments: --user=nginx --group=nginx --prefix=/usr --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --http-log-path=/var/log/nginx/access_log --error-log-path=/var/log/nginx/error_log --without-mail_imap_module --without-mail_smtp_module --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_dav_module --with-http_v2_module --add-module=../ngx_cache_purge --add-module=/root/ngx_http_geoip2_module --with-cc-opt=''-D FD_SETSIZE=32768'
Part one is done, now you have NGINX with geoip2 support. Now, you should install GeoIP maps and create some custom configuration in your NGINX.
First, install GeoIP maps. You can do that with geoipupdate. Just run it.
    [root@da ~]# geoipupdate

Now edit the GeoIP configuration and paste in the lines below. Of course, you must replace UserId and LicenseKey with your own. You can get them from MaxMind; you'll have to register first.

    [root@da ~]# vi /etc/GeoIP.conf

    # GeoIP.conf file for `geoipupdate` program, for versions < 3.1.1.
    # Used to update GeoIP databases from https://www.maxmind.com.
    # For more information about this config file, visit the docs at
    # https://dev.maxmind.com/geoip/updating-databases?lang=en.

    # `UserId` is from your MaxMind account.
    UserId 111111

    # `LicenseKey` is from your MaxMind account
    LicenseKey thisI5M1Key

    # `ProductIds` is from your MaxMind account.
    ProductIds GeoLite2-ASN GeoLite2-City GeoLite2-Country

It's time to create a custom NGINX configuration. Go into /etc/nginx.

    [root@da ~]# cd /etc/nginx/

    # Add custom path to your geoip2 configuration in includes
    [root@da nginx]# vi nginx-includes.conf

    # Add this line:
    include /etc/nginx/nginx.geoip2.conf;

    # Create nginx.geoip2.conf and add the configuration below. Of course, you can
    # create maps to suit your own needs. In my case, I created a map so that only
    # my country is able to access the site.
    [root@da nginx]# vi nginx.geoip2.conf

    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        auto_reload 60m;
        $geoip2_metadata_country_build metadata build_epoch;
        $geoip2_data_country_code country iso_code;
        $geoip2_data_country_name country names en;
    }

    geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
        auto_reload 60m;
        $geoip2_metadata_city_build metadata build_epoch;
        $geoip2_data_city_name city names en;
    }

    map $geoip2_data_country_code $allow_slovenia {
        default no;
        SI yes;
    }
Restart NGINX.
Now you are finished and can create country blocks in DirectAdmin under Server Manager -> Custom HTTPD Configurations. Click on the nginx.conf proxy entry of the website that you wish to edit, then click CUSTOMIZE. Select the CUSTOM2 tab and add your configuration. For example:

    if ($allow_slovenia = no) {
        return 403;
    }

This is it. If I try to access this site from some other country, I should get 403:

    [root@server ~]# curl -I https://mywebsite.com/
    HTTP/2 403
    server: nginx
This is a great way to limit access to administration areas. For example, if this was WordPress, you could create a custom location so that you would limit access only to wp-admin …
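The wp-admin restriction mentioned above, as an added example that is not part of the original post. NGINX `if` cannot combine two conditions, so a second map keys on the country flag plus the request path; the variable name `$block_wp_admin` and the handling of wp-login.php and admin-ajax.php are assumptions made for this illustration.

```nginx
# Added example. Put this map in /etc/nginx/nginx.geoip2.conf (http context),
# below the existing $allow_slovenia map.
# $block_wp_admin is a hypothetical variable name.
#
# $uri is the normalized path, so "//wp-admin/" or "/./wp-admin/" cannot
# slip past the anchored regexes the way they could with $request_uri.
#
# $allow_slovenia is "no" for every country code other than SI, including
# the empty code produced for addresses missing from the database, so the
# rule fails closed.
map "$allow_slovenia:$uri" $block_wp_admin {
    default 0;

    # Regexes are tested in order of appearance; the first match wins.
    # Front-end themes and plugins call admin-ajax.php for ordinary
    # visitors, so it stays reachable from everywhere.
    "~^no:/wp-admin/admin-ajax\.php$" 0;

    # Everything else under /wp-admin/, plus the login page, is blocked
    # when the country flag is "no".
    "~^no:/wp-admin(/|$)"      1;
    "~^no:/wp-login\.php$"     1;
}

# Put this in the site's CUSTOM2 tab (server context) in place of the
# site-wide "if ($allow_slovenia = no)" block. An nginx "if" is false for
# an empty string or "0", true for anything else.
if ($block_wp_admin) {
    return 403;
}
```

Run `nginx -t` before restarting, then repeat the `curl -I` check against both `/` and `/wp-admin/` from an address outside the allowed country.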
The problem with this setup is that when a new version of NGINX becomes available in custombuild, you may get an error when you try to update, because ngx_http_geoip2_module will not be compatible with the new NGINX version. In this case, you'll have to check which NGINX version custombuild would install. Then download the new NGINX source as in this tutorial, and build the ngx_http_geoip2_module module again. But you'll get through it, I know you will 😉