I used the GeoIP library with NGINX for quite some time, but it reached EOL. GeoIP2 is now available. It is a great tool for blocking unwanted traffic to your web server. This was done on CentOS 7. If you don’t want to pay for getpagespeed’s paid version, then you must build this module from source.
First, you’ll need to know your current NGINX version:
[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1
Then download the exact same version of NGINX from this site and unpack it. In my case:
[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
Then you should download ngx_http_geoip2_module, the geoip2 module for NGINX:
[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip
[root@myserver ~]# mv ngx_http_geoip2_module-master ngx_http_geoip2_module
You should install GCC and Development Tools for dependencies.
[root@myserver ~]# yum groupinstall 'Development Tools'
[root@myserver ~]# yum install gcc
If you don’t want to get this error: module "/etc/nginx/modules/ngx_http_geoip2_module.so" is not binary compatible in /etc/nginx/nginx.conf, then you should build NGINX from source with the same flags that the current NGINX installation was built with.
To get all configure arguments of the current NGINX installation, type this command:
[root@myserver ~]# nginx -V
Then go to your downloaded NGINX source (in this example, nginx-1.16.1) and configure it with ngx_http_geoip2_module. Also add --with-compat at the end. If configure is successful, run make modules.
[root@myserver ~]# cd nginx-1.16.1
[root@myserver nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --modules-path=/usr/local/nginx/modules --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/var/log/nginx/access.log --add-dynamic-module=../ngx_http_geoip2_module ... --with-compat
[root@myserver nginx-1.16.1]# make modules
If everything went well, your geoip2 module should be inside the objs directory. Copy ngx_http_geoip2_module.so to your NGINX modules path.
[root@myserver nginx-1.16.1]# cd objs/
[root@myserver objs]# cp ngx_http_geoip2_module.so /usr/lib64/nginx/modules/
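Copying the configure arguments by hand from nginx -V is where binary-compatibility mistakes usually creep in. The script below is an added example, not part of the original post: it extracts the version and configure arguments from nginx -V output and composes the matching ./configure line. The nginx -V text is a constructed sample, and the default module path is the one used in the steps above.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output (the real command writes to stderr).
SAMPLE_NGINX_V="nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
configure arguments: --prefix=/etc/nginx --modules-path=/usr/lib64/nginx/modules --with-cc-opt='-O2 -g -fPIC' --with-http_ssl_module"

# Bare version number of the installed binary, e.g. 1.16.1
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# Source tarball that matches the installed version (URL pattern from the post)
nginx_source_url() {
    printf 'http://nginx.org/download/nginx-%s.tar.gz\n' "$(nginx_version "$1")"
}

# Configure arguments exactly as the installed binary was built
nginx_configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Compose the ./configure line for the dynamic module.
# $2: path to the module source; the default is the path used in this post.
module_configure_cmd() {
    cfg_args=$(nginx_configure_args "$1")
    if [ -z "$cfg_args" ]; then
        echo "no configure arguments found in nginx -V output" >&2
        return 1
    fi
    # Append --with-compat only if the package was not already built with it
    case " $cfg_args " in
        *" --with-compat "*) ;;
        *) cfg_args="$cfg_args --with-compat" ;;
    esac
    printf './configure %s --add-dynamic-module=%s\n' \
        "$cfg_args" "${2:-../ngx_http_geoip2_module}"
}

# On a real host: module_configure_cmd "$(nginx -V 2>&1)"
nginx_source_url "$SAMPLE_NGINX_V"
module_configure_cmd "$SAMPLE_NGINX_V"
```

The printed line keeps the quoted --with-cc-opt and --with-ld-opt values intact, so review it and paste it into the shell inside the NGINX source directory rather than word-splitting it from a variable.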
Then include the module in the NGINX configuration. Add the string below to your NGINX configuration in /etc/nginx/nginx.conf – http section:
load_module modules/ngx_http_geoip2_module.so;
You can then download the GeoLite2-Country and GeoLite2-City databases and include them in your NGINX http section like so:
geoip2 /usr/share/GeoIP2/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_metadata_country_build metadata build_epoch;
    $geoip2_data_country_code country iso_code;
    $geoip2_data_country_name country names en;
}
geoip2 /usr/share/GeoIP2/GeoLite2-City.mmdb {
    auto_reload 60m;
    $geoip2_metadata_city_build metadata build_epoch;
    $geoip2_data_city_name city names en;
}
Create a simple map. In this case all countries are allowed except the ones defined with no:
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}
Then, if you want to block a specific country, add this to your virtual host:
if ($allowed_country = no) {
    return 403;
}
Simple test:
$ curl -I https://mysite.org
HTTP/2 403
nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_geoip2_module.so" is not binary compatible in /etc/nginx/nginx.conf:5
After checking on the previous issue, I tried to compile with the flag (nginx -V):
nginx -V
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-subs-filter
and I compiled like this:
./configure --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-subs-filter --add-dynamic-module=../ngx_http_geoip2_module --with-compat
But after that, when I tried to make, it is giving me the below error:
make modules
make: *** No rule to make target ‘modules’. Stop.
Please help to resolve this issue.