Directadmin – build GeoIP2 in Directadmin’s NGINX and create country blocking for vhosts.

GeoIP is super helpful if you have troubles with a lot of nasty requests from some nasty countries :). Or, sometimes, you just want to lock some website or part of it ( administration ), so that it is accessible only from your country.

Things are a little different when you are using Directadmin control panel. I had this Directadmin with NGINX reverse proxy, so all NGINX is first point for requests made on your websites. Besides SSL offloading, you can also do filtering, country blocking … before request ends on backend ( Apache ).

So, here is how you can build GeoIP2 extension into your NGINX on Directadmin. I my case, I have Nginx as reverse proxy with Apache.

Check which NGINX version is installed on your server

[root@da nginx]# nginx -v
nginx version: nginx/1.23.1

Continue Reading

[SCRIPT] Install mod_security with OWASP ruleset and GeoIP2 NGINX modules with script.

Because I don’t own NGINX plus, I must build mod_security and geoip2 modules manually each time I set up a new server with NGINX. It’s good practice to have both installed, as it can increase security of your web application significantly. I was getting tired of building every time, so I created a script which will do that for you. This script is build for Rocky Linux 8, so it should work on CentOS 8 (Stream), AlmaLInux …

This script will auto-detect your NGINX version and will download source, build extensions and install ModSecurity also. It will also install necessary dependencies which are needed for install.  If you encounter errors, please check for errors on which library you need. It will also install OWASP ruleset for mod_security and configure your NGINX accordingly. Path to extensions will be inserted in your NGINX configuration by script.

You should install and configure geoipupdate and add geoip definitions in your nginx configuration.

I hope this helps you and saves you some time. Feel free to modify and customize the script according to your needs.

Here is the script: build nginx modules script

Country block/allow with iptables and ipset

Here is a simple way to restrict access to your server from country’s that you don’t want to be able to connect to your services. On website www.ipdeny.com you can find IP lists for specific country’s. With a simple script, you can regularly update those lists so that they are up-to-date with new addresses. In my case, I needed a way to allow some services only available from specific countries. You can also change logic a little bit and blocking only specific county. 

This will work on Linux server with installed iptables and ipset. Ipset will contain all addresses provided from ipdeny.com. 

First, if you don’t already have it, install ipset.

[root@server ~]# dnf install ipset

Then, you’ll need to create ipset array which will contain all addresses. 

ipset create allow_cc hash:net family inet hashsize 1024 maxelem 65536

Continue Reading

© 2024 geegkytuts.net
Hosted by SIEL


About author