From 87d871a4807831de21f93691676dd79cc85565a4 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Fri, 10 Mar 2023 21:33:08 +0100 Subject: [PATCH] move nginx geoip blocking to GeoIP database version 2, simplyfing geoip installation --- conf/cron/update_geoipdb | 7 +++ conf/fail2ban/filter.d/nginx-geoipblock.conf | 2 +- conf/nginx-primaryonly.conf | 6 +- conf/nginx/conf.d/10-geoblock.conf | 22 ++++--- setup/geoiptoolssetup.sh | 63 ++------------------ setup/web.sh | 2 +- 6 files changed, 31 insertions(+), 71 deletions(-) create mode 100644 conf/cron/update_geoipdb diff --git a/conf/cron/update_geoipdb b/conf/cron/update_geoipdb new file mode 100644 index 00000000..959ace9e --- /dev/null +++ b/conf/cron/update_geoipdb @@ -0,0 +1,7 @@ +#!/bin/bash +# +# update geoip database cron weekly + +if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoLite2-Country.mmdb || $(find "/usr/share/GeoIP/GeoLite2-Country.mmdb" -mtime +60 -print) ]]; then + goiplookup db-update +fi diff --git a/conf/fail2ban/filter.d/nginx-geoipblock.conf b/conf/fail2ban/filter.d/nginx-geoipblock.conf index 11dccbcc..cd4ff7f7 100644 --- a/conf/fail2ban/filter.d/nginx-geoipblock.conf +++ b/conf/fail2ban/filter.d/nginx-geoipblock.conf @@ -8,5 +8,5 @@ before = common.conf _daemon = mailinabox -failregex = .* - Geoip blocked +failregex = .* - Geoip blocked .* ignoreregex = diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 915d45eb..47fd7bf4 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf 
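Review bot: The weekly job refreshes /usr/share/GeoIP/GeoLite2-Country.mmdb on disk, but nothing in the script reloads nginx and the `geoip2` block added in 10-geoblock.conf is declared without an `auto_reload` interval, so the running workers keep using the database they opened at startup until nginx is next restarted, and the country blocklist silently lags the file on disk. Either append `systemctl reload nginx` after a successful update or add `auto_reload 60m;` inside the `geoip2 { ... }` block (raised once here for both files). The exit status of `goiplookup db-update` is also discarded; `goiplookup db-update || echo "geoip database update failed" >&2` would make a failed refresh visible in the cron output instead of leaving the stale file in place without a trace.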
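Review bot: As rendered here the new `failregex = .* - Geoip blocked .*` contains no `<HOST>` capture, and fail2ban needs a `<HOST>` (or `<ADDR>`) group to know which address to ban; if the tag was merely stripped from this view, disregard, otherwise the line should read `failregex = .* - Geoip blocked <HOST> - .*` so that the address is captured before the ` - $geoip_country_code_x` suffix that the new log_format in 10-geoblock.conf appends. The trailing `.*` is only needed because the log line now ends with the country code; the leading `.*` could likewise be tightened to the `\[.*\] - ` prefix the log_format actually emits so the pattern does not depend on a wildcard swallowing the timestamp.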
@@ -30,13 +30,17 @@ access_log /var/log/nginx/geoipblock.log geoipblock; return 444; } +# Uncomment to test allowed countries +# if ($block_test = 1) { +# access_log /var/log/nginx/geoipblock.log geoippassed; +# } proxy_pass http://127.0.0.1:10222/; proxy_set_header X-Forwarded-For $remote_addr; add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "frame-ancestors 'none';"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Referrer-Policy "strict-origin"; } diff --git a/conf/nginx/conf.d/10-geoblock.conf b/conf/nginx/conf.d/10-geoblock.conf index c977d366..aea40126 100644 --- a/conf/nginx/conf.d/10-geoblock.conf +++ b/conf/nginx/conf.d/10-geoblock.conf 
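Review bot: The commented test block logs with format `geoippassed`, but 10-geoblock.conf in this same commit defines the accepted-request format as `geoipaccept`, so anyone who uncomments it as instructed gets an `nginx -t` failure for an unknown log format; the line should be `# access_log /var/log/nginx/geoipblock.log geoipaccept;`. `$block_test` is not defined anywhere in this diff, so the comment should also name where that variable is expected to come from (presumably a map in the geoblock config). The `Strict-Transport-Security` line changes only in whitespace, and the enclosing location block starts before the hunk.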
@@ -1,22 +1,26 @@ # GeoIP databases -geoip_country /usr/share/GeoIP/GeoIP.dat; -geoip_city /usr/share/GeoIP/GeoIPCity.dat; +geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb + { + $geoip_country_code_x country iso_code; + $geoip_continent_code_x continent code; + } # map the list of denied countries # see e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable # countries -map $geoip_country_code $denied_country { - default yes; +map $geoip_country_code_x $denied_country { + default yes; # Add denied countries with no } # map the list of allowed countries -map $geoip_country_code $allowed_country { - default no; +map $geoip_country_code_x $allowed_country { + default no; # Add allowed countries with yes } # map the continents to allow -map $geoip_city_continent_code $allowed_continent { - default yes; +map $geoip_city_continent_code_x $allowed_continent { + default yes; # Add allowed continents with yes. } -log_format geoipblock '[$time_local] - Geoip blocked $remote_addr'; +log_format geoipblock '[$time_local] - Geoip blocked $remote_addr - $geoip_country_code_x'; +log_format geoipaccept '[$time_local] - Geoip accepted $remote_addr - $geoip_country_code_x'; diff --git a/setup/geoiptoolssetup.sh b/setup/geoiptoolssetup.sh index 83912d9d..ce7d6645 100644 --- a/setup/geoiptoolssetup.sh +++ b/setup/geoiptoolssetup.sh @@ -17,6 +17,10 @@ else echo skipping goiplookup database update fi +# Install geoip update cron job +cp -f conf/cron/update_geoipdb /etc/cron.weekly +chmod +x /etc/cron.weekly/update_geoipdb + # Install geo ip filter script cp -f setup/geoipfilter.sh /usr/local/bin/ chmod +x /usr/local/bin/geoipfilter.sh 
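Review bot: The continent map reads `$geoip_city_continent_code_x`, but the `geoip2` block above defines `$geoip_continent_code_x`, so the map's source variable is never populated: nginx normally refuses to start with an unknown-variable error for a map source it cannot resolve, and if the name happens to be declared elsewhere `$allowed_continent` can only ever take its `default yes` value. The line should be `map $geoip_continent_code_x $allowed_continent {`. The comment still links the legacy ISO-3166 code page; GeoLite2's `iso_code` returns the same two-letter codes, so it is outdated rather than wrong, but pointing at the GeoIP2 documentation would avoid confusion now that the legacy database is gone.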
@@ -43,62 +47,3 @@ else
 sed -i '/sshd: /d' /etc/hosts.allow
 echo "sshd: ALL: aclexec /usr/local/bin/geoipfilter.sh %a %s" >> /etc/hosts.allow
 fi
-
-# geo ip filtering of nginx access log, based on
-# https://guides.wp-bullet.com/blocking-country-and-continent-with-nginx-geoip-on-ubuntu-18-04/
-
-## Install geo ip lookup files
-
-# check that GeoIP.dat is older then 2 months, to not hit the server too often
-if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoIP.dat || $(find "/usr/share/GeoIP/GeoIP.dat" -mtime +60 -print) ]]; then
- echo updating GeoIP database
-
- # Move old file away if it exists
- if [ -f "/usr/share/GeoIP/GeoIP.dat" ]; then
- mv -f /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat.bak
- fi
-
- hide_output wget -P /usr/share/GeoIP/ https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
-
- if [ -f "/usr/share/GeoIP/maxmind.dat.gz" ]; then
- gunzip -c /usr/share/GeoIP/maxmind.dat.gz > /usr/share/GeoIP/GeoIP.dat
- rm -f /usr/share/GeoIP/maxmind.dat.gz
- else
- echo Did not correctly download maxmind geoip country database
- fi
-
- # If new file is not created, move the old file back
- if [ ! -f "/usr/share/GeoIP/GeoIP.dat" ]; then
- echo GeoIP.dat was not created
-
- if [ -f "/usr/share/GeoIP/GeoIP.dat.bak" ]; then
- mv /usr/share/GeoIP/GeoIP.dat.bak /usr/share/GeoIP/GeoIP.dat
- fi
- fi
-
- # Move old file away if it exists
- if [ -f "/usr/share/GeoIP/GeoIPCity.dat" ]; then
- mv -f /usr/share/GeoIP/GeoIPCity.dat /usr/share/GeoIP/GeoIPCity.dat.bak
- fi
-
- hide_output wget -P /usr/share/GeoIP/ https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
-
- if [ -f "/usr/share/GeoIP/maxmind.dat.gz" ]; then
- gunzip -c /usr/share/GeoIP/maxmind.dat.gz > /usr/share/GeoIP/GeoIPCity.dat
- rm -f /usr/share/GeoIP/maxmind.dat.gz
- else
- echo Did not correctly download maxmind geoip city database
- fi
-
- # If new file is not created, move the old file back
- if [ !
-f "/usr/share/GeoIP/GeoIPCity.dat" ]; then - echo GeoIPCity.dat was not created - - if [ -f "/usr/share/GeoIP/GeoIPCity.dat.bak" ]; then - mv /usr/share/GeoIP/GeoIPCity.dat.bak /usr/share/GeoIP/GeoIPCity.dat - fi - fi -else - echo skipping GeoIP database update -fi - diff --git a/setup/web.sh b/setup/web.sh index 1f90d71d..0cf84860 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -19,7 +19,7 @@ fi echo "Installing Nginx (web server)..." -apt_install nginx php-cli php-fpm idn2 libnginx-mod-http-geoip +apt_install nginx php-cli php-fpm idn2 libnginx-mod-http-geoip2 rm -f /etc/nginx/sites-enabled/default
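Review bot: Only the package name changes here, so on an already-installed box the legacy `libnginx-mod-http-geoip` module stays installed and enabled (nothing in this diff removes it), and the `GeoIP.dat`, `GeoIPCity.dat` and `.bak` files that the deleted geoiptoolssetup.sh code wrote remain in /usr/share/GeoIP. If `apt_install` is not expected to handle removals (it does not appear to), a one-time migration step next to this line would keep upgrades clean, e.g. `apt-get purge -y libnginx-mod-http-geoip` where no other setup step needs it, followed by `rm -f /usr/share/GeoIP/GeoIP.dat* /usr/share/GeoIP/GeoIPCity.dat*`.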