move nginx geoip blocking to GeoIP database version 2, simplyfing geoip installation

2026-03-26 19:27:23 +01:00 · 2023-03-10 21:33:08 +01:00
parent 4e4055b956
commit 87d871a480
6 changed files with 31 additions and 71 deletions
--- a/conf/cron/update_geoipdb
+++ b/conf/cron/update_geoipdb
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# update geoip database cron weekly
+
+if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoLite2-Country.mmdb || $(find "/usr/share/GeoIP/GeoLite2-Country.mmdb" -mtime +60 -print) ]]; then
+  goiplookup db-update
+fi
--- a/conf/fail2ban/filter.d/nginx-geoipblock.conf
+++ b/conf/fail2ban/filter.d/nginx-geoipblock.conf
@@ -8,5 +8,5 @@ before = common.conf

 _daemon = mailinabox

-failregex = .* - Geoip blocked <HOST>
+failregex = .* - Geoip blocked <HOST> .*
 ignoreregex =
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -30,13 +30,17 @@
                        access_log /var/log/nginx/geoipblock.log geoipblock;
                        return 444;
                }
+# Uncomment to test allowed countries
+#                if ($block_test = 1) {
+#                        access_log /var/log/nginx/geoipblock.log geoippassed;
+#                }

 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
-	    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 		add_header Referrer-Policy "strict-origin";
 	}

--- a/conf/nginx/conf.d/10-geoblock.conf
+++ b/conf/nginx/conf.d/10-geoblock.conf
@@ -1,22 +1,26 @@
 # GeoIP databases
-geoip_country /usr/share/GeoIP/GeoIP.dat;
-geoip_city /usr/share/GeoIP/GeoIPCity.dat;
+geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb
+   {
+        $geoip_country_code_x country iso_code;
+        $geoip_continent_code_x continent code;
+   }

 # map the list of denied countries
 # see e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable
 # countries
-map $geoip_country_code $denied_country {
-   default yes;
+map $geoip_country_code_x $denied_country {
+   default yes;   # Add denied countries with no
   }

 # map the list of allowed countries
-map $geoip_country_code $allowed_country {
-   default no;
+map $geoip_country_code_x $allowed_country {
+   default no;    # Add allowed countries with yes
   }

 # map the continents to allow
-map $geoip_city_continent_code $allowed_continent {
-   default yes;
+map $geoip_city_continent_code_x $allowed_continent {
+   default yes;   # Add allowed continents with yes.
   }

-log_format geoipblock '[$time_local] - Geoip blocked $remote_addr';
+log_format geoipblock '[$time_local] - Geoip blocked $remote_addr - $geoip_country_code_x';
+log_format geoipaccept '[$time_local] - Geoip accepted $remote_addr - $geoip_country_code_x';