move nginx geoip blocking to GeoIP database version 2, simplyfing geoip installation

conf/cron/update_geoipdb

@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# update geoip database cron weekly
+
+if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoLite2-Country.mmdb || $(find "/usr/share/GeoIP/GeoLite2-Country.mmdb" -mtime +60 -print) ]]; then
+  goiplookup db-update
+fi

conf/fail2ban/filter.d/nginx-geoipblock.conf

@@ -8,5 +8,5 @@ before = common.conf
 
 _daemon = mailinabox
 
-failregex = .* - Geoip blocked <HOST>
+failregex = .* - Geoip blocked <HOST> .*
 ignoreregex =

conf/nginx-primaryonly.conf

@@ -30,6 +30,10 @@
                         access_log /var/log/nginx/geoipblock.log geoipblock;
                         return 444;
                 }
+# Uncomment to test allowed countries
+#                if ($block_test = 1) {
+#                        access_log /var/log/nginx/geoipblock.log geoippassed;
+#                }
 
 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;

conf/nginx/conf.d/10-geoblock.conf

@@ -1,22 +1,26 @@
 # GeoIP databases
-geoip_country /usr/share/GeoIP/GeoIP.dat;
-geoip_city /usr/share/GeoIP/GeoIPCity.dat;
+geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb
+   {
+        $geoip_country_code_x country iso_code;
+        $geoip_continent_code_x continent code;
+   }
 
 # map the list of denied countries
 # see e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable
 # countries
-map $geoip_country_code $denied_country {
-   default yes;
+map $geoip_country_code_x $denied_country {
+   default yes;   # Add denied countries with no
    }
 
 # map the list of allowed countries
-map $geoip_country_code $allowed_country {
-   default no;
+map $geoip_country_code_x $allowed_country {
+   default no;    # Add allowed countries with yes
    }
 
 # map the continents to allow
-map $geoip_city_continent_code $allowed_continent {
-   default yes;
+map $geoip_city_continent_code_x $allowed_continent {
+   default yes;   # Add allowed continents with yes.
    }
 
-log_format geoipblock '[$time_local] - Geoip blocked $remote_addr';
+log_format geoipblock '[$time_local] - Geoip blocked $remote_addr - $geoip_country_code_x';
+log_format geoipaccept '[$time_local] - Geoip accepted $remote_addr - $geoip_country_code_x';

setup/geoiptoolssetup.sh

@@ -17,6 +17,10 @@ else
   echo skipping goiplookup database update
 fi
 
+# Install geoip update cron job
+cp -f conf/cron/update_geoipdb /etc/cron.weekly
+chmod +x /etc/cron.weekly/update_geoipdb
+
 # Install geo ip filter script
 cp -f setup/geoipfilter.sh /usr/local/bin/
 chmod +x /usr/local/bin/geoipfilter.sh
@@ -43,62 +47,3 @@ else
     sed -i '/sshd: /d' /etc/hosts.allow
     echo "sshd: ALL: aclexec /usr/local/bin/geoipfilter.sh %a %s" >> /etc/hosts.allow
 fi
-
-# geo ip filtering of nginx access log, based on 
-# https://guides.wp-bullet.com/blocking-country-and-continent-with-nginx-geoip-on-ubuntu-18-04/
-
-## Install geo ip lookup files
-
-# check that GeoIP.dat is older then 2 months, to not hit the server too often 
-if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoIP.dat || $(find "/usr/share/GeoIP/GeoIP.dat" -mtime +60 -print) ]]; then
-  echo updating GeoIP database
-  
-  # Move old file away if it exists
-  if [ -f "/usr/share/GeoIP/GeoIP.dat" ]; then
-    mv -f /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat.bak
-  fi
-
-  hide_output wget -P /usr/share/GeoIP/ https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
-
-  if [ -f "/usr/share/GeoIP/maxmind.dat.gz" ]; then
-    gunzip -c /usr/share/GeoIP/maxmind.dat.gz > /usr/share/GeoIP/GeoIP.dat
-    rm -f /usr/share/GeoIP/maxmind.dat.gz
-  else
-    echo Did not correctly download maxmind geoip country database
-  fi
-
-  # If new file is not created, move the old file back
-  if [ ! -f "/usr/share/GeoIP/GeoIP.dat" ]; then
-    echo GeoIP.dat was not created
-    
-    if [ -f "/usr/share/GeoIP/GeoIP.dat.bak" ]; then
-        mv /usr/share/GeoIP/GeoIP.dat.bak /usr/share/GeoIP/GeoIP.dat
-    fi
-  fi
-
-  # Move old file away if it exists
-  if [ -f "/usr/share/GeoIP/GeoIPCity.dat" ]; then
-    mv -f /usr/share/GeoIP/GeoIPCity.dat /usr/share/GeoIP/GeoIPCity.dat.bak
-  fi
-
-  hide_output wget -P /usr/share/GeoIP/ https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
-
-  if [ -f "/usr/share/GeoIP/maxmind.dat.gz" ]; then
-    gunzip -c /usr/share/GeoIP/maxmind.dat.gz > /usr/share/GeoIP/GeoIPCity.dat
-    rm -f /usr/share/GeoIP/maxmind.dat.gz
-  else
-    echo Did not correctly download maxmind geoip city database
-  fi
-
-  # If new file is not created, move the old file back
-  if [ ! -f "/usr/share/GeoIP/GeoIPCity.dat" ]; then
-    echo GeoIPCity.dat was not created
-    
-    if [ -f "/usr/share/GeoIP/GeoIPCity.dat.bak" ]; then
-        mv /usr/share/GeoIP/GeoIPCity.dat.bak /usr/share/GeoIP/GeoIPCity.dat
-    fi
-  fi
-else
-  echo skipping GeoIP database update
-fi
-

setup/web.sh

@@ -19,7 +19,7 @@ fi
 
 echo "Installing Nginx (web server)..."
 
-apt_install nginx php-cli php-fpm idn2 libnginx-mod-http-geoip
+apt_install nginx php-cli php-fpm idn2 libnginx-mod-http-geoip2
 
 rm -f /etc/nginx/sites-enabled/default