apachenginxvirtualhostwhitelistnginx-location

Whitelist IPs In Nginx Virtual Host File Country Blocking


In Nginx I am checking to see if an IP is coming from a blocked country. If it is then the visitor gets a 403. I need the capability to add whitelisted IPs to allow them in even if they are part of the blocked countries.

I would prefer to whitelist the IPs at the nginx.conf location so I don't need to update 30+ virtual host files. How can I do this?

In each of the nginx virtual host files in /etc/nginx/sites-enabled

location / {
    if ($allowed_country = no) {
      return 403;
    }

    try_files $uri $uri/ /index.php$is_args$args;
}

The country list is created in /etc/nginx/nginx.conf

## GEOIP settings
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
      default yes;
      RU no;
      BR no;
      UA no;
      PH no;
      IN no;
      CN no;
    }

Solution

  • To have an filter on geoip country as well as IP Adress you need geo module Resulting in something as:

    location / {
       if ($allowed_country = no) {
         return 403;
       }
    
       if ($allowed_ip = no) {
          return 403;
       }
    
       try_files $uri $uri/ /index.php$is_args$args;
    }
    

    Plus the mapping in nginx.conf

    geo $allowed_ip {
        default        no;
    
        127.0.0.1      yes;
        192.168.1.0/24 yes;
    }
    

    This should be possible but the map directive has to be under the http context.

    I would suggest to have an include in every vhost, having the geoip settings in a separate file, to be more flexible.