In Nginx I am checking to see if an IP is coming from a blocked country. If it is then the visitor gets a 403. I need the capability to add whitelisted IPs to allow them in even if they are part of the blocked countries.
I would prefer to whitelist the IPs at the nginx.conf location so I don't need to update 30+ virtual host files. How can I do this?
In each of the nginx virtual host files in /etc/nginx/sites-enabled:
    location / {
        if ($allowed_country = no) {
            return 403;
        }
        try_files $uri $uri/ /index.php$is_args$args;
    }
The country list is created in /etc/nginx/nginx.conf:
    ## GEOIP settings
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default yes;
        RU no;
        BR no;
        UA no;
        PH no;
        IN no;
        CN no;
    }
To have a filter on GeoIP country as well as IP address, you need the geo module, resulting in something like:
    location / {
        if ($allowed_country = no) {
            return 403;
        }
        if ($allowed_ip = no) {
            return 403;
        }
        try_files $uri $uri/ /index.php$is_args$args;
    }
Plus the mapping in nginx.conf:
    geo $allowed_ip {
        default no;
        127.0.0.1 yes;
        192.168.1.0/24 yes;
    }
This should be possible but the map directive has to be under the http context.
I would suggest to have an include in every vhost, having the geoip settings in a separate file, to be more flexible.
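One way to make the whitelist override the country block from nginx.conf alone, as an added example that is not part of the original question or answer. The helper variable names `$whitelisted_ip` and `$country_ok` are assumptions, and the listed addresses are the sample values from the answer. Because the final map still produces `$allowed_country`, the existing `if ($allowed_country = no)` check in each virtual host stays unchanged.

```nginx
# /etc/nginx/nginx.conf, inside the http { } context

## GEOIP settings
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Whitelist keyed on the client address ($remote_addr by default).
# Behind a proxy or load balancer, the real client address must be
# restored first (realip module), or every request matches the proxy IP.
geo $whitelisted_ip {
    default         no;
    127.0.0.1       yes;
    192.168.1.0/24  yes;
}

# Country verdict only; renamed so the final result can keep the
# name the virtual hosts already test.
map $geoip_country_code $country_ok {
    default yes;
    RU no;
    BR no;
    UA no;
    PH no;
    IN no;
    CN no;
}

# Combine both verdicts: deny only when the address is NOT whitelisted
# AND the country is blocked. Every other combination is allowed.
map "$whitelisted_ip:$country_ok" $allowed_country {
    default  yes;
    "no:no"  no;
}
```

After editing, `nginx -t` validates the configuration before a reload.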