jlesage / docker-nginx-proxy-manager

Docker container for Nginx Proxy Manager
MIT License

geoip module #147

Open maxmonz69 opened 3 years ago

maxmonz69 commented 3 years ago

Hi,

is it possible to use geoip module? It seems nginx is not configured with that module and I don't know how to install it.

thanks

jlesage commented 3 years ago

Module added to image version 1.12.0 :)

Hydci commented 3 years ago

Hello, I allow myself to reopen the ticket. I want to set up additional protection by activating only France as the authorized connection. The problem is that I am a total noob in the docker system (I updated the docker to the latest version). Is it possible to have details on how to activate this, or to have an updated wiki, please? Thank you in advance.

maxmonz69 commented 3 years ago

I've found a generic tutorial on how to use geoip but it seems we need to install geoip-database and libgeoip1. Actually I can't install them using apk add ..... I tried to put

map $geoip_country_code $allowed_country {
    default no;
    IT yes;
}

in a http.conf file inside the /config/nginx/custom directory. The tutorial says I also need to add geoip_country /usr/share/GeoIP/GeoIP.dat; but I can't because I can't install it.

I also added

if ($allowed_country = no) { return 444; }

in the advanced section of one of my proxy hosts. The result is I can't access the url.

Anybody can help me please?

jlesage commented 3 years ago

It seems that usage of this feature requires more integrations in the image, i.e. it's not a feature contained within Nginx itself.

Can you share the link to the tutorial you are talking about ? I will check what can be done.

Hydci commented 3 years ago

Hello, it would also seem that the databases are no longer available for this module; you have to go through the geoip2 module.

maxmonz69 commented 3 years ago

I've found these links.

http://acmeextension.com/block-visitors-from-a-country-nginx/

https://www.reinisfischer.com/how-block-visitors-country-nginx-geoip-module

jlesage commented 3 years ago

@Hydci, you are right: geoip2 needs to be used instead.

This means that the required tool and library need to be added to the image, along with a periodic job to download the database.

To be able to download the database, users will need to sign up on https://www.maxmind.com/en/geolite2/signup and configure/provide the license key to the container.

Am I missing something else?

Hydci commented 3 years ago

Hello @jlesage ,

Indeed users must register and according to my research will have to use the lite version.

For what and the docker actually be the database this update via the cron or and integrate into your docker image

That's all I think I really need

Hydci commented 3 years ago

I found a generic link to find out what modules are needed as well as links for free users if that can be useful to you https://medium.com/@maxime.durand.54/add-the-geoip2-module-to-nginx-f0b56e015763

flandin commented 3 years ago

(I'm pretty new to all this so please be gentle...) One way of doing this might be to have everything made ready in each release and just add something to the documentation what to add where and how to use it, just make sure you add updating the geoip stuff in every image. The downside would be that it is in every image and maybe now something everyone would use.

Anyway... what I really need is a description on how to use this in this image, if anyone have it up and running - please help :)

dnguyen800 commented 3 years ago

I would love to help test and configure the GeoIP2 module if it is ever added to this container. I'm not familiar enough with Docker commands to install packages and configure Nginx, so hopefully @jlesage can help us with that and I can help with the configuration and documentation. Here is what I gathered on what is needed to get GeoIP2 up and running:

jlesage commented 3 years ago

The GeoIP2 module is now integrated in the latest image. The whole feature could possibly be integrated into Nginx Proxy Manager, but this could take a while. So here is an example of how to hack the system to restrict access to proxy hosts from certain countries.

First, you need to download the GeoIP2 database from MaxMind (an account needs to be created). This database can be stored in the /config folder of the container.

The next step is to add the following block of code in /config/nginx/custom/http.conf, which defines the countries you want to restrict the access from:

# Add your LAN subnet to the following list if you want to be able to access
# your Proxy Host from your local network.
geo $allowed_ip {
    default no;
    192.168.1.0/24 yes;
}

geoip2 /config/GeoLite2-Country.mmdb {
    auto_reload 10m;
    $geoip2_data_country_iso_code country iso_code;
}

map $geoip2_data_country_iso_code $allowed_country {
    default $allowed_ip;
    FR yes; # France
    BE yes; # Belgium
    DE yes; # Germany
    CH yes; # Switzerland
}

Finally, under the Advanced tab of your proxy host, add the following lines:

if ($allowed_country = no) {
    return 444;
}

If instead you want to put the restriction on all the proxy hosts, you can add this block of config in /config/nginx/custom/server_proxy.conf instead.

dnguyen800 commented 3 years ago

Awesome, I will test it tonight and let you know of any issues. Thanks for the quick update!


dnguyen800 commented 3 years ago

So far I'm not able to get this running.

  1. I downloaded GeoLite2-Country.mmdb from maxmind.com and placed it in the /config folder of the Docker container image

  2. I created the server_proxy.conf file in the config/nginx/custom folder of the Docker container image

  3. I added your code in server_proxy.conf file: image

  4. I deleted my previous proxy host and created a new proxy host with same configuration, and added the following to the Advanced section image

The result is that the proxy host status is offline. When I hover mouse over the status, I get this message: image

NGINX Proxy Manager v2.8.0 is running, so this should be the latest container image. Next step, I'll try deleting the image and redownloading to make sure I have the latest version.

Hydci commented 3 years ago

Hello @dnguyen800 for the geoip file version did you download the lite version for free users?

dnguyen800 commented 3 years ago

Yes, using the free version.


jlesage commented 3 years ago

It's not server_proxy.conf that you should create, but http.conf.

dnguyen800 commented 3 years ago

Thanks. When I first tried http.conf, it wouldn't work, but now it looks like it works and it is rejecting connections. I'm having issues with the mmdb itself, where it's blocking all the US IP addresses I've tried. Can anyone confirm the blocking is working as expected?

jlesage commented 3 years ago

Is it also blocking Canadian IPs ?

You can test the IPs against the DB using https://www.maxmind.com/en/geoip-demo

dnguyen800 commented 3 years ago

I tested my IP address using the link you provided, and it correctly identified the city and country. I'm not sure why I can't get the module, but I'll repeat the installation steps again.

Update: no luck, I'm not able to resolve the issue. The .mmdb file looks like it loads correctly (the container fails to start if pointing to another location). I'm out of ideas!

lordfiSh commented 3 years ago

This works, but without Changes to the Docker Image this shouldn't be used ;)

Install GeoIP Module

echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
apk update
apk add nginx@edge nginx-mod-http-geoip@edge

Install GeoIP Legacy Databases

cd /data # or somewhere 
wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
gunzip maxmind.dat.gz

Add this to your /etc/nginx/nginx.conf inside the http { part

geoip_country /data/maxmind.dat;
map $geoip_country_code $allowed_country {
    default no;
    DE yes;
}

Reload Nginx

nginx -s reload -c /etc/nginx/nginx.conf

After that you can use the following in the Advanced Section in the Proxy Hosts Settings

if ($allowed_country = no) {
    return 444;
}

jlesage commented 3 years ago

Note that this version of the geoip module is deprecated. Also, installing the nginx-mod-http-geoip package probably pulls nginx, which will overwrite the one installed in the container...

jlesage commented 3 years ago

@dnguyen800 , I tried again on my side and it's working fine (same config as yours). I'm using https://www.locabrowser.com to test access from different countries.

dnguyen800 commented 3 years ago

I've tried many different configurations resulting in unexpected outputs, so I'm just going to blame it on my Synology NAS that has an outdated Docker. Thank you for helping me though, much appreciated. I will test again if I install Docker on another device.

maxmonz69 commented 3 years ago

Hi, I followed your instructions and all seems to work except for the fact I can't access my servers from inside the LAN. I put 192.168.1.0/24 yes in the allowed ip. The result is ERR_HTTP2_PROTOCOL_ERROR. Why?

Thanks

maxmonz69 commented 3 years ago

Hi again,

I just found a solution but I don't know if it is the right way. In the map section of http.conf I put an empty country code ('' yes;) and now local IPs are allowed.

masterwishx commented 2 years ago

GeoLite2-City.mmdb also can be used instead of GeoLite2-Country.mmdb ?

bohemtucsok commented 2 years ago

Hi!

I had a hard time setting up the geoip module. The description that jlesage posted is perfect. The problem that is not described is that if the proxy is running in a container (bridge mode), the ip address of the docker's default gateway is displayed in the log at the client, so the geoip module does not work and the above error is written by maxmonz69.

The solution is that geoip can only work in host mode, if you run it this way, the client ip in the log will be the real one and not the docker gateway ip.

I tested it works perfectly but only so !! However, since the default ports for the container are not 80 and 443, two iptables rules must be added to the linux server.

iptables -t nat -A PREROUTING -p tcp -m tcp -i ens160 --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp -m tcp -i ens160 --dport 443 -j REDIRECT --to-ports 4443

I hope I could help with this :)
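The decision path of the geo / geoip2 / map configuration discussed in this thread, modelled in Python as an added example (not code from the thread or the project). It compares the configuration as posted with the `'' yes;` workaround when nginx sees the Docker gateway as the client address. The lookup table, the sample addresses and the 172.17.0.1 gateway are constructed assumptions; a real deployment reads GeoLite2-Country.mmdb.

```python
import ipaddress

# Constructed stand-in for GeoLite2-Country.mmdb (documentation ranges, not real data).
SAMPLE_DB = {"203.0.113.0/24": "FR", "198.51.100.0/24": "US"}
LAN_ALLOW = ["192.168.1.0/24"]            # the geo $allowed_ip block
COUNTRY_ALLOW = {"FR", "BE", "DE", "CH"}  # the map $allowed_country block


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def country_iso_code(ip):
    """$geoip2_data_country_iso_code: empty string when the address is not in the database."""
    addr = ipaddress.ip_address(ip)
    for net, code in SAMPLE_DB.items():
        if addr in ipaddress.ip_network(net):
            return code
    return ""


def allowed_country(ip, allow_empty_code=False):
    """Value of $allowed_country for the address nginx sees as $remote_addr."""
    code = country_iso_code(ip)
    if code in COUNTRY_ALLOW:
        return "yes"
    if allow_empty_code and code == "":    # the  '' yes;  map entry
        return "yes"
    return "yes" if _in_any(ip, LAN_ALLOW) else "no"   # default $allowed_ip


def response(ip, **kw):
    """444 mirrors `return 444;`; "proxied" means the request reaches the upstream."""
    return 444 if allowed_country(ip, **kw) == "no" else "proxied"


if __name__ == "__main__":
    docker_gateway = "172.17.0.1"   # assumption: Docker's default bridge gateway
    for ip in ("203.0.113.7", "198.51.100.7", "192.168.1.20", docker_gateway, "192.0.2.9"):
        print(f"{ip:15} code={country_iso_code(ip)!r:5} "
              f"as posted={response(ip)!s:8} with '' yes={response(ip, allow_empty_code=True)}")
```

With the `'' yes;` entry, every address the database cannot resolve is allowed, which includes the gateway address that all clients share when the container does not see real source IPs.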