<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:initial;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Oops, I just noticed I don’t have a Subject. Sorry about that. The firewall that we use is really cumbersome when it comes to geo ip blocking in my opinion so I decided to do it in nginx. I forgot to mention too that when I put the IP address in the server that I don’t want to block I still get the 403. So I can’t seem to find a way to allow the 192.168.1.0/24 network while keeping geo blocking.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>map $geoip_country_code $country_access {<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> "US" 0;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <b>‘<a href="http://192.168.1.0/24">192.168.1.0/24</a>’ 0</b>;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> default 1;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> }<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> for Windows 10</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:lists@lazygranch.com">lists</a><br><b>Sent: </b>Friday, April 12, 2019 9:58 PM<br><b>To: </b><a href="mailto:nginx@nginx.org">Nginx</a><br><b>Subject: </b>Re: [no subject]</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-family:"initial",serif'>Perhaps a dumb question, but if all you are going to do is return a 403, why not just do this filtering in the firewall by blocking the offending IP space. Yeah I know a server should always have some response, but it isn't like you would be the first person to just block entire countries. (I don't do this on 80/443, but I do block most email ports outside the US.) <o:p></o:p></span></p><div name=BB10 id="BB10_response_div_BBPPID"><p class=MsoNormal><span style='font-family:"initial",serif'><o:p> </o:p></span></p></div><div name=BB10 id="BB10_response_div_BBPPID"><p class=MsoNormal><span style='font-family:"initial",serif'>The only reason I mention this is Nginx blocking is more CPU intensive than the firewall. On a small VPS, you might notice the difference in loadomg.<o:p></o:p></span></p></div><div name=BB10 id="BB10_response_div_BBPPID"><p class=MsoNormal><span style='font-family:"initial",serif'><o:p> </o:p></span></p></div><div name=BB10 id="response_div_spacer_BBPPID"><p class=MsoNormal><span style='font-family:"initial",serif'><o:p> </o:p></span></p></div><div id="_original_msg_header_BBPPID"><table class=MsoNormalTable border=0 cellpadding=0 width="100%" style='width:100.0%;background:white'><tr><td style='padding:.75pt .75pt .75pt .75pt'><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;border-image: initial'><div id=from><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'> softwareinfojam@gmail.com<o:p></o:p></span></p></div><div id=sent><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'>Sent:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'> April 12, 2019 7:24 PM<o:p></o:p></span></p></div><div id=to><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'>To:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'> nginx@nginx.org<o:p></o:p></span></p></div><div id="reply_to"><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'>Reply-to:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'> nginx@nginx.org<o:p></o:p></span></p></div><div id=subject><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'>Subject:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:windowtext'> <o:p></o:p></span></p></div></div></td></tr></table><p class=MsoNormal><o:p> </o:p></p></div><div name=BB10><div id=ssc11652><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi All</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I have implemented GEO IP blocking which is working just fine. I have the settings you see below. </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> map $geoip_country_code $country_access {</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> "US" 0;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> default 1;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> }</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> server {</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> if ($country_access = '1') {</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> return 403;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> }</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I notice though that in the logs, the internal IP Addresses are not tagged with a country code so internal subnets are getting blocked. Would the correct solution be to enter the subnets manually such as this config below? Or is there a better solution? Oh by the way, I did try this below and it didn’t work. Trying to keep the Geographical blocking but allow some IP ranges. Any ideas on how to do this? Any help would be appreciated.</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> map $geoip_country_code $country_access {</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> "US" 0;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <b>‘<a href="http://192.168.1.0/24">192.168.1.0/24</a>’ 0</b>;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> default 1;</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> }</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Regards</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>SI</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal><o:p> </o:p></p></div></body></html>