Country banning

Sat Aug 29 21:09:34 MSD 2009

On Sat, Aug 29, 2009 at 08:27:55PM +0400, Igor Sysoev wrote:

> On Sat, Aug 29, 2009 at 11:41:16AM -0400, Jim Ohlstein wrote:
> 
> > We're dealing with a high degree of fraud from certain countries and 
> > would like to simply ban all IP's from those countries.
> > 
> > I seem to recall reading here that using the Geo module is more 
> > efficient for this purpose than the GeoIP module.
> > 
> > Currently I have the following in nginx.conf:
> > 
> > geo $country {
> >    include geo.conf;
> > }
> > 
> > where geo.conf is generated from MaxMind country lite csv database using 
> > geo2nginx.pl supplied with nginx.
> > 
> > In the site config I have multiple if statements like:
> > 
> > server {
> >    ...
> > 
> >    if ($country = XX) {
> >        return 403;
> >    }
> > 
> >    if ($country = YY) {
> >        return 403;
> >    }
> > 
> >    if ($country = ZZ) {
> >        return 403;
> >    }
> > 
> > ...
> > 
> > }
> > 
> > Is this more efficient than using GeoIP module? Is there a more 
> > efficient way of doing this?

> # set forbidden countries to 1, ignore others:
> perl -ne 'print "$1 1\n" if /^(\S+) (US|RU|CN|...);$/' < countries.conf > networks.conf
> 
> # aggregate networks:
> ./compress.pl networks.conf > forbidden.conf
> 
> Then use it:
> 
> geo $forbidden {
>     default  0;
>     include  forbidden.conf;
> }
> 
> server {
>      if ($forbidden) {
>          return 403;
>      }

Or if good entries are less than bad ones, you may invert the logic:

# set good countries to 0, ignore others:
perl -ne 'print "$1 0\n" if /^(\S+) (US|RU|CN|...);$/' < countries.conf > networks.conf

geo $forbidden {
    default  1;
    include  good.conf;
}

-- 
Igor Sysoev
http://sysoev.ru/en/