your mail (GEO IP blocking)

Francis Daly francis at
Wed Apr 17 12:38:53 UTC 2019

On Fri, Apr 12, 2019 at 09:24:01PM -0500, Software Info wrote:

Hi there,

> I notice though that in the logs, the internal IP Addresses are not
> tagged with a country code so internal subnets are getting blocked. Would
> the correct solution be to enter the subnets manually such as this config
> below? Or is there a better solution?

You use something to set $geoip_country_code, which compares the source
IP address with its database of locations.

You want to allow certain $geoip_country_code values, and also to allow
certain IP addresses.

One possibility:

* can you see the $geoip_country_code that is set for the addresses you
want to allow (probably blank)?
* are you happy to allow every address that gets that same value?

If so, use

  map $geoip_country_code $country_access {
    "US"    0;
    ""      0;
    default 1;
  }

Another possibility:

* change the database that your tool uses, so that the addresses you
care about (, but not, for example) set
$geoip_country_code to a value such as "LAN" or something else that is
not otherwise used.
* Then - same as above, but allow "LAN" instead of "".

And another way could be to make your own variable, based on a combination
of the things that you care about. Conceptually (but this does not work),
you want

  # Do not use this
  geo $my_country {
    <lan-subnet>  "LAN";    # placeholder: the address range was stripped from the archived message
    default $geoip_country_code;
  }

and then use $my_country to check validity. In practice instead, you
would want something like (untested by me!):

  geo $lan_ip {
    <lan-subnet>  "LAN";    # placeholder: the address range was stripped from the archived message
    default "";
  }
  map $geoip_country_code$lan_ip $country_access {
    "US"    0;
    "LAN"   0;
    default 1;
  }

which does assume that anything that has $lan_ip set will have
$geoip_country_code blank (or will get the default value). I think that
for your case of private RFC 1918 addresses, this is ok. It is not a
general solution. (It could be adapted to become one, if necessary.)

Do be aware that, depending on your config, the thing that sets
$geoip_country_code and the thing that sets $lan_ip may not be reading
from the same value. So you'll probably want to make sure that they do,
for consistency.

Good luck with it,

Francis Daly        francis at
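One way to put the pieces from the message above together in a complete config, as an added example that is not from Francis's reply or the original poster's setup. It assumes ngx_http_geoip_module is what sets $geoip_country_code, that the LAN is the RFC 1918 space, and uses placeholder values for the database path, server_name and log path. It also goes one step beyond the concatenation trick in the message: the final map uses a variable as its value, so a LAN address is allowed even when the GeoIP database does happen to return a country code for it, which is the assumption the "$geoip_country_code$lan_ip" key relies on.

```nginx
# Added example, not the mailing-list author's config. Minimal nginx.conf
# that allows US clients plus RFC 1918 addresses and blocks everything else.
events {}

http {
    # Database path is an assumption; point at your own GeoIP file.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Tag private addresses. Keying explicitly on $remote_addr keeps this
    # lookup on the same value the geoip module reads (both see the client
    # address as rewritten by the real_ip module, if that is configured).
    geo $remote_addr $lan_ip {
        default          "";
        10.0.0.0/8       "LAN";
        172.16.0.0/12    "LAN";
        192.168.0.0/16   "LAN";
    }

    # Country policy on its own: 0 = allow, 1 = block.
    map $geoip_country_code $country_block {
        default 1;
        "US"    0;
    }

    # Final decision. A LAN address is allowed regardless of what the GeoIP
    # database says about it; every other address falls through to the
    # country policy. Because the map value is itself a variable, this does
    # not depend on $geoip_country_code being blank for LAN addresses.
    map $lan_ip $country_access {
        "LAN"   0;
        default $country_block;
    }

    # Log the inputs next to the decision so a blocked internal client can
    # be diagnosed from the access log instead of guessed at.
    log_format geo '$remote_addr country="$geoip_country_code" '
                   'lan="$lan_ip" blocked=$country_access';

    server {
        listen 80;
        server_name example.test;    # placeholder
        access_log /var/log/nginx/geo.log geo;    # placeholder path

        # $country_access is "1" for blocked clients, "0" for allowed ones.
        if ($country_access) {
            return 403;
        }

        location / {
            root /var/www/html;    # placeholder
        }
    }
}
```

Check the syntax with `nginx -t` before reloading. On the consistency point in the message: if the country lookup is made to use X-Forwarded-For (the geoip module's `geoip_proxy` directive) while `geo` still keys on $remote_addr, the two variables describe different addresses and LAN clients behind a proxy will not be tagged. Rewriting $remote_addr with the real_ip module instead keeps both lookups on the same value.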
