your mail (GEO IP blocking)

Francis Daly francis at daoine.org
Wed Apr 17 12:38:53 UTC 2019


On Fri, Apr 12, 2019 at 09:24:01PM -0500, Software Info wrote:

Hi there,

> I notice though that in the logs, the internal IP Addresses are not
> tagged with a country code so internal subnets are getting blocked. Would
> the correct solution be to enter the subnets manually such as this config
> below? Or is there a better solution?

You use something to set $geoip_country_code, which compares the source
IP address with its database of locations.

You want to allow certain $geoip_country_code values, and also to allow
certain IP addresses.

One possibility:

* can you see the $geoip_country_code that is set for the addresses you
want to allow (probably blank)?
* are you happy to allow every address that gets that same value?

If so, use

  map $geoip_country_code $country_access {
    "US"    0;
    ""      0;
    default 1;
  }


Another possibility:

* change the database that your tool uses, so that the addresses you
care about (192.168.1.0/24, but not 192.168.2.0/24, for example) set
$geoip_country_code to a value such as "LAN" or something else that is
not otherwise used.
* Then - same as above, but allow "LAN" instead of "".

And another way could be to make your own variable, based on a combination
of the things that you care about. Conceptually (but this does not work),
you want

  # Do not use this
  geo $my_country {
    192.168.1.0/24 "LAN";
    default $geoip_country_code;
  }

and then use $my_country to check validity. In practice instead, you
would want something like (untested by me!):

  geo $lan_ip {
    192.168.1.0/24 "LAN";
    default "";
  }
  map $geoip_country_code$lan_ip $country_access {
    "US"    0;
    "LAN"   0;
    default 1;
  }

which does assume that anything that has $lan_ip set, will have
$geoip_country_code blank (or will get the default value). I think that
for your case of private rfc1918 addresses, this is ok. It is not a
general solution. (It could be adapted to become one, if necessary.)


Do be aware that, depending on your config, the thing that sets
$geoip_country_code and the thing that sets $lan_ip may not be reading
from the same value. So you'll probably want to make sure that they do,
for consistency.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
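The geo + map combination from the reply above, assembled into a complete
http-level configuration, as an added example that is not part of the
original message and has not been posted by its author. It assumes the
legacy ngx_http_geoip_module (the geoip_country database path is a
placeholder), that the geoip lookup returns an empty country code for
RFC1918 addresses, and that nginx sits behind a reverse proxy in
10.0.0.0/8 (an assumed range): the realip module rewrites $remote_addr
once, so geo and geoip read the same client address instead of one of them
seeing the proxy. Drop the three realip lines if nginx is directly exposed.

```nginx
http {
    # Country lookup; database path is an assumption for this example.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Both $geoip_country_code and the geo block below key on $remote_addr.
    # Behind a proxy, fix $remote_addr in one place with the realip module
    # rather than using geoip_proxy, which would change only the geoip
    # lookup and leave geo reading the proxy address.
    set_real_ip_from  10.0.0.0/8;          # assumed trusted proxy range
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Tag the internal subnet(s) to allow; anything else gets "".
    # Note 192.168.2.0/24 is deliberately absent and so stays blocked.
    geo $lan_ip {
        default        "";
        192.168.1.0/24 "LAN";
    }

    # Concatenation: a LAN client yields ""+"LAN" = "LAN" (allowed), a US
    # client yields "US"+"" = "US" (allowed), a DE client "DE" (blocked),
    # and an untagged private address ""+"" = "" (blocked). If the geoip
    # database ever returned a country for a LAN address, the key would
    # become e.g. "USLAN" and fall through to default, i.e. blocked.
    map $geoip_country_code$lan_ip $country_access {
        default 1;
        "US"    0;
        "LAN"   0;
    }

    # Surface the inputs in the access log to check the assumptions.
    log_format geoblock '$remote_addr geoip="$geoip_country_code" '
                        'lan="$lan_ip" deny=$country_access "$request"';

    server {
        listen 80;
        access_log /var/log/nginx/geoblock.log geoblock;

        # A bare "return" inside "if" at server level is the one safe use
        # of "if" here: the request is rejected before any location runs.
        if ($country_access) {
            return 403;
        }

        location / {
            root /var/www/html;
        }
    }
}
```

Check with `nginx -t`, then tail the geoblock log from an internal host: a
192.168.1.x client should show geoip="" lan="LAN" deny=0, and a
192.168.2.x client geoip="" lan="" deny=1. If the geoip column is ever
non-empty for an internal address, the concatenation assumption in the
reply above no longer holds and the map keys need a separator.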

