Computer Vision
The Math and Code Behind…
Facial alignment is a prereq…
3 years, 4 months ago
Deploy Geo-Restriced Service with Nginx, GeoIP2, and Docker
by Sabbir Ahmed
It is often a feature for a service to restrict content based on country to ensure compliance. From my personal experience, country restrictions can come in handy while under DDoS attacks. You can buy time for network and system engineers while they configure firewall and content filters. Another popular use case is we can forward the traffic to different upstreams based on geolocation with this solution. We can also use this for geofencing, local-marketing strategies, location-based user clustering... So let's get started!
Pre-requisites
To use this blog, you may need to have
- Basic level of understanding in docker and docker-compose
- Good understanding of NGINX, 3rd party module installation for NGINX, and Nginx configurations.
TL;DR
Create a MaxMind account and generate the license keys. Then create a geoupdate/.env file and update as following
GEOIPUPDATE_ACCOUNT_ID=<your-secret>
GEOIPUPDATE_LICENSE_KEY=<your-secret>
GEOIPUPDATE_EDITION_IDS=<your-secret>
clone the repo,
docker-compose up -d geoupdate
docker-compose up -d --build nginx
Then postgres it out with the following command
curl -X GET -H "Accept: application/json" http://<server-ip>
Then tweak the config/site.conf to block and unblock countries.
Please note that, this will not work with localhost. You need a real-ip to postgres it out.
Steps
- MaxMind Account and License Keys(Has free option)
- Install GeoIP module for Nginx
- Download and Configure the GeoIP database
- Nginx configuration
Installing GeoIP Module for Nginx
We have to install a third-party module to incorporate GeoIP-related tasks. We will do it in the easiest way possible, "the docker way".
The following is the first stage that will get the dependencies to build the Nginx GeoIP module. It will also help reduce image size and maintainability.
ARG NGINX_VERSION=1.19.2
FROM nginx:$NGINX_VERSION
ARG NGINX_VERSION=1.19.2
ARG GEOIP2_VERSION=3.3
RUN mkdir -p /var/lib/GeoIP/
RUN apt-get update \
&& apt-get install -y \
build-essential \
libpcre++-dev \
zlib1g-dev \
libgeoip-dev \
libmaxminddb-dev \
wget \
git
RUN cd /opt \
&& git clone --depth 1 -b $GEOIP2_VERSION --single-branch https://github.com/leev/ngx_http_geoip2_module.git \
&& wget -O - http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz | tar zxfv - \
&& mv /opt/nginx-$NGINX_VERSION /opt/nginx \
&& cd /opt/nginx \
&& ./configure --with-compat --add-dynamic-module=/opt/ngx_http_geoip2_module \
&& make modules
The second stage will copy the dependencies and install maxmind library to interpret the mmdb files.
FROM nginx:$NGINX_VERSION
COPY --from=0 /opt/nginx/objs/ngx_http_geoip2_module.so /usr/lib/nginx/modules
RUN apt-get update \
&& apt-get install -y --no-install-recommends --no-install-suggests libmaxminddb0 \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
&& chmod -R 644 /usr/lib/nginx/modules/ngx_http_geoip2_module.so
Finally, we are ready to config our server. The only notable part is at config/nginx.config file. On lines 30-33, you can configure the allowed or disallowed countries of your own, for example, I have blocked BD which is the ISO code for Bangladesh. (It's okay because I am from Bangladesh and so an obvious choice.)
map $geoip2_data_country_iso_code $allowed_country {
default yes;
BD no;
}
Now, we can postgres out the full solution,
git clone https://github.com/by-sabbir/geoip2-nginx.git
Now, we have to address the chicken and egg problem. We can't get away without the geodatabases. So make sure you have run the geoupdate service first. Create a geoupdate/.env file and update as following
GEOIPUPDATE_ACCOUNT_ID=<your-secret>
GEOIPUPDATE_LICENSE_KEY=<your-secret>
GEOIPUPDATE_EDITION_IDS=<your-secret>
And run the following command
docker-compose up -d geoupdate
Then we are ready to run the main service
docker-compose up -d --build nginx
Check the logs to confirm nginx service is running well, (geoupdate service will exit after downloading the database)
docker-compose logs -f nginx
We can now postgres the solution,
curl -X GET -H "Accept: application/json" http://
You should get either one of the following messages back based on your configuration,
{
"code" : "100",
"message" : "Not Blocked"
}
or
{
"code" : "444",
"message" : "Blocked"
}
If so, congratulations! If not let me know in the Github issues, I am always checking. And please fill free to contribute. Cheers!