Block countries - Nginx

Posted by Sathish Kumar 
Sathish Kumar
Block countries - Nginx
May 21, 2018 06:00AM
Hi All,

I have a requirement to block certain countries coming to our website. I
managed to achieve it using the ngx_http_geoip_module. I have a problem
now: if the request comes through Amazon API Gateway, how can I read the
X-Forwarded-For header or block these requests too?

nginx.conf:

    map $geoip_country_code $allow_country {
        default yes;
        SG no;
    }

    geoip_country /etc/nginx/GeoIP.dat; # the country IP database
    geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database

domain.conf:

    if ($allow_country = no) {
        return 444;
    }

Thanks & Regards
Sathish.V
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
basti
Re: Block countries - Nginx
May 21, 2018 08:10AM
hello,
the way to block IPs can also be used for PTR records, I think.
Also as wildcard.

Sathish Kumar
Re: Block countries - Nginx
May 22, 2018 03:40AM
Hi All,

Is there a way I can block the clients which are coming through the load
balancer using the nginx http geo ip module?

Currently, I can block the clients which are not coming through the load
balancer or API gateway with the geo ip module.
basti
Re: Block countries - Nginx
May 22, 2018 09:10AM
Hello,
if you have access to this load balancer, the best way would be to block
it there. This also brings down the system load on your load balancer.

Aleksandar Lazic
Re: Block countries - Nginx
May 22, 2018 10:30AM
On 21/05/2018 11:49, Sathish Kumar wrote:
> Hi All,
>
> I have a requirement to block certain countries coming to our website. I
> managed to achieve it using the ngx_http_geoip_module. I have a problem
> now: if the request comes through Amazon API Gateway, how can I read the
> X-Forwarded-For header or block these requests too?
>
> nginx.conf
> map $geoip_country_code $allow_country {
> default yes;
> SG no;
> }
>
>
> geoip_country /etc/nginx/GeoIP.dat; # the country IP database
> geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database
>
>
> domain.conf
> if ($allow_country = no) {
> return 444;
> }

You can try to use $http_x_forwarded_for in the map.
I think this blog post could point you in the right direction.

https://serversforhackers.com/c/nginx-mapping-headers

> Thanks & Regards
> Sathish.V

Best Regards
aleks
Frank Liu
Re: Block countries - Nginx
May 22, 2018 10:50AM
Instead of the default nginx geoip module, I suggest you switch to the
third-party geoip2 module for two reasons:
1) MaxMind deprecated the geoip1 db.
2) The geoip2 module can do what you wanted, and the geo lookup can be
based on any variable, such as $http_x_forwarded_for
Frank

Sathish Kumar
Re: Block countries - Nginx
May 24, 2018 04:00AM
How can I get the client IP address if the request is coming through a load
balancer or proxy and pass it to the default nginx geoip module to block it
based on the country?

Frank Liu
Re: Block countries - Nginx
May 24, 2018 05:30AM
Since only the load balancer sees the client IP, it has to pass that
information to nginx. You need to talk to your LB engineer and depending on
the type of LB, there are different ways to do that. Once the information
is passed to nginx, nginx will expose it as a variable, which can then be
used by the geoip2 module to do the lookup and create a country code for you
to use for blocking.

Peter Booth
Re: Block countries - Nginx
May 24, 2018 05:50AM
If you can dump your HTTP traffic you will probably see headers with names like:
X-Real-IP
X-Forwarded-For

Sathish Kumar
Re: Block countries - Nginx
May 24, 2018 04:00PM
Hi,
The client is already sending the X-Forwarded-For, but when it is received on
the server it has multiple IPs. How can we filter only the 1st IP and pass it
to the geo ip module to block the IP based on country?

Francis Daly
Re: Block countries - Nginx
May 25, 2018 01:00AM
On Thu, May 24, 2018 at 09:57:24PM +0800, Sathish Kumar wrote:

Hi there,

> The client is already sending the X-Forwarded-For, but when it is received on
> the server it has multiple IPs. How can we filter only the 1st IP and pass it
> to the geo ip module to block the IP based on country?

Does http://nginx.org/en/docs/http/ngx_http_realip_module.html do what
you want?

Note: you will have to decide which part of X-Forwarded-For to trust,
since the client can write anything they want to in there. That is what
set_real_ip_from is for.

f
--
Francis Daly francis@daoine.org
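
An added example, not written by any poster in this thread: the realip approach from the reply above combined with the geoip map from the first message. The 192.0.2.0/24 range and the addresses in the comments are constructed placeholders for the load balancer's real address range.

```nginx
# Added example: GeoIP blocking behind a load balancer / API gateway.
# 192.0.2.0/24 is a constructed placeholder; use the address range your
# load balancer actually connects from.
# Requires nginx built with --with-http_realip_module and
# --with-http_geoip_module.

events {}

http {
    # WEAK, do not use: trusts X-Forwarded-For from any peer, so a client
    # that connects directly can claim any address (and any country).
    #   set_real_ip_from 0.0.0.0/0;

    # Only peers in this range may supply the client address.
    set_real_ip_from  192.0.2.0/24;
    real_ip_header    X-Forwarded-For;

    # Walk X-Forwarded-For from the right and stop at the first address
    # that is NOT trusted. Constructed request from peer 192.0.2.10:
    #   X-Forwarded-For: 203.0.113.7, 198.51.100.23, 192.0.2.20
    #   recursive off -> $remote_addr = 192.0.2.20     (a trusted proxy)
    #   recursive on  -> $remote_addr = 198.51.100.23  (appended by the proxy)
    # In this constructed request the leftmost entry, 203.0.113.7, was
    # supplied by the client and is never used.
    real_ip_recursive on;

    # geoip looks up the client address, which realip has already replaced.
    geoip_country /etc/nginx/GeoIP.dat;

    map $geoip_country_code $allow_country {
        default yes;
        SG      no;
    }

    server {
        listen 80;

        if ($allow_country = no) {
            return 444;
        }
    }
}
```

ngx_http_geoip_module also provides geoip_proxy and geoip_proxy_recursive, which apply the same trusted-range logic to X-Forwarded-For for the country lookup only and leave $remote_addr unchanged.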
Peter Booth
Re: Block countries - Nginx
May 25, 2018 07:10AM
Don't.

You should let every tier do its job. Just because nginx has geoip functionality doesn't mean that you should use it.
If you are lucky enough to have a hardware load balancer in front of nginx then do the blocking there, so you reduce the
load on your nginx. The Golden Rule of keeping websites up is "Protect the back-end."
The best way to do that is to handle the request as soon as possible:

1 browser cache
2 CDN
3 load balancer
4 nginx reverse caching proxy
5 backend dynamic systems

Any request that gets to level 4 that could have been handled by level 1, 2, or 3 is just dumb.