Tutorial: Block requests by country

First of all, I translated this topic myself from: Tuto: Bloquer les requêtes selon le pays, just for convenience. So all credit goes there! These are only the basics!

Good morning,

Tutorial updated on 10/17/21

  1. Create the following hook:
    /etc/yunohost/hooks.d/conf_regen/18-nginx_geoip
#!/bin/bash

# if not present, add package geoip-database with apt install geoip-database

##############################################
# Beware: I'm not sure this command is universal, so test it first.
# If it does not work, you can find the value with the command ip route;
# it must look like 192.168.0.0/24 or similar.
# Then replace the variable $network_address with it.
network_address=$(awk '{print $1}' <(grep src <(ip route)))
################################################
action=$1
pending_dir=$4
nginx_dir=$pending_dir/../nginx/etc/nginx
nginx_security_conf=$nginx_dir/conf.d/security.conf.inc
nginx_country_conf=$nginx_dir/conf.d/country.conf

[[ $action == "pre" ]] || exit 0
[[ -d $nginx_dir ]] || exit 0
[[ -e $nginx_security_conf ]] || exit 0

echo "# GeoIP databases
geoip_country /usr/share/GeoIP/GeoIP.dat;

map \$geoip_country_code \$allowed_country {
  default no;
  # France
  FR yes;
  # Italy
  #IT yes;
}

geo \$lan-ip {
  default no;
  $network_address yes;
}" > $nginx_country_conf

echo '

# allow local ip
if ($lan-ip = yes) {
  set $allowed_country yes;
}
# block the country
if ($allowed_country = no) {
  return 444;
}' >> $nginx_security_conf

##############################################################

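  2. Create the GeoIP database update script /etc/cron.weekly/Geoipupdate:
#!/bin/bash

# Download and unpack the legacy GeoIP databases (IPv4 and IPv6).
maj_geoip () {
    # Stop if the directory is missing, so nothing is written elsewhere.
    cd /usr/share/GeoIP || return 1
    wget https://mailfud.org/geoip-legacy/GeoIP.dat.gz
    gunzip -f GeoIP.dat.gz
    wget https://mailfud.org/geoip-legacy/GeoIPv6.dat.gz
    gunzip -f GeoIPv6.dat.gz
}

# File that stores the "Latest update" value seen on the previous run.
last=/usr/local/etc/last
# Current "Latest update" value, taken from the bold text on the download page.
update=$(sed -n 's,.*<b>\(.*\)</b>,\1,p' <(curl -s https://mailfud.org/geoip-legacy/ | grep 'Latest update'))
# Download again only when the published value has changed.
[[ "$(<$last)" != "$update" ]] && (echo "$update" > "$last";maj_geoip)
exit 0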

Give the script execute permission:

sudo chmod 500 /etc/cron.weekly/Geoipupdate

Regenerate the Nginx configuration in YunoHost:

yunohost tools regen-conf nginx --force

That’s it, it’s over.

To authorize a country, simply add it to the hook. To remove one, either change the value from yes to no, or comment out the line with a hash (#). Do not forget to regenerate YunoHost's nginx conf with regen-conf so that it is taken into account.


Important: What is below is partially obsolete, I left it for info and not to “break” the discussion thread. We must now follow what is above.

Depending on how you use YunoHost, it is not always necessary to allow access from anywhere. For example, for personal use of Nextcloud, access only from France is sufficient, and sometimes from abroad when traveling. In this case, it is possible to prohibit access from abroad with the IP geolocation lists available here and, in case of travel abroad, to quickly activate access from the country concerned with its ISO code, available on this page.

For more info about this jump to the original topic.

2 Likes
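
The hook above warns that its network_address command is not universal and must return a single value like 192.168.0.0/24. This added example, which is not part of the original tutorial, filters ip route output down to IPv4 networks and writes one geo entry per network; the function names lan_networks and geo_entries and the sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names and the
# sample routes below are constructed for illustration.

# Read `ip route` output on stdin and print the destination of every route
# that has a "src" field, keeping only IPv4 CIDR values such as
# 192.168.0.0/24. A "default ... src ..." line is dropped, because its
# first field is the word "default", not a network.
lan_networks() {
    awk '/ src / && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1 }' |
        sort -u
}

# Print one "<network> yes;" line per network for the geo block. Return 1
# when nothing was found, so the caller never writes a bare " yes;" line.
geo_entries() {
    nets=$(lan_networks)
    if [ -z "$nets" ]; then
        echo "no LAN network found in ip route output" >&2
        return 1
    fi
    printf '%s\n' "$nets" | while read -r net; do
        printf '  %s yes;\n' "$net"
    done
}

# Constructed sample: one LAN interface plus a Docker bridge.
sample_routes='default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.10 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10'

printf '%s\n' "$sample_routes" | geo_entries
```

In the hook, the output of ip route | geo_entries would take the place of the single $network_address yes; line inside the geo block.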

ALSO, @admins, maybe a settings pane for this? Due to things in the world right now!

@someonsusername
If I add multiple countries like this:

# France
FR yes;
CH yes;
DE yes;

NGINX crashes upon reboot. The displayed error when restarting nginx is as follows:

nginx[2303]: nginx: [emerg] invalid number of the geo parameters in /etc/nginx/conf.d/country.conf:14

Line 14 is the line with the closing bracket “}”