SiteHost

Enable Country-Level blocking in Cloud Containers

MaxMind is a popular geolocation service that provides IP geolocation and intelligence solutions. By utilizing MaxMind, you can block access to your websites from specific countries based on their IP addresses. In this article, we will guide you through the process of enabling and using MaxMind to block country-level IPs on your cloud container.

  1. Download the GeoLite2 Country MaxMind Database in .mmdb format from MaxMind's official website. Place it in a location inside your container (for example /container/application/GeoLite2-Country.mmdb).

  2. Enable and set up the configuration files.

For Apache, symlink the MaxMind .conf and .load files into the mods-enabled folder:

cd /container/config/apache2/mods-enabled
ln -s ../mods-available/maxminddb.conf .
ln -s ../mods-available/maxminddb.load .

The list of country codes is available on this page. To block specific countries, add the suggested rules below to the container's .htaccess file:

<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /container/application/GeoLite2-Country.mmdb

MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code

SetEnvIf COUNTRY_CODE ^(RU|DE|US) BlockCountry
Deny from env=BlockCountry
</IfModule>

For Nginx, a few modifications in the config are required:

  • In /container/config/nginx/nginx.conf, load the GeoIP2 module before the events block:

pid /run/nginx.pid;

load_module modules/ngx_http_geoip2_module.so;

events {

  • Pass the MaxMind database to the GeoIP2 module, then map the variables to allow or deny a country:

http {
        ##
        # Basic Settings
        ##

        geoip2 /container/application/GeoLite2-Country.mmdb {
            $geoip2_data_country_iso_code country iso_code;
        }

        map $geoip2_data_country_iso_code $allowed_country {
            default yes;
            DE no; # Germany
        }

  • In /container/config/nginx/sites-available/default, add an if statement to each location block to reject requests from the denied country (444 is a non-standard Nginx code that closes the connection without sending a response):

location / {
            try_files $uri $uri/ =404;
            if ($allowed_country = no) {
                return 444;
            }
}

location ~ \.php$ {
            # Fix for HTTProxy
            fastcgi_param HTTP_PROXY "";

            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;

            if ($allowed_country = no) {
                return 444;
            }
}

  3. Restart the container for changes to take effect.

Whenever changes are made to the list of allowed/denied countries in Nginx, a container restart is mandatory as it involves modifying the core configuration. On the other hand, changes made to the .htaccess file for Apache containers should take effect immediately. To test country blocking, use a website like proxysite.com as it includes an option to choose a server from different locations.
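To confirm the Nginx rules from the server side after a test request, the following added example (not SiteHost's own tooling) counts connections closed with 444 per client address and flags addresses that were dropped on one request but answered on another. It assumes the access log uses Nginx's default combined format; `audit`, `LINE_RE` and `SAMPLE_LOG` are hypothetical names and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Nginx "combined" log format (assumed):
# addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /info.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 444 0 "-" "-"',
    'not an access log line',
]


def audit(lines):
    """Return (dropped, leaks, unparsed) for an iterable of access log lines.

    dropped  -- Counter of 444 responses per client address
    leaks    -- {address: [request, ...]} requests that were answered normally
                for an address that also received a 444 in the same log
    unparsed -- number of lines that did not match the assumed format
    """
    dropped, answered, unparsed = Counter(), defaultdict(list), 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
        elif m["status"] == "444":
            dropped[m["addr"]] += 1
        else:
            answered[m["addr"]].append(m["request"])
    leaks = {addr: reqs for addr, reqs in answered.items() if addr in dropped}
    return dropped, leaks, unparsed


if __name__ == "__main__":
    dropped, leaks, unparsed = audit(SAMPLE_LOG)
    for addr, count in dropped.most_common():
        print(f"{addr}: {count} request(s) closed with 444")
    for addr, requests in leaks.items():
        print(f"{addr}: still answered for {requests}")
    print(f"{unparsed} line(s) skipped")
```

An entry in `leaks` usually means a location block is missing the `if ($allowed_country = no)` check, as with the .php request in the sample; an address can also appear there if the country list was changed between the two requests.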

For enhanced accuracy in blocking, it is recommended to use the GeoIP2 Country database instead of the free GeoLite2 Country database. Please note that the accuracy of blocking cannot be guaranteed to be 100%, as it relies on the accuracy of the database provided by MaxMind.