
IP Filtering on NGINX Server


Today, we go over how to block certain IP addresses from being able to access your site by using the power of the NGINX server.


Sometimes we want a website to be accessible only from certain countries. To achieve this, we need to filter requests on the server on the basis of client IP address.

In this blog, we'll discuss how to allow access to your website from certain countries and block all others, based on IP address, on an NGINX server.

We'll be using the GeoIP module for IP filtering.

The GeoIP module creates variables based on the client IP address, using the precompiled MaxMind GeoIP databases, for both HTTP and TCP/UDP traffic.

The following steps need to be executed in order to implement IP Filtering on your NGINX server:

Step 1: Compile Nginx Server

nginx -V

If you see --with-http_geoip_module in the output, you are ready to use the GeoIP database with NGINX and move to step 3; otherwise, continue with step 2.

Step 2: Install GeoIP Database

apt-get install geoip-database libgeoip1

The GeoIP database maps each IP address to its corresponding country code (e.g., all IP addresses in India are mapped to the code IN).

The packaged database may be somewhat outdated. We can update it with the following commands:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz

Step 3: Configure Nginx.conf

Open /etc/nginx/nginx.conf

vi /etc/nginx/nginx.conf

Place the following code in the http{} block:

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
        default no;
        US yes;
        IN yes;
}

This sets the $allowed_country variable to yes if the server is being accessed from the US or India. For any other IP address, the variable will be set to the default value.

NOTE: This code block does not block any country from accessing the website. It simply sets the $allowed_country variable value.

Step 4: Configure Virtual Host File

Now, to actually block countries, we need to update the default virtual host configuration file.

Open /etc/nginx/sites-available/default

vi /etc/nginx/sites-available/default

And add the following code inside the server{} block:

if ($allowed_country = no) {
        return 403;
}

This will return a 403 Forbidden response when an IP address from outside the US and India tries to access your server.

Step 5: Restart NGINX Server

Now we just need to restart our NGINX server.

sudo service nginx restart
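
Because the map in step 3 only sets a variable, its decisions can be logged for a while before the `return 403` rule from step 4 is enabled, showing what would be blocked. The script below is an added example, not code from the original article; the `geo` log format, the log path and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run audit of the geo map.
# Assumes a hypothetical log format, defined in http{} before enforcing step 4:
#   log_format geo '$remote_addr $geoip_country_code $allowed_country "$request"';
#   access_log /var/log/nginx/geo.log geo;
# nginx logs "-" for an empty variable, so addresses missing from the GeoIP
# database (private ranges, loopback) show up with country "-".

# Reads geo-format log lines on stdin; prints "<count> <country>" for every
# country whose requests would receive 403, most frequent first.
would_block() {
    awk '$3 == "no" { n[$2]++ }
         END { for (c in n) print n[c], c }' | sort -k1,1nr -k2,2
}

# Prints the distinct client addresses with no country match that the map
# would deny; these are often internal monitors or health checks.
unmapped_denied() {
    awk '$2 == "-" && $3 == "no" { print $1 }' | sort -u
}

# Constructed sample log; addresses and country values are illustrative only.
sample_log() {
    cat <<'EOF'
198.51.100.7 US yes "GET / HTTP/1.1"
203.0.113.9 DE no "GET / HTTP/1.1"
203.0.113.9 DE no "GET /login HTTP/1.1"
192.0.2.44 FR no "GET / HTTP/1.1"
10.0.0.5 - no "GET /health HTTP/1.1"
127.0.0.1 - no "GET /nginx_status HTTP/1.1"
10.0.0.5 - no "GET /health HTTP/1.1"
192.0.2.80 IN yes "GET / HTTP/1.1"
EOF
}

main() {
    echo "Requests that would get 403, by country:"
    sample_log | would_block
    echo "Unmapped addresses that would be denied:"
    sample_log | unmapped_denied
}
main
```

With `default no`, any address the database cannot place falls through to a denial, so the second list is worth reviewing before the rule goes live.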

So, we just saw how we can implement IP filtering on our Nginx server. In my next blog post, I'll be explaining how to make your website accessible to certain IP addresses of countries blocked by our server. Till then, enjoy!



Published at DZone with permission of
