
IP Filtering on NGINX Server


Today, we go over how to block certain IP addresses from being able to access your site by using the power of the NGINX server.


Sometimes we want a website to be accessible only from certain countries. To achieve this, we need to filter requests on the server on the basis of the client IP address.

In this blog, we'll discuss how to allow access to your website from certain countries and block all others, based on IP address, on an NGINX server.

We'll be using the GeoIP module for IP filtering.

The GeoIP module creates variables based on the client IP address, using the precompiled MaxMind GeoIP databases, for both HTTP and TCP/UDP traffic.

The following steps need to be executed in order to implement IP Filtering on your NGINX server:

Step 1: Compile Nginx Server

nginx -V

If you see --with-http_geoip_module in the output, you are ready to use the GeoIP database with NGINX and move to step 3; otherwise, continue with step 2.

Step 2: Install GeoIP Database

apt-get install geoip-database libgeoip1

The GeoIP database maps each IP address to its corresponding country code (e.g., all IP addresses in India are mapped to the code IN).

The packaged database may be a bit outdated. We can update it with the following commands:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz

Step 3: Configure Nginx.conf

Open /etc/nginx/nginx.conf

vi /etc/nginx/nginx.conf

Place the following code in the http{} block:

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
        default no;
        US yes;
        IN yes;
}

This sets the $allowed_country variable to yes if the server is being accessed from the US or India. For any other IP address, the variable will be set to the default value.

NOTE: This code block does not block any country from accessing the website. It simply sets the $allowed_country variable value.

Step 4: Configure Virtual Host File

Now, to actually block a country, we need to update the default virtual host configuration file.

Open /etc/nginx/sites-available/default

vi /etc/nginx/sites-available/default

And add the following code inside the server{} block:

if ($allowed_country = no) {
        return 403;
}

This will return a 403 Forbidden response when a non-US or non-Indian IP address tries to access your server.

Step 5: Restart NGINX Server

Now we just need to restart our NGINX server.

sudo service nginx restart
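
A pre-flight check for steps 1, 2 and 5, as an added example that is not part of the original article: it classifies the build flags printed by nginx -V (static, dynamic or missing HTTP GeoIP module), confirms the database file exists, and syntax-checks the configuration with nginx -t before the restart. The function names and the sample nginx -V lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): checks to run before
# restarting NGINX with the GeoIP country filter.

# Classify HTTP GeoIP module support from the text printed by `nginx -V`.
# Prints one of: static, dynamic, missing.
geoip_module_status() {
    case "$1" in
        *--with-http_geoip_module=dynamic*) echo dynamic ;;
        *--with-http_geoip_module*)         echo static ;;
        *)                                  echo missing ;;
    esac
}

# Check the live install; returns non-zero on the first failure.
# $1 = country database path (the article uses /usr/share/GeoIP/GeoIP.dat).
preflight() {
    db="$1"
    command -v nginx >/dev/null 2>&1 || { echo "nginx not found" >&2; return 1; }
    # `nginx -V` writes to stderr, so redirect it or the capture is empty.
    mod=$(geoip_module_status "$(nginx -V 2>&1)")
    case "$mod" in
        missing) echo "HTTP GeoIP module is not built in" >&2; return 1 ;;
        dynamic) echo "dynamic build: nginx.conf also needs load_module for ngx_http_geoip_module.so" >&2 ;;
    esac
    [ -s "$db" ] || { echo "database $db is missing or empty" >&2; return 1; }
    # Syntax-check the full configuration so a typo in the map block is
    # caught here instead of failing the restart.
    nginx -t || return 1
    echo "ok ($mod)"
}

# Constructed sample `nginx -V` lines for the three cases.
SAMPLE_STATIC='configure arguments: --with-http_ssl_module --with-http_geoip_module'
SAMPLE_DYNAMIC='configure arguments: --with-http_geoip_module=dynamic --with-stream'
# The stream (TCP/UDP) GeoIP module alone does not provide geoip_country in http{}.
SAMPLE_STREAM_ONLY='configure arguments: --with-stream --with-stream_geoip_module'

# Usage: sh geoip_preflight.sh --check [database path]
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-/usr/share/GeoIP/GeoIP.dat}"
fi
```

Run it with --check (as a user allowed to read the NGINX configuration) and restart only when it prints ok.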

So, we just saw how we can implement IP filtering on our Nginx server. In my next blog post, I'll be explaining how to make your website accessible to certain IP addresses of countries blocked by our server. Till then, enjoy!


Published at DZone with permission of Rishabh Verma, DZone MVB. See the original article here.
