3

I'd like to block IPs with geoip except whitelisted countries AND the local area network. The first part works flawlessly, the second one does not. Somewhere searching the internet I found the codes LH (local host) and LN (local network), but they are both not working.

I'm using the standard howto code for the blocking.

The relevant http {} part in nginx.conf:

```nginx
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;
}
```

The relevant server {} part in sites-available/default:

```nginx
#block countries
if ($allowed_country = no) {
    return 444;
}
```

Any suggestions would be much appreciated!

Update:

$geoip_country_code variable returns "-" on LAN IP access, but adding "- yes;" to the geoip_country block doesn't work either.

Andrew Schulman
john
  • You could just log what's in `$geoip_country_code` variable when you access nginx from local network. Then just add this value to `map` directive. – Alexey Ten Mar 28 '14 at 17:40
  • If you used the access logs, then the "-" value you mentioned is used to indicate missing data (see [NCSA Common log format](https://en.wikipedia.org/wiki/Common_Log_Format)). – Silveri Oct 30 '18 at 10:12

2 Answers

6

I found a solution - no idea if it's 'clean'. Just overwrite the $allowed_country variable if a LAN IP condition was matched before.

```nginx
geo $lan-ip {
    default no;
    192.168.1.0/24 yes;
}
```

and this block before the "#block countries" part

```nginx
if ($lan-ip = yes) {
    set $allowed_country yes;
}
```

sheldor
1

You could also do the following:

```nginx
map $geoip_country_code $allowed_country {
    default no;
    '' yes;
    US yes;
}
```

Although it won't just apply to LAN/private network IP addresses, but to all addresses that aren't handled by your GeoIP database.

Silveri
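The two answers above can be combined without `if`/`set` by chaining `map` blocks, which keeps the exemption limited to explicit CIDR ranges instead of every address missing from the GeoIP database. This is an added example, not code from either answer; the variable names `$lan_ip` and `$geo_allowed` and the loopback range are assumptions to adapt.

```nginx
# Fragment of nginx.conf; only the directives relevant to the allow/deny decision.
http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Exempt only explicitly listed networks. Anything not listed here,
    # including public addresses unknown to the GeoIP database, gets "no".
    geo $lan_ip {
        default        no;
        127.0.0.0/8    yes;   # loopback (assumption, not from the page)
        192.168.1.0/24 yes;   # LAN range used in the first answer
    }

    # Country decision, as in the question.
    map $geoip_country_code $geo_allowed {
        default no;
        US      yes;
    }

    # LAN clients are always allowed; every other client falls back
    # to the country decision computed above.
    map $lan_ip $allowed_country {
        yes     yes;
        default $geo_allowed;
    }

    server {
        # existing listen / server_name / location directives stay as they are

        #block countries
        if ($allowed_country = no) {
            return 444;
        }
    }
}
```

`geo` matches on `$remote_addr` by default, so behind a reverse proxy or load balancer every request appears to come from the proxy's address unless the real client address is restored first.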