Francis Daly
April 17, 2019 08:40AM
On Fri, Apr 12, 2019 at 09:24:01PM -0500, Software Info wrote:

Hi there,

> I notice though that in the logs, the internal IP Addresses are not
> tagged with a country code so internal subnets are getting blocked. Would
> the correct solution be to enter the subnets manually such as this config
> below? Or is there a better solution?

You use something to set $geoip_country_code, which compares the source
IP address with its database of locations.

You want to allow certain $geoip_country_code values, and also to allow
certain IP addresses.

One possibility:

* can you see the $geoip_country_code that is set for the addresses you
want to allow (probably blank)?
* are you happy to allow every address that gets that same value?

If so, use

map $geoip_country_code $country_access {
    "US"    0;
    ""      0;
    default 1;
}


Another possibility:

* change the database that your tool uses, so that the addresses you
care about (192.168.1.0/24, but not 192.168.2.0/24, for example) set
$geoip_country_code to a value such as "LAN" or something else that is
not otherwise used.
* Then - same as above, but allow "LAN" instead of "".

And another way could be to make your own variable, based on a combination
of the things that you care about. Conceptually (but this does not work),
you want

# Do not use this
geo $my_country {
    192.168.1.0/24 "LAN";
    default $geoip_country_code;
}

and then use $my_country to check validity. In practice instead, you
would want something like (untested by me!):

geo $lan_ip {
    192.168.1.0/24 "LAN";
    default "";
}
map $geoip_country_code$lan_ip $country_access {
    "US"    0;
    "LAN"   0;
    default 1;
}

which does assume that anything that has $lan_ip set will have
$geoip_country_code blank (or will get the default value). I think that
for your case of private RFC 1918 addresses, this is ok. It is not a
general solution. (It could be adapted to become one, if necessary.)


Do be aware that, depending on your config, the thing that sets
$geoip_country_code and the thing that sets $lan_ip may not be reading
from the same value. So you'll probably want to make sure that they do,
for consistency.

Good luck with it,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
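The following is an added example that is not part of Francis's reply or of the original thread: a complete nginx configuration that ties the `geo` and `map` pieces above together with the actual deny, and handles the assumption Francis points out (that the GeoIP lookup is blank for the private range). The database path, the `192.168.1.0/24` range, the `US` allow-list and the document root are assumptions for illustration; the `~LAN$` regex key is my own adaptation towards the "general solution" he mentions, not something the post proposes.

```nginx
http {
    # Legacy ngx_http_geoip_module: populates $geoip_country_code from the
    # client address. Database path is an assumption.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # If nginx sits behind a trusted proxy, point BOTH lookups at the same
    # source address so they stay consistent (see Francis's last paragraph):
    #   geoip_proxy 10.0.0.1;      for the GeoIP module
    #   proxy 10.0.0.1;            inside the geo block below
    # Left out here because this example assumes direct client connections.

    # Tag the private range we want to let through; everything else is "".
    geo $lan_ip {
        default        "";
        192.168.1.0/24 "LAN";
    }

    # Combined key. "US" matches US addresses (blank $lan_ip), "LAN" matches
    # the private range when the GeoIP lookup is blank for it. The regex key
    # also accepts e.g. "USLAN", i.e. a database that does return a code for
    # the private range, which the plain "LAN" key would otherwise send to
    # the deny default. nginx tries string keys first, then regexes in order.
    map $geoip_country_code$lan_ip $country_access {
        default 1;
        "US"    0;
        "LAN"   0;
        ~LAN$   0;
    }

    server {
        listen 80;

        # $country_access is "1" for denied clients; "0" is false in an if.
        if ($country_access) {
            return 403;
        }

        location / {
            root /var/www/html;
        }
    }
}
```

With this in place, a request from 192.168.1.10 produces the key "LAN" (or "XXLAN" if the database has an entry for it) and is allowed, 192.168.2.10 produces whatever country code the database returns (or "") and is denied unless that code is "US", and a public US address produces "US" and is allowed. Check what the lookup actually returns for your internal range first, for example by logging `$geoip_country_code$lan_ip` in a custom log_format, before relying on the blank-value assumption.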
Thread:

* (no subject) - Software Info, April 12, 2019 10:26PM
* Re: [no subject] - daBee, April 13, 2019 08:10AM
* Re: your mail (GEO IP blocking) - Francis Daly, April 17, 2019 08:40AM