Geolocation Blocking #730

Open · Revan335 opened this issue Mar 31, 2024 · 8 comments
@Revan335

Hello,

how can I use geolocation blocking?
For example, only from Germany, the USA, Austria ... can I access the Docker container, and access/connections from others are blocked.

This can increase security and lower the risk of hacking ...

NPM doesn't have this feature.
Does SWAG have this? I don't know.

Can you add this?

Many thanks!

Greetings

Revan335

@Zoey2936 (Member)

Hello, I will add this with the PHP rewrite (see #731). But until then: you can mount geo databases into the NPMplus container and configure geoblocking in the Advanced tab. (The nginx geoip module and the MaxMind module are compiled into NPMplus.)

@Zoey2936 Zoey2936 self-assigned this Mar 31, 2024
@viriatusX

> Hello, I will add this with the PHP rewrite (see #731). But until then: you can mount geo databases into the NPMplus container and configure geoblocking in the Advanced tab. (The nginx geoip module and the MaxMind module are compiled into NPMplus.)

How can I configure it in the Advanced tab?
I have already mapped the GeoIP2 DBs in /data/geo2ip.

What line do I have to put? Thanks

@Matthias-vdE

Matthias-vdE commented Aug 8, 2024

@Revan335 Did you manage to get this up and running? I've been reading through the documentation but can't seem to figure out the exact config I need to put in the Advanced tab to explicitly allow/block certain countries.

From my understanding, it should be as simple as adding

geoip2 /data/etc/goaccess/geoip/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_data_country_code default=ZZ country iso_code;
}

if ($geoip2_data_country_code != "BE") {
    return 403;
}

Or alternatively:

geoip2 /data/etc/goaccess/geoip/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_data_country_code default=ZZ country iso_code;
}

map $geoip2_data_country_code $allowed_country {
    default no;
    BE yes;
}

if ($allowed_country = no) {
    return 444;
}

to the Advanced tab, but that makes the host go Offline.

@Zoey2936 (Member)

Zoey2936 commented Aug 8, 2024

what is written in your log?

@Matthias-vdE

Matthias-vdE commented Aug 8, 2024

The Docker logs say this when I apply the Advanced Configuration:

[Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/10.conf
[Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/10.conf
[Nginx    ] › ⬤  debug     Could not delete file: {
  "errno": -2,
  "code": "ENOENT",
  "syscall": "unlink",
  "path": "/data/nginx/proxy_host/10.conf"
}
[Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/10.conf.err
[Nginx    ] › ⬤  debug     Could not delete file: {
  "errno": -2,
  "code": "ENOENT",
  "syscall": "unlink",
  "path": "/data/nginx/proxy_host/10.conf.err"
}
[Nginx    ] › ℹ  info      Reloading Nginx
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:21:30 [warn] 1023#1023: deleting socket /run/nginx-10.sock

Then the host is marked "Offline" in the UI.

When I remove the configuration again:

[Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/10.conf
[Nginx    ] › ⬤  debug     Could not delete file: {
  "errno": -2,
  "code": "ENOENT",
  "syscall": "unlink",
  "path": "/data/nginx/proxy_host/10.conf"
}
[Nginx    ] › ℹ  info      Reloading Nginx
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"
2024/08/08 21:23:41 [warn] 1023#1023: "ssl_stapling" ignored, issuer certificate not found for certificate "/data/tls/dummycert.pem"

And the status goes back to Online. This is the same for every host.

The container is running as root and does have rights to create/delete files:

-------------------------------------
 _ _  ___  __ __       _
| \ || . \|  \  \ ___ | | _ _  ___
|   ||  _/|     || . \| || | |[_-[
|_\_||_|  |_|_|_||  _/|_| \__|/__/
                 |_|
-------------------------------------
Version:  2.11.3+dbb0883
Date:     Thu Aug  8 17:57:28 CEST 2024
User:     root
PUID:     0
User ID:  0
PGID:     0
Group ID: 0
-------------------------------------

@Zoey2936 (Member)

Zoey2936 commented Aug 8, 2024

I think you need to put geoip2 and map into the custom/http_root file

@Matthias-vdE

Matthias-vdE commented Aug 8, 2024

> I think you need to put geoip2 and map into the custom/http_root file

I think that was it! Placing the following in the custom/http_top.conf file:


geoip2 /data/etc/goaccess/geoip/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_data_country_code default=ZZ country iso_code;
}

map $geoip2_data_country_code $allowed_country {
    default no;
    BE yes;
}

And then placing the if statement in the Advanced Configuration. Or even better, in the server_proxy.conf file so it applies automatically to all hosts:

if ($allowed_country = no) {
    return 444;
}

Seems to have done the trick... I am now seeing HTTP 444 in the access log after starting a VPN to Germany or France:

[08/Aug/2024:21:33:16 +0200] HOSTNAME PROXYIP 0.000 "GET / HTTP/2.0" 444 0 0

Many thanks!
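The reason the first attempt above took every host Offline is that `geoip2` and `map` are http-context directives: the Advanced tab is rendered into the server block, so nginx rejects the config and the host file is dropped. Splitting the lookup (http context, custom/http_top.conf) from the decision (server context) is what made it work. The following is a fuller version of that split, added here as an example and not code from the thread, from NPMplus or from its author. It allow-lists the countries named in the opening post (DE, US, AT), keeps deny-by-default so the `ZZ` value for an unresolvable address is also blocked, and exempts private and loopback client addresses, which GeoLite2 cannot place in any country and which the plain `if` above would therefore lock out too (including health checks from the Docker network). The database path and file names follow the thread; the standard `geo` module (ngx_http_geo_module) is assumed to be compiled in, which the thread does not confirm.

```nginx
# ---- /data/nginx/custom/http_top.conf  (http context) ----

# Country lookup on the client address. default=ZZ is returned when the
# address is not in the database (private ranges, unallocated space, ...).
geoip2 /data/etc/goaccess/geoip/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_country_code default=ZZ country iso_code;
}

# Flag RFC 1918 / loopback clients so LAN access is not cut off by the
# country check. Uses the standard ngx_http_geo_module (assumed available).
geo $remote_addr $client_is_private {
    default        0;
    127.0.0.0/8    1;
    10.0.0.0/8     1;
    172.16.0.0/12  1;
    192.168.0.0/16 1;
}

# Decide once, in http context. Key is "<private-flag>:<country>", e.g. "0:DE".
# Deny by default; allow private clients and the allow-listed countries only.
map "$client_is_private:$geoip2_country_code" $geo_blocked {
    default            1;   # everything else, including ZZ (unknown)
    "~^1:"             0;   # private/loopback client
    "~^0:(DE|US|AT)$"  0;   # allow-listed countries from the opening post
}

# ---- /data/nginx/custom/server_proxy.conf  (server context, all proxy hosts) ----
# or the Advanced tab of a single host.

if ($geo_blocked) {
    # 444 closes the connection without any response; use 403 instead if you
    # want blocked clients to receive an explicit error.
    return 444;
}
```

Two caveats a practitioner should keep in mind. First, the lookup runs on `$remote_addr`; if NPMplus sits behind a CDN or another reverse proxy, that is the proxy's address, every request resolves to the proxy's country, and the filter is either always-allow or always-deny. The real client address has to be restored (for example with the realip module and a trusted-proxy list) before the country lookup means anything. Second, geoblocking is a coarse noise filter, not authentication: the test at the end of this thread (a VPN exit in Germany or France changing the result) shows exactly how cheaply the check is passed, so it should sit in front of, never in place of, proper access control on the proxied application.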
