Country-Level Blocking With MaxMind

To block users in selected countries from accessing your websites, we recommend using MaxMind. MaxMind services use IP addresses to identify a user’s country, and you can write rules to block specific countries.

Start by downloading the GeoLite2 Country MaxMind Database in .mmdb format from MaxMind.

Place the file in a location inside your container, for example /container/application/GeoLite2-Country.mmdb. Now you’re ready to enable and set up the configuration files.

Configuring MaxMind and Blocking Countries

The exact process differs according to the image that your container is running. Below, this document takes you through the steps for Apache and Nginx.

  • Before you begin: Find the ISO codes of relevant countries in this GeoNames table.
  • Once you’re done: Test that your country blocking works as intended by visiting your site from a service that lets you imitate traffic from different locations, like ProxySite or Geo Targetly.

Apache

Create symlinks to the MaxMind conf and load files in the mods-enabled folder:

cd /container/config/apache2/mods-enabled
ln -s ../mods-available/maxminddb.conf .
ln -s ../mods-available/maxminddb.load .

To block specific countries, add rules to the container’s .htaccess file. Model them on this example code:

<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /container/application/GeoLite2-Country.mmdb
MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code
SetEnvIf COUNTRY_CODE ^(RU|DE|US) BlockCountry
Deny from env=BlockCountry
</IfModule>

Nginx

Some configuration changes are required in Nginx.

  1. In /container/config/nginx/nginx.conf, load the GeoIP2 module before the events block:
    pid /run/nginx.pid;
    load_module modules/ngx_http_geoip2_module.so;
    events {
  2. Pass the MaxMind database to the GeoIP module, then map the variables to allow or deny a country, using this code as an example:
    http {
        ##
        # Basic Settings
        ##
        geoip2 /container/application/GeoLite2-Country.mmdb {
            $geoip2_data_country_iso_code country iso_code;
        }
        map $geoip2_data_country_iso_code $allowed_country {
            default yes;
            DE no; # Germany
        }
  3. Add an if statement to /container/config/nginx/sites-available/default to block requests from denied countries. (444 is a special Nginx code that closes the connection without sending a response.)
    location / {
        try_files $uri $uri/ =404;
        if ($allowed_country = no) {
            return 444;
        }
    }
    location ~ \.php$ {
        # Fix for HTTProxy
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        if ($allowed_country = no) {
            return 444;
        }
    }
  4. Reboot the container for your changes to take effect.

Because it takes configuration changes to update your list of allowed or denied countries in Nginx, you’ll need to reboot the container each time.
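
In the Nginx setup above, the country check is repeated inside each location block, so a location added later without it stays reachable from denied countries. The following Python audit is an added example, not part of the original documentation: it lists location blocks that lack the check. The sample config is constructed, and its /downloads/ location is hypothetical.

```python
import re

# Constructed sample of sites-available/default: the first two location blocks
# follow the page's example, the third (hypothetical) one lacks the country check.
SAMPLE_SITE_CONF = r"""
server {
    location / {
        try_files $uri $uri/ =404;
        if ($allowed_country = no) {
            return 444;
        }
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;  # socket path as on the page
        if ($allowed_country = no) {
            return 444;
        }
    }
    location /downloads/ {
        autoindex on;
    }
}
"""

# The page's check, tolerant of whitespace differences.
COUNTRY_CHECK = re.compile(r"if\s*\(\s*\$allowed_country\s*=\s*no\s*\)\s*\{\s*return\s+444\s*;")
LOCATION_OPEN = re.compile(r"\blocation\s+([^{;]+?)\s*\{")


def location_blocks(conf):
    """Yield (selector, body) for every location block, matching braces by depth."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (simplification: ignores '#' in quotes)
    for match in LOCATION_OPEN.finditer(conf):
        depth, pos = 1, match.end()
        while depth and pos < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[pos], 0)
            pos += 1
        yield match.group(1), conf[match.end():pos - 1]


def unguarded_locations(conf):
    """Return the selectors of location blocks that do not contain the country check."""
    return [sel for sel, body in location_blocks(conf) if not COUNTRY_CHECK.search(body)]


if __name__ == "__main__":
    for selector in unguarded_locations(SAMPLE_SITE_CONF):
        print(f"location {selector}: no $allowed_country check, denied countries can reach it")
```

Run it against the contents of /container/config/nginx/sites-available/default after each configuration change, before rebooting the container.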