Hi all!
This is my first how-to, and I'll explain how I added filtering by GeoIP to the nginx web server. I use this to make my Nextcloud installation more secure.
I hope that you'll enjoy it, and also that I didn't make too many grammar errors, as English is not my primary language!
I have installed nginx and Nextcloud in a jail following this how-to:
https://forums.freenas.org/index.php?threads/how-to-owncloud-using-nginx-php-fpm-and-mysql.17786/
but I think that it can be applied to every nginx installation, as long as you didn't install it as a FreeNAS plug-in.
STEP 1 - ACCESS TO YOUR JAIL
So, SSH to your FreeNAS and type
Code:
[root@freenas] /# jls
   JID  IP Address      Hostname                      Path
     7  -               nextcloud                     /mnt/main_volume/jails/nextcloud
STEP 2 - CHECK IF YOU ALREADY HAVE THE GeoIP nginx module
Now enter your nextcloud machine and check your nginx installation:
Code:
root@nextcloud:/ # nginx -V
nginx version: nginx/1.11.3
built by clang 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_sub_module --with-pcre --with-http_v2_module --with-stream=dynamic --with-stream_ssl_module --with-threads --with-mail=dynamic --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-http_ssl_module
You need to find text like --with-http_geoip_module=dynamic in the output.
If you don't have that, then your nginx is missing the module you need. As I didn't find it in the pkg repository, I installed nginx again.
STEP 3 - INSTALL THE GeoIP PACKAGE
First, let's install the GeoIP pkg package:
pkg install geoip
STEP 4 - DOWNLOAD THE nginx SOURCE CODE (only if you lack the GeoIP module from STEP 2)
You have to download the latest version. To do that I used wget, which is missing by default. So, let's install it with
root@nextcloud: pkg install wget
Then get the URL of the latest version from the nginx.org website and download it
wget http://nginx.org/download/nginx-1.11.3.tar.gz
uncompress it
tar -xzf nginx-1.11.3.tar.gz
and enter the directory it created
cd nginx-1.11.3
You now have to configure the source code and install it. I recommend that you copy and paste the "configure arguments:" you obtained with the
nginx -V
command, adding "--with-http_geoip_module=dynamic" at the end. In my case I would run:
./configure --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_sub_module --with-pcre --with-http_v2_module --with-stream=dynamic --with-stream_ssl_module --with-threads --with-mail=dynamic --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-http_ssl_module --with-http_geoip_module=dynamic
You should now be able to build it
make
and install it
make install clean
You will be warned that some old files are going to be renamed. Allow that, so that if you have trouble you can go back by renaming these files to their original names.
STEP 5 - DOWNLOAD THE GeoIP DATABASES
Now we have to download the GeoIP database. Again, I didn't find it in the pkg directory, so I downloaded it with wget:
Code:
cd /usr/local/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip GeoIP.dat.gz
gunzip GeoIPASNum.dat.gz
gunzip GeoLiteCity.dat.gz
Now we are almost done.
STEP 6 - CHECK THAT GeoIP WORKS LOCALLY AND OBTAIN YOUR COUNTRY CODE
You can run this command to check that GeoIP is working, so that in case of trouble you know whether the problem lies with the GeoIP installation or with the nginx installation/configuration:
Code:
root@nextcloud:/ # /usr/local/bin/geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat 8.8.8.8
GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94035, 37.386002, -122.083801, 807, 650
As you can see, it correctly found that the IP passed (the first public Google DNS server) is located in the US.
STEP 7 - CHANGES TO nginx.conf TO ADD FILTER BY GeoIP
Let's edit the nginx.conf file, in my case
vi /usr/local/etc/nginx/nginx.conf
You can add this on the first line (changing the path to match the location of your nginx modules if needed):
Code:
load_module /usr/local/libexec/nginx/ngx_http_geoip_module.so;
Then edit as follows (remember to enter "EDIT MODE" by pressing the "INS" key on your keyboard):
Code:
... cut ...
http {
    geoip_country /usr/local/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allow_visit {
        default no;
        DE yes;
        IT yes;
    }
    geo $lan {
        default no;
        192.168.1.0/24 yes;
    }
... cut ...
    server {
        if ($lan = yes) {
            set $allow_visit yes;
        }
        if ($allow_visit = no) {
            return 403;
        }
... cut ...
You have to adjust these lines as you need, but they are pretty easy to understand.
"DE yes;" means that connections from Germany are allowed; IT refers to Italy. Change these lines to suit your needs.
The section about $lan lists the IP addresses that are allowed to access the Nextcloud server from your local LAN.
When you are done, save the changes (press the "ESC" key, then type
:w
and press Enter to save. Then type
:q
to quit).
STEP 8 - RESTART THE nginx SERVICE AND CHECK THAT IT WORKS
Finally we can restart the service and check that it works correctly
root@nextcloud:/ # service nginx restart
If your IP belongs to a country that is not allowed, the client will receive an HTTP 403 error (that is, access denied).
Also, please note that IP addresses change, so you'll sometimes have to update the database manually.
COMMON TROUBLES:
Code:
root@nextcloud:~/nginx-1.11.3 # service nginx start
Performing sanity check on nginx configuration:
nginx: [emerg] "geoip_country" directive is not allowed here in /usr/local/etc/nginx/nginx.conf:23
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
This means that you have written the geoip_country directive at the wrong point of your nginx.conf file. Please find the line with "server {" and add the lines below it.
Code:
root@nextcloud:/ # service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] dlopen() "/usr/local/libexec/nginx/ngx_http_geoip_module.so" failed (Cannot open "/usr/local/libexec/nginx/ngx_http_geoip_module.so") in /usr/local/etc/nginx/nginx.conf:4
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
This means that the module that enables nginx to filter by GeoIP has not been found. The problem could be:
1. You have pointed to the wrong path for the module. You can find the correct path using this command:
Code:
root@nextcloud:/ # find / -name ngx_http_geoip_module.so
/usr/local/libexec/nginx/ngx_http_geoip_module.so
2. You haven't installed nginx with that module. Please check step 2 of the tutorial.
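The access rules from STEP 7, modelled in Python as an added example (not part of the original post), to show which clients get through and which receive 403. The country table is constructed sample data standing in for GeoIP.dat, and the 200 return value is a placeholder for a request that passes the filter.

```python
import ipaddress

# Values copied from the nginx.conf in STEP 7.
ALLOWED_COUNTRIES = {"DE", "IT"}                     # map $geoip_country_code $allow_visit
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # geo $lan

# Constructed stand-in for GeoIP.dat (sample data, not real assignments
# apart from 8.8.8.8 = US, which is the lookup shown in STEP 6).
SAMPLE_GEOIP = {
    ipaddress.ip_network("8.8.8.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "IT",
}


def country_code(addr):
    """Country for addr, or "" when the database has no entry for it
    (nginx then leaves $geoip_country_code empty)."""
    for net, code in SAMPLE_GEOIP.items():
        if addr in net:
            return code
    return ""


def status_for(client_ip):
    """Apply the STEP 7 rules in order; 403 = blocked, 200 = passed on."""
    addr = ipaddress.ip_address(client_ip)
    # map: "default no", "yes" only for the listed country codes
    allow_visit = "yes" if country_code(addr) in ALLOWED_COUNTRIES else "no"
    # geo: "default no", "yes" only inside the listed LAN range
    lan = "yes" if any(addr in net for net in LAN_NETS) else "no"
    if lan == "yes":          # if ($lan = yes) { set $allow_visit yes; }
        allow_visit = "yes"
    if allow_visit == "no":   # if ($allow_visit = no) { return 403; }
        return 403
    return 200                # placeholder for "request reaches Nextcloud"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "8.8.8.8", "192.168.1.50",
               "192.168.2.50", "10.8.0.2"):
        print(f"{ip:15} -> {status_for(ip)}")
```

Private addresses outside 192.168.1.0/24 (for example a second subnet or a VPN range) have no country in the database, so they fall through to "default no" and get 403 unless they are added to the geo $lan block.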