{"id":3508,"date":"2018-09-02T16:25:17","date_gmt":"2018-09-02T21:25:17","guid":{"rendered":"https:\/\/dev.iachieved.it\/iachievedit\/?p=3508"},"modified":"2019-02-16T13:59:18","modified_gmt":"2019-02-16T19:59:18","slug":"geoip2-and-nginx","status":"publish","type":"post","link":"https:\/\/dev.iachieved.it\/iachievedit\/geoip2-and-nginx\/","title":{"rendered":"GeoIP2 and NGINX"},"content":{"rendered":"

There are times when you want to configure your website to explicitly disallow access from certain countries, or only allow access from a given set of countries. While not completely precise, use of the MaxMind<\/a> GeoIP databases to look up a web client’s country-of-origin and have the web server respond accordingly is a popular technique.<\/p>\n

There are a number of NGINX<\/a> tutorials on how to use the legacy GeoIP database<\/a> and the ngx_http_geoip_module<\/a>, and as it happens the default Ubuntu nginx<\/code> package includes the ngx_http_geoip_module<\/code>. Unfortunately the GeoIP databases will no longer be updated, and MaxMind has migrated to GeoIP2<\/a>. Moreover, after January 2, 2019, the GeoIP databases will no longer be available<\/a>.<\/p>\n

This leaves us in a bind. Luckily, while the Ubuntu distribution of NGINX doesn’t come with GeoIP2 support, we can add it by building from source. Which is exactly what we’ll do! In this tutorial we’re going to build nginx<\/code> from the ground up, modeling its configuration options after those that are used by the canonical nginx<\/code> packages available from Ubuntu 16.04. You’ll want to go through this tutorial on a fresh installation of Ubuntu 16.04 or later; we’ll be using an EC2 instance created from the AWS Quick Start Ubuntu Server 16.04 LTS (HVM), SSD Volume Type<\/em> AMI.<\/p>\n

If you’re a fan of NGINX and hosting secure webservers, check out our latest post on configuring NGINX with support for TLS 1.3<\/a><\/p><\/blockquote>\n

Getting Started<\/h2>\n

Since we’re going to be building binaries, we’ll need the build-essential<\/code> package which is a metapackage that installs applications such as make<\/code>, gcc<\/code>, etc.<\/p>\n

\nsudo apt-get update\nsudo apt-get install -y build-essential\n<\/pre>\n
Now, to install all of the prerequisities libraries we’ll need to compile NGINX:<\/p>\n
\nsudo apt-get install -y libpcre3-dev zlib1g-dev libssl-dev libxslt1-dev\n<\/pre>\n
Using the GeoIP2 database with NGINX requires the ngx_http_geoip2_module<\/a> and requires the MaxMind development packages from MaxMind:<\/p>\n
\nsudo add-apt-repository -y ppa:maxmind\/ppa\nsudo apt-get update\nsudo apt-get install -y libmaxminddb-dev\n<\/pre>\n
Getting the Sources<\/h2>\n
Now let’s go and download NGINX.  We’ll be using the latest dot-release of the 1.15 series, 1.15.3.  I prefer to compile things in \/usr\/local\/src<\/code>, so:<\/p>\n
\ncd \/usr\/local\/src\/\nsudo wget https:\/\/nginx.org\/download\/nginx-1.15.3.tar.gz\nsudo tar -xzvf nginx-1.15.3.tar.gz\n<\/pre>\n
We also need the source for the GeoIP2 NGINX module:<\/p>\n
\nsudo wget https:\/\/github.com\/leev\/ngx_http_geoip2_module\/archive\/3.0.tar.gz\nsudo tar -xzvf 3.0.tar.gz\n<\/pre>\n
Now, to configure and compile.<\/p>\n
\n\ncd nginx-1.15.3\nsudo .\/configure \\\n--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \\\n--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' \\\n--prefix=\/usr\/share\/nginx                 \\\n--conf-path=\/etc\/nginx\/nginx.conf         \\\n--http-log-path=\/var\/log\/nginx\/access.log \\\n--error-log-path=\/var\/log\/nginx\/error.log \\\n--lock-path=\/var\/lock\/nginx.lock          \\\n--pid-path=\/run\/nginx.pid                 \\\n--modules-path=\/usr\/lib\/nginx\/modules     \\\n--http-client-body-temp-path=\/var\/lib\/nginx\/body \\\n--http-fastcgi-temp-path=\/var\/lib\/nginx\/fastcgi  \\\n--http-proxy-temp-path=\/var\/lib\/nginx\/proxy      \\\n--http-scgi-temp-path=\/var\/lib\/nginx\/scgi        \\\n--http-uwsgi-temp-path=\/var\/lib\/nginx\/uwsgi      \\\n--with-debug                     \\\n--with-pcre-jit                  \\\n--with-http_ssl_module           \\\n--with-http_stub_status_module   \\\n--with-http_realip_module        \\\n--with-http_auth_request_module  \\\n--with-http_v2_module            \\\n--with-http_dav_module           \\\n--with-http_slice_module         \\\n--with-threads                   \\\n--with-http_addition_module      \\\n--with-http_gunzip_module        \\\n--with-http_gzip_static_module   \\\n--with-http_sub_module           \\\n--with-http_xslt_module=dynamic  \\\n--with-stream=dynamic            \\\n--with-stream_ssl_module         \\\n--with-stream_ssl_preread_module \\\n--with-mail=dynamic              \\\n--with-mail_ssl_module           \\\n--add-dynamic-module=\/usr\/local\/src\/ngx_http_geoip2_module-3.0\n<\/pre>\n
You will want to make sure that the ngx_http_geoip2_module will be compiled, and should see nginx_geoip2_module was configured<\/code> in the end of the configure<\/code> output.<\/p>\n
\nconfiguring additional dynamic modules\nadding module in \/usr\/local\/src\/ngx_http_geoip2_module-3.0\/\nchecking for MaxmindDB library ... found\n + ngx_geoip2_module was configured\nchecking for PCRE library ... found\nchecking for PCRE JIT support ... found\nchecking for OpenSSL library ... found\nchecking for zlib library ... found\nchecking for libxslt ... found\nchecking for libexslt ... found\ncreating objs\/Makefile\n\nConfiguration summary\n  + using threads\n  + using system PCRE library\n  + using system OpenSSL library\n  + using system zlib library\n\n  nginx path prefix: \"\/usr\/share\/nginx\"\n  nginx binary file: \"\/usr\/share\/nginx\/sbin\/nginx\"\n  nginx modules path: \"\/usr\/lib\/nginx\/modules\"\n  nginx configuration prefix: \"\/etc\/nginx\"\n  nginx configuration file: \"\/etc\/nginx\/nginx.conf\"\n  nginx pid file: \"\/run\/nginx.pid\"\n  nginx error log file: \"\/var\/log\/nginx\/error.log\"\n  nginx http access log file: \"\/var\/log\/nginx\/access.log\"\n  nginx http client request body temporary files: \"\/var\/lib\/nginx\/body\"\n  nginx http proxy temporary files: \"\/var\/lib\/nginx\/proxy\"\n  nginx http fastcgi temporary files: \"\/var\/lib\/nginx\/fastcgi\"\n  nginx http uwsgi temporary files: \"\/var\/lib\/nginx\/uwsgi\"\n  nginx http scgi temporary files: \"\/var\/lib\/nginx\/scgi\"\n<\/pre>\n
Now, run sudo make<\/code>.  NGINX, for all its power, is a compact and light application, and compiles in under a minute.  If everything compiles properly, you can run sudo make install<\/code>.<\/p>\n
A few last things to complete our installation:<\/p>\n