I want to use maxmind geoip code to restrict one website

Hi All,
I want to use /usr/share/GeoIP/GeoLite2-Country.mmdb in apache2.conf to allow only one country to access one website. /home/username/conf/web/mydomain.net/apache2.conf
I did all things like
loading maxmind mod apachectl -M | grep maxmind
edited apache2.conf

Everything is done, but getenv('MM_COUNTRY_CODE') is not populating.

please do the needful
thank you

Hi @annlabs

How did you install the module? Did you compile it? Is the module loaded? Did you install the maxmind library? How did you configure apache? What’s the entire code you are using to test it?

Module is installed correctly, that's why this mmdblookup works

root@annlabs:/# mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 8.8.8.8

  {
    "continent": 
      {
        "code": 
          "NA" <utf8_string>
        "geoname_id": 
          6255149 <uint32>
        "names": 
          {
            "de": 
              "Nordamerika" <utf8_string>
            "en": 
              "North America" <utf8_string>
            "es": 
              "Norteamérica" <utf8_string>
            "fr": 
              "Amérique du Nord" <utf8_string>
            "ja": 
              "北アメリカ" <utf8_string>
            "pt-BR": 
              "América do Norte" <utf8_string>
            "ru": 
              "Северная Америка" <utf8_string>
            "zh-CN": 
              "北美洲" <utf8_string>
          }
      }
    "country": 
      {
        "geoname_id": 
          6252001 <uint32>
        "iso_code": 
          "US" <utf8_string>
        "names": 
          {
            "de": 
              "USA" <utf8_string>
            "en": 
              "United States" <utf8_string>
            "es": 
              "Estados Unidos" <utf8_string>
            "fr": 
              "États Unis" <utf8_string>
            "ja": 
              "アメリカ" <utf8_string>
            "pt-BR": 
              "EUA" <utf8_string>
            "ru": 
              "США" <utf8_string>
            "zh-CN": 
              "美国" <utf8_string>
          }
      }
    "registered_country": 
      {
        "geoname_id": 
          6252001 <uint32>
        "iso_code": 
          "US" <utf8_string>
        "names": 
          {
            "de": 
              "USA" <utf8_string>
            "en": 
              "United States" <utf8_string>
            "es": 
              "Estados Unidos" <utf8_string>
            "fr": 
              "États Unis" <utf8_string>
            "ja": 
              "アメリカ" <utf8_string>
            "pt-BR": 
              "EUA" <utf8_string>
            "ru": 
              "США" <utf8_string>
            "zh-CN": 
              "美国" <utf8_string>
          }
      }
  }

root@annlabs:/#

Then I edited /home/annlabs/conf/web/anushaktinagar.net/apache2.conf
and added these two lines

    IncludeOptional /etc/apache2/conf-available/maxminddb.conf
    IncludeOptional /etc/apache2/conf-avaliable/remoteip.conf

maxminddb.conf has

MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

<Directory /home/annlabs/web/anushaktinagar.net/public_html>
    SetEnvIf MM_COUNTRY_CODE ^(CA|US) AllowCountry
    <RequireAll>
        Require env MM_COUNTRY_CODE
        Require env AllowCountry
    </RequireAll>
</Directory>

remoteip.conf

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1 ::1 103.194.228.97

but MM_COUNTRY_CODE is populating

mmdblookup is part of the mmdb-bin package and has nothing to do with the maxmind Apache module.

Again, how did you install the module, the library, etc.?

I followed the instructions here

I don’t use Apache, so I’ll need to set up a VM to test it. If I get the time, I’ll do it this weekend. What OS are you using?

ubuntu 24.04
Linux server

I’ve tested it and it works fine, I’m documenting the exact steps I followed and the Hestia templates I’ve used for Apache.

1.- Install apache2-dev (required to compile maxmind module) and create the work dir:

apt install apache2-dev -y
mkdir -p /usr/local/src/maxmind

2.- Download, compile and install library libmaxminddb

cd /usr/local/src/maxmind
curl -fsSLm15 "$(curl -fsSLm15 "https://api.github.com/repos/maxmind/libmaxminddb/releases/latest"| jq -r '.assets[]|.browser_download_url')" -O
tar xf libmaxminddb-1.12.2.tar.gz
cd libmaxminddb-1.12.2
./configure
make
make check
sudo make install
sudo ldconfig

3.- Download, compile and install module maxminddb:

cd /usr/local/src/maxmind
curl -fsSLm15 "$(curl -fsSLm15 "https://api.github.com/repos/maxmind/mod_maxminddb/releases/latest"| jq -r '.assets[]|.browser_download_url')" -O
tar xf mod_maxminddb-1.3.0.tar.gz
cd mod_maxminddb-1.3.0
./configure
sudo make install

4.- Download GeoLite2 Country DB (you must create a maxmind account and inside the account a license key).

Note: replace HereTheAccountID and HereTheLicenseKey with the actual data.

mkdir -p /usr/local/share/GeoIP/
cd /usr/local/share/GeoIP/
curl -fsSLm15 -u HereTheAccountID:HereTheLicenseKey "https://download.maxmind.com/geoip/databases/GeoLite2-Country/download?suffix=tar.gz" -o GeoLite2-Country.tar.gz
tar --wildcards --strip-components=1 -xf GeoLite2-Country.tar.gz '*.mmdb'

5.- Restart Apache and check whether the module is loaded:

systemctl restart apache2
#Below command must show this:  maxminddb_module (shared)
apache2ctl -M | grep max

6.- Create the Apache templates.

6.1.- Example of templates that will only ALLOW requests from these countries: Spain (ES) and Portugal (PT)

Create those templates inside dir /usr/local/hestia/data/templates/web/apache2/php-fpm/

I’m basically adding this block inside directives: <Directory %docroot%> and <Directory %sdocroot%>:

Note: replace (ES|PT) with the ISO codes of the countries you want to allow: (ES|PT|DE), (ES) if you only want to allow one country, etc.

        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) AllowCountry

            <RequireAll>
                Require all granted
                Require env AllowCountry
            </RequireAll>
        </IfModule>

maxmind-allow.tpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log

    IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*

    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %docroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) AllowCountry

            <RequireAll>
                Require all granted
                Require env AllowCountry
            </RequireAll>
        </IfModule>
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

maxmind-allow.stpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) AllowCountry

            <RequireAll>
                Require all granted
                Require env AllowCountry
            </RequireAll>
        </IfModule>
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile %ssl_crt%
    SSLCertificateKeyFile %ssl_key%
    %ssl_ca_str%SSLCertificateChainFile %ssl_ca%

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

6.2.- Example of templates that will only BLOCK requests from these countries: Spain (ES) and Portugal (PT)

I’m basically adding this block inside directives: <Directory %docroot%> and <Directory %sdocroot%>:

Note: replace (ES|PT) with the ISO codes of the countries you want to block: (ES|PT|DE), (ES) if you only want to block one country, etc.

        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) BlockCountry

            <RequireAll>
                Require all granted
                Require not env BlockCountry
            </RequireAll>
        </IfModule>

maxmind-block.tpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log

    IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*

    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %docroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) BlockCountry

            <RequireAll>
                Require all granted
                Require not env BlockCountry
            </RequireAll>
        </IfModule>
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

maxmind-block.stpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        <IfModule mod_maxminddb.c>
            MaxMindDBEnable On
            MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
            MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

            SetEnvIf MM_COUNTRY_CODE ^(ES|PT) BlockCountry

            <RequireAll>
                Require all granted
                Require not env BlockCountry
            </RequireAll>
        </IfModule>
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile %ssl_crt%
    SSLCertificateKeyFile %ssl_key%
    %ssl_ca_str%SSLCertificateChainFile %ssl_ca%

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

7.- Now edit your web domain and change the backend template of your domain to one of these new maxmind templates.

TIP
You should install the geoipupdate utility and create a cron job to update the maxmind DB every x days.

5 Likes

You’re doing an amazing job! It’s impressive how much time you’re dedicating to this.

Just a quick note: keep in mind that the Lite version might sometimes lag behind.
In a past professional context, we once tested the MaxMind Lite database and noticed that a certain IP address couldn’t access the network. It turned out that the IP was still listed as being in Sweden, even though it had already been reassigned to a German user.

I’m not sure how often this happens, but it’s something to be aware of.
If access issues occur, checking the GeoIP database and updating it or reporting incorrect entries can often resolve the problem.

2 Likes

Thanks so much for your kind words.

Keep in mind that we are not using their API to make the requests, we are making requests to the local database that we have already downloaded.

mkdir -p /usr/local/share/GeoIP/
cd /usr/local/share/GeoIP/
curl -fsSLm15 -u HereTheAccountID:HereTheLicenseKey "https://download.maxmind.com/geoip/databases/GeoLite2-Country/download?suffix=tar.gz" -o GeoLite2-Country.tar.gz
tar --wildcards --strip-components=1 -xf GeoLite2-Country.tar.gz '*.mmdb'
3 Likes

I did all as you documented. Now env is populating the country. I changed the country to US and loaded the site from INDIA, theoretically it should block the access and show 403 page. But site was loading. I feel apache is seeing the server IP address only.
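
Added example, not part of the thread and not Apache's or MaxMind's code: a simplified Python model of the two things that decide the outcome of these templates, namely which address the GeoIP lookup sees when a reverse proxy on 127.0.0.1 sits in front of Apache, and how the allow and block templates react when no country is found for that address. The addresses, the `GEO_DB` table, the trusted-proxy list and the helper names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data: documentation-range addresses, made-up countries.
GEO_DB = {"203.0.113.7": "ES", "198.51.100.9": "IN"}  # stands in for the .mmdb
# Assumption: only the local reverse proxy is trusted (RemoteIPTrustedProxy).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def effective_client_ip(peer, xff="", remoteip=True):
    """Address the GeoIP lookup sees (hypothetical helper).

    Simplified right-to-left X-Forwarded-For walk: an entry is accepted only
    while the address that delivered it is a trusted proxy. Apache's
    mod_remoteip applies further rules (for example for private addresses).
    """
    current = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()] if remoteip else []
    while hops and is_trusted(current):
        current = hops.pop()
    return current


def status(template, codes, peer, xff="", remoteip=True):
    """HTTP status under the thread's 'allow' or 'block' template."""
    code = GEO_DB.get(effective_client_ip(peer, xff, remoteip))  # None = unset
    flag = bool(code) and re.match("^(%s)" % "|".join(codes), code) is not None
    if template == "allow":          # Require env AllowCountry
        return 200 if flag else 403
    return 403 if flag else 200      # Require not env BlockCountry


if __name__ == "__main__":
    visitor = "198.51.100.9"  # constructed visitor, mapped to IN above
    for remoteip in (False, True):
        for tpl, codes in (("allow", ["US"]), ("block", ["IN"])):
            print(remoteip, tpl, codes,
                  status(tpl, codes, "127.0.0.1", visitor, remoteip))
```

In this model, a lookup done on the proxy address finds no country, so the allow template answers 403 to everyone while the block template lets everyone through; a forwarded address is honoured only when the connection comes from a trusted proxy.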

Did you restart/reload apache when doing the changes?

Show the output of these commands (replace YourUser and YourDomain with the actual user and domain):

cat /home/YourUser/conf/web/YourDomain/nginx.conf  
cat /home/YourUser/conf/web/YourDomain/nginx.ssl.conf

Could you please share your domain so I can test it (you can send me a private message if you don’t want to share it publicly)?

1 Like

I send you a personal message. Please see it

1 Like