How to block a Country using Nginx

A few days ago I had to block an entire country from one particular website. The problem was continuous attacks against one website that was hosted on the box. There are two ways to block a country; one I mentioned in an old post, Block a Country using CSF Firewall, which works pretty well. However, that firewall block works at the server level, and if you have multiple websites, all of them will block the traffic, which is not what I wanted this time.

This time I wanted to block an entire country from one single website, and the best way to do it was using the allow/deny options inside the virtual host configuration. Blocking a country using Nginx is pretty easy; see the example below:

Go to http://www.incredibill.me/htaccess-block-country-ips, select your country, click on Generate .htaccess code, and you will get many lines like these:

# BLOCK COUNTRY BY IP RANGE
# IncrediBILL's HTACCESS Tools
# http://incredibill.me

order allow,deny
#
# Block from ALBANIA (AL)
#
deny from 31.22.48.0/20
deny from 31.44.64.0/20
deny from 31.171.152.0/21
deny from 31.222.40.0/21

The only lines we need to care about are the ones starting with “deny from…”

Take all those deny lines, delete the word “from” from each one, and add “;” to the end of each line, so that every line looks like this:

deny 31.22.48.0/20;
deny 31.44.64.0/20;
deny 31.171.152.0/21;
deny 31.222.40.0/21;

At the end of all the deny lines, add this:

allow all;

So, it should look like this:

deny 31.22.48.0/20;
deny 31.44.64.0/20;
deny 31.171.152.0/21;
deny 31.222.40.0/21;
allow all;

Now let’s add those nasty IPs to Nginx. Create the file below and paste the lines into it:

nano -w /etc/nginx/block-country.conf

Now edit your virtual host configuration and include that block configuration in a location block, for example:

        location / {
            root   /var/www/yoursite.com;
            index  index.php;

            include /etc/nginx/block-country.conf;
        }

As you can see, we used the include directive to insert the allow/deny configuration into our virtual host config.

Alright, now reload Nginx to apply the changes:

service nginx reload
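
The manual edit above (drop “from”, append “;”, finish with allow all;) can be scripted. This added example is not from the original post: it converts the generator's .htaccess output into the contents of /etc/nginx/block-country.conf, rejects malformed ranges before they reach the config, and models nginx's behaviour of checking access rules in order until the first match, which is why allow all; goes last. The function names and the sample input are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input in the generator's format shown above.
HTACCESS = """\
# BLOCK COUNTRY BY IP RANGE
order allow,deny
#
# Block from ALBANIA (AL)
#
deny from 31.22.48.0/20
deny from 31.44.64.0/20
deny from 31.171.152.0/21
deny from 31.222.40.0/21
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)

def htaccess_to_nginx(text):
    """Return nginx access rules: one 'deny <cidr>;' per range, then 'allow all;'."""
    rules = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # comments, 'order allow,deny', blank lines
        # strict=True raises ValueError on malformed ranges or set host bits
        net = ipaddress.ip_network(m.group(1), strict=True)
        rules.append(f"deny {net};")
    if not rules:
        raise ValueError("no 'deny from' lines found")
    return rules + ["allow all;"]

def is_allowed(rules, client_ip):
    """Model nginx's evaluation: rules are checked in order, first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        action, target = rule.rstrip(";").split()
        if target == "all" or ip in ipaddress.ip_network(target):
            return action == "allow"
    return True  # no rule matched, so access is not restricted

if __name__ == "__main__":
    rules = htaccess_to_nginx(HTACCESS)
    print("\n".join(rules))  # paste into /etc/nginx/block-country.conf
    print(is_allowed(rules, "31.22.50.7"), is_allowed(rules, "198.51.100.9"))
```

After writing the generated lines to the file, run nginx -t to check the configuration before reloading.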

Testing Nginx Country Block

Use a proxy from your blocked country and if your block configuration is working fine, you shouldn’t be able to see your website.


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking

  • fdf

    I have nginx on a Windows 8 machine. Now how can I create and configure an SSL certificate for nginx on Windows?

  • ben

    Hi… I think you are wrong with this:

    So, it should look like this:

    deny 31.22.48.0/20;
    deny 31.44.64.0/20;
    deny 31.171.152.0/21;
    deny 31.222.40.0/21;
    allow all;

    The way it should look:
    allow all;
    deny 31.22.48.0/20;
    deny 31.44.64.0/20;
    deny 31.171.152.0/21;
    deny 31.222.40.0/21;

  • I think that it is a really bad idea to block a whole country from access to a web server. You should explore ways to fine-tune the blocking based on how they abuse your site, I think. For example: rate limits on page reloads. And publishing a guide like this means that many other server admins will blindly copy your idea.