[TriLUG] Reverse Proxying and redirecting based on GeoIP

Cristóbal Palmer via TriLUG trilug at trilug.org
Mon Nov 30 17:10:44 EST 2020


On Mon, Nov 30, 2020 at 4:05 PM Thomas Delrue via TriLUG
<trilug at trilug.org> wrote:
>
> So this is my first blocker, is what I'm asking (i.e. turn those hard
> coded IP addresses into GeoIP countries) even doable, be it this
> suggested way or even at all? Has anyone done something like this and
> care to share their solution?

We do something like this with Apache for project Gutenberg because a
German court issued an injunction, and the path forward while that's
under appeal is to block German IP address space by redirecting all
clients from that space to a page at another domain.*

In a conf file (light edits added for brevity/clarity in this email):

-----8< snip 8<-----

# NOTE: mod_maxminddb is not available as a package for CentOS8; has
# to be built from source
# Proceed with caution! (https://github.com/maxmind/mod_maxminddb)
LoadModule maxminddb_module modules/mod_maxminddb.so
<IfModule mod_maxminddb.c>
  MaxMindDBEnable On
  MaxMindDBFile DB /usr/share/GeoIP/GeoLite2-Country.mmdb
  MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
</IfModule>

-----8< snip 8<-----

And in another file:

-----8< snip 8<-----
# Block access to Germany.
RewriteCond %{ENV:MM_COUNTRY_CODE} ^DE$
RewriteRule ^(.*)$ http://block.pglaf.org/germany.shtml [R=307]
-----8< snip 8<-----

Clearly your RewriteCond and RewriteRule lines would be different, but
this seems close enough to your case to be helpful in moving you
forward.

> And then on top of that: am I even thinking about this properly or is
> there another solution that I'm totally missing?

Heh. If you find out, please let me know. Some cursory searching shows
blog posts like this one....

https://blog.maxmind.com/2020/03/02/using-maxmind-geoip2-databases-with-haproxy-enterprise/

... which would have you doing this in haproxy, which is probably
closer to what you want if you can't touch the httpd for either site.
Whatever you do, know that you need to implement some sort of
monitoring to guard against your geoip data being stale. One way to do
that is to use a (paid) licensed service like maxmind's, but there are
other possible approaches.

Viel Glück,
-- 
Cristóbal Palmer
cmpalmer.org

* I did not choose this "solution" and I cannot speak to its merits,
so please don't argue with me about whether this was a good idea for
our case. I merely work at the entity providing hosting and have
implemented a solution that others agreed would meet certain
requirements.
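
Added example (not part of the original message, nor Project Gutenberg's own tooling): one way to do the staleness monitoring mentioned above is to read the `build_epoch` field from the metadata section at the end of the `.mmdb` file, which survives copies and restores that reset file mtime. The function names, the 14-day threshold and the sample bytes are assumptions constructed for illustration.

```python
import time

# Marker that precedes the metadata section at the end of a MaxMind DB file.
METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
# Encoded map key "build_epoch": control byte 0x4b
# (type 2 = UTF-8 string, length 11) followed by the key text.
BUILD_EPOCH_KEY = b"\x4bbuild_epoch"
METADATA_MAX_BYTES = 128 * 1024  # MaxMind DB spec limit for the metadata section

def build_epoch_from_bytes(tail: bytes) -> int:
    """Return the build_epoch stored in the metadata found in `tail`."""
    start = tail.rfind(METADATA_MARKER)  # the last marker starts the metadata
    if start < 0:
        raise ValueError("no MaxMind DB metadata marker found")
    meta = tail[start + len(METADATA_MARKER):]
    key = meta.find(BUILD_EPOCH_KEY)
    if key < 0:
        raise ValueError("metadata has no build_epoch key")
    value = meta[key + len(BUILD_EPOCH_KEY):]
    # uint64 is extended type 9: control byte 000sssss (sssss = byte length),
    # then a type byte of 9 - 7 = 2, then the big-endian integer.
    if len(value) < 2 or value[0] >> 5 != 0 or value[1] != 2:
        raise ValueError("build_epoch is not encoded as uint64")
    size = value[0] & 0x1F
    if size > 8 or len(value) < 2 + size:
        raise ValueError("truncated build_epoch value")
    return int.from_bytes(value[2:2 + size], "big")

def check_geoip_freshness(path, max_age_days=14, now=None):
    """Return (is_fresh, age_in_days); max_age_days=14 is an assumed threshold."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        fh.seek(max(0, fh.tell() - METADATA_MAX_BYTES))
        epoch = build_epoch_from_bytes(fh.read())
    age_days = ((time.time() if now is None else now) - epoch) / 86400
    return age_days <= max_age_days, age_days

# Constructed sample: tail of a fake .mmdb whose metadata map holds only build_epoch.
SAMPLE_EPOCH = 1606000000
SAMPLE_TAIL = (b"\x00" * 16 + METADATA_MARKER + b"\xe1" + BUILD_EPOCH_KEY
               + b"\x04\x02" + SAMPLE_EPOCH.to_bytes(4, "big"))

if __name__ == "__main__":
    import sys
    fresh, age = check_geoip_freshness(sys.argv[1])
    print(f"{'OK' if fresh else 'STALE'}: database built {age:.1f} days ago")
    sys.exit(0 if fresh else 2)
```

Run from cron or a monitoring agent against the path given to `MaxMindDBFile`; exit status 2 signals a stale database.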

