nginx 基于 geoip 模块限制地区访问

1、安装 geoip 库

[root@VM-0-15-centos ~]# yum -y install geoip geoip-devel

 2、下载并安装 MaxMind 的免费 GeoIP 数据库。这里我选择下载 GeoLite2 数据库，适用于大多数应用。

访问 maxmind 官网（https://www.maxmind.com/），注册一个账号

有两种下载方法

• 方法一：使用wget命令下载（<your_license_key>换成自己注册账号的许可密码）

wget https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=<your_license_key>&suffix=tar.gz

•  方法二：在官网直接下载，再上传到服务器（这里我用的方法二）

下载好之后上传到服务器的 /opt 目录

[root@VM-0-15-centos opt]# ls
GeoLite2-Country_20241129.tar.gz  rh

3、解压数据库文件

[root@VM-0-15-centos opt]# tar xf GeoLite2-Country_20241129.tar.gz -C /usr/share/GeoIP/

 4、安装nginx，下载依赖包

[root@VM-0-15-centos opt]# yum -y install make zlib zlib-devel gcc-c++ libtool  openssl openssl-devel pcre pcre-devel

5、创建 nginx 运行用户

[root@VM-0-15-centos opt]# useradd nginx -s /sbin/nologin -M

6、上传nginx源码文件到 /opt 目录，并解压编译

[root@VM-0-15-centos nginx-1.26.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-pcre --with-http_v2_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module  --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-threads --with-stream --with-stream_ssl_module --with-http_geoip_module
[root@VM-0-15-centos nginx-1.26.2]# make && make install

7、创建软连接

[root@VM-0-15-centos nginx-1.26.2]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/nginx

8、检查 nginx 已经启用 geoip 模块

[root@VM-0-15-centos nginx-1.26.2]# nginx -V 2>&1 | grep geoip

 9、确保数据库文件存在，确保你下载的数据库文件 GeoLite2-Country.mmdb 正确放置在 /usr/share/GeoIP 目录下，并且该目录对 Nginx 有读取权限。

[root@VM-0-15-centos ~]# find / -name GeoLite2-Country.mmdb
/usr/share/GeoIP/GeoLite2-Country_20241129/GeoLite2-Country.mmdb

10、启动 nginx 并且访问

[root@VM-0-15-centos ~]# /usr/local/nginx/sbin/nginx 
[root@VM-0-15-centos ~]# ps -aux | grep nginx
root     18577  0.0  0.0  48636  1212 ?        Ss   18:10   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx    18578  0.0  0.1  51112  2048 ?        S    18:10   0:00 nginx: worker process
root     18634  0.0  0.0 112812   972 pts/0    S+   18:10   0:00 grep --color=auto nginx

可以看到，目前没有做地区限制，nginx是可以访问状态

接下来我们限制 中国、香港、澳门三个地区的访问

11、编辑 nginx 配置文件，分别在 http 模块和 server 模块里面添加以下内容

[root@VM-0-15-centos ~]# vim /usr/local/nginx/conf/nginx.conf
http {
    geoip_country /usr/share/GeoIP/GeoLite2-Country_20241129/GeoLite2-Country.mmdb;
    map $geoip_country_code $block_country {
        default 0;
        CN 1;
        HK 1;
        MO 1;
    }
}

server {
        listen       80;
        server_name  localhost;

        location / {
            if ($block_country) {
               return 403;
            }
            root   html;
            index  index.html index.htm;
        }
}

12、检查配置文件

[root@VM-0-15-centos ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

13、重启 nginx

[root@VM-0-15-centos ~]# killall nginx
[root@VM-0-15-centos ~]# /usr/local/nginx/sbin/nginx 

14、访问测试

可以看到，已经无法访问了

15、添加 nginx 到系统服务

[root@VM-0-15-centos ~]# vim /etc/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=network.target

[Service]
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

重新加载 systemd 管理器 ，并启动设置开机自启

[root@VM-0-15-centos ~]# systemctl daemon-reload
[root@VM-0-15-centos ~]# systemctl enable --now nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /etc/systemd/system/nginx.service.
[root@VM-0-15-centos ~]# systemctl status nginx
● nginx.service - The NGINX HTTP and reverse proxy server
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2024-12-29 18:29:09 CST; 4s ago
 Main PID: 22495 (nginx)
   CGroup: /system.slice/nginx.service
           ‣ 22495 nginx: master process /usr/local/nginx/sbin/nginx

Dec 29 18:29:09 VM-0-15-centos systemd[1]: Started The NGINX HTTP and reverse proxy server.
Dec 29 18:29:09 VM-0-15-centos nginx[25153]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 29 18:29:10 VM-0-15-centos nginx[25153]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 29 18:29:10 VM-0-15-centos nginx[25153]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 29 18:29:11 VM-0-15-centos nginx[25153]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 29 18:29:11 VM-0-15-centos nginx[25153]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 29 18:29:12 VM-0-15-centos nginx[25153]: nginx: [emerg] still could not bind()