基于Debian的Nginx GeoIP2实践
Youtube视频
相关链接
编译安装Nginx
编译环境依赖
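# Install the build toolchain and the development headers that nginx's
# ./configure probes for. libmaxminddb-dev is what the geoip2 add-on module
# links against; libgeoip-dev is only needed for the legacy
# --with-http_geoip_module / --with-stream_geoip_module flags.
# Run as root. The package index is refreshed first so the install does not
# fail on, or pull packages from, a stale index. apt-get is used because its
# command-line interface is stable for scripted use.
apt-get update
apt-get -y install \
  wget zip unzip gcc g++ make \
  libpcre3 libpcre3-dev \
  openssl libssl-dev \
  zlib1g-dev libperl-dev libgd-dev \
  libxml2 libxml2-dev libxslt-dev \
  libmaxminddb-dev libgeoip-dev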
下载解压源码
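# Fetch the nginx source over HTTPS. With plain HTTP, anyone on the network
# path could swap the tarball that is about to be compiled and installed as root.
wget -O /opt/nginx.tar.gz https://nginx.org/download/nginx-1.25.3.tar.gz
# The detached PGP signature is published next to the tarball. Before building,
# import the nginx release keys listed at https://nginx.org/en/pgp_keys.html
# and check the archive:
#   gpg --verify /opt/nginx.tar.gz.asc /opt/nginx.tar.gz
wget -O /opt/nginx.tar.gz.asc https://nginx.org/download/nginx-1.25.3.tar.gz.asc

# Third-party geoip2 module, pinned to release tag 3.4. A tag archive carries no
# signature, so record the SHA-256 of a copy you have reviewed and compare on
# every later download (placeholder value shown):
#   echo "<EXPECTED_SHA256>  /opt/geoip2.zip" | sha256sum -c -
wget -O /opt/geoip2.zip https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/3.4.zip

# Unpack nginx into /opt/nginx, dropping the versioned top-level directory.
mkdir -p /opt/nginx
tar -zxf /opt/nginx.tar.gz -C /opt/nginx --strip-components=1
# -j flattens the archive so the module's "config" file sits directly in
# /opt/nginx/geoip2, the directory later passed to --add-module.
unzip -jq /opt/geoip2.zip -d /opt/nginx/geoip2

# Configuration and temp-file directories referenced by ./configure.
# -p keeps the step re-runnable when the directory already exists.
mkdir -p /etc/nginx
mkdir -p /var/cache/nginx

# Unprivileged account for the worker processes: system account (-r), no home
# directory (-M), no login shell. Debian ships nologin at /usr/sbin/nologin.
# Skipped when the account already exists.
id -u nginx >/dev/null 2>&1 || sudo useradd -r -s /usr/sbin/nologin -M nginx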
Nginx编译配置
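# Configure the nginx build from the unpacked source tree.
#
# Only --add-module=/opt/nginx/geoip2 (plus libmaxminddb) is required for the
# GeoIP2 part of this walkthrough. Every other module compiled in is extra code
# exposed to network input, so on a production host trim the list to what the
# site uses. Review in particular --with-http_dav_module, --with-mail,
# --with-http_perl_module and --with-http_stub_status_module.
# --with-debug enables debug-level logging support. It is useful while
# practising, but leave it out of production builds unless it is needed.
# --user/--group make the workers run as the unprivileged "nginx" account.
cd /opt/nginx
./configure \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --user=nginx \
  --group=nginx \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --with-file-aio \
  --with-threads \
  --with-compat \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_xslt_module=dynamic \
  --with-http_image_filter_module=dynamic \
  --with-http_geoip_module=dynamic \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_auth_request_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_degradation_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --with-http_perl_module=dynamic \
  --with-mail=dynamic \
  --with-mail_ssl_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_realip_module \
  --with-stream_geoip_module=dynamic \
  --with-stream_ssl_preread_module \
  --add-module=/opt/nginx/geoip2 \
  --with-debug
# Show the option lines in auto/options that contain YES, as a quick look at
# which build switches default to on.
grep YES auto/options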
编译安装
# Single-threaded build and install.
# This and the parallel variant below are alternatives: run one of them.
# "make install" runs only if the build succeeded, and writes to system paths
# (/usr/sbin, /etc/nginx, /usr/local/nginx), so it needs root.
make && make install
# Parallel build (3 jobs) and install
make -j3 && make install
systemd服务配置
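# Write the systemd unit for the self-built nginx (run as root).
# The heredoc delimiter is quoted so the unit text is written literally: a
# later edit that adds "$" or backticks to the unit cannot be expanded by the
# shell.
# The master process starts as root and the workers drop to the user given at
# ./configure time. On a production host, consider reviewing systemd sandboxing
# options such as NoNewPrivileges=, ProtectSystem= and PrivateTmp=, and test
# them against this build before enabling them.
cat > /etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStartPost=/usr/bin/sleep 0.5
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
EOF
# Make systemd read the new unit, then enable it at boot and start it now.
# ExecStartPre runs "nginx -t", so a broken configuration fails the start
# instead of bringing up a half-configured server.
sudo systemctl daemon-reload
sudo systemctl enable nginx.service --now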
GeoIP配置
下载MaxMind Geo数据库(将GeoLite2-Country.mmdb与GeoLite2-City.mmdb放到/usr/local/nginx/maxmind/目录,即下文geoip2指令引用的路径)
修改Nginx配置
http{
    # Access-log format extended with the country code and country name that
    # the geoip2 lookups below resolve.
    # $http_x_forwarded_for is copied from a client-supplied header, so treat
    # that log field as untrusted input when parsing or alerting on it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$geoip2_country_code '
                    '$geoip2_country_name ';

    # Country database: exposes the ISO country code and the English name.
    # NOTE(review): the module looks up $remote_addr unless a source= variable
    # is given. Behind a CDN or reverse proxy that is the proxy's address, so
    # restore the client address with the realip module first, and accept it
    # only from proxy addresses you control (set_real_ip_from). Otherwise a
    # client can pick its own "country" by sending a forged header.
    geoip2 /usr/local/nginx/maxmind/GeoLite2-Country.mmdb {
        $geoip2_country_code country iso_code;
        $geoip2_country_name country names en;
    }

    # City database: exposes the English city name.
    geoip2 /usr/local/nginx/maxmind/GeoLite2-City.mmdb {
        $geoip2_city_name city names en;
    }

    # Map $geoip2_country_code to $blacklisted_country:
    # "no" by default, "yes" when the country code is CN.
    # An address missing from the database falls through to "default", so it
    # is allowed.
    map $geoip2_country_code $blacklisted_country {
        default no;
        CN yes;
    }
}
网站server配置
server{
    # Reject requests from countries flagged by the $blacklisted_country map.
    # The check lives inside "location /" only. Any other location block added
    # to this server is not covered unless it repeats the check.
    # Country filtering is a coarse control (VPNs and proxies change the
    # apparent country), so it should not replace authentication or
    # authorization on sensitive paths.
    location / {
        if ( $blacklisted_country = yes ){
            return 403;
        }
    }

    # Serve a custom page for 403 responses. "internal" keeps /403.html from
    # being requested directly, so it is reachable only through error_page.
    error_page 403 /403.html;
    location = /403.html {
        root /usr/local/nginx/html;
        internal;
    }
}