Block a website in specific countries using Nginx
Learn how to block a website in a country or specific countries using Nginx.
Introduction
In this article, I will show how to block a website or web app in one or more specific countries. This article assumes that the website is being served behind an Nginx reverse proxy running on an Ubuntu instance.
This demo is based on the following versions.
- OS: Ubuntu 22.04.1 LTS
- Nginx: nginx/1.18.0 (Ubuntu)
Pre-requisites
- Nginx
- Free GeoLite2 account — https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
Steps to follow
1. Install Nginx & GeoIP2 module
Start by installing Nginx and the GeoIP2 module on the Ubuntu server.
sudo apt-get install nginx libnginx-mod-http-geoip2
Run the nginx -V command and check that the output contains the text below (the build path may differ).
--add-dynamic-module=/build/nginx-d8gVax/nginx-1.18.0/debian/modules/http-geoip2
2. Create a free account on the MaxMind website.
Create an account on the MaxMind website to get access to the GeoLite2 database files.
3. Download the GeoLite2-Country.mmdb file & copy it to your Ubuntu server.
Once you sign up, you should be able to download the GeoLite2 database files. Download the GeoLite2-Country.mmdb file & copy it to an easily accessible location on the server. I put my database file under /opt.
Optional: You can also download the GeoLite2-City.mmdb file if you want to block your website in a specific city.
mv GeoLite2-Country.mmdb /opt
4. Edit the Nginx configuration file.
Now edit the /etc/nginx/nginx.conf file & add the below snippet inside the http block. Note that I have put IN no because I want to test geo-blocking in India. Put any country code that you want to block. no means you are blocking that country.
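http {
    # Look up the ISO country code of the client address in the GeoLite2 database.
    geoip2 /opt/GeoLite2-Country.mmdb {
        $geoip2_data_country_iso_code country iso_code;
    }
    # Allow every country by default; "no" marks a blocked country.
    map $geoip2_data_country_iso_code $allowed_country {
        default yes;
        IN no;
    }
    # ... rest of the existing http block ...
}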
5. Edit your Nginx website configuration file.
After enabling GeoLite2 in the main Nginx configuration, it’s time to configure your actual website so that whenever a visitor from a blocked country tries to load it, Nginx returns the 444 status code instead of the web page. 444 is an Nginx-specific code that closes the connection without sending a response.
This configuration file can be inside the /etc/nginx/conf.d or /etc/nginx/sites-enabled directory.
Add the below snippet to your website configuration file right after the listen directives in the server block.
if ($allowed_country = no) {
    return 444;
}
Below is how it looks on my server. I am using the default configuration, so my file is /etc/nginx/sites-enabled/default.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Close the connection for visitors from blocked countries.
    if ($allowed_country = no) {
        return 444;
    }
    # ... rest of the server block ...
}
6. Restart Nginx.
It’s always better to test your Nginx configuration with the sudo nginx -t command before restarting the service.
ubuntu@shashank-server:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
sudo systemctl restart nginx.service
7. Try opening your website.
Now open your website in the browser. It should display an error message similar to the one below.
This site can’t be reached
<server> refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
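The check from step 5 only applies to the server block it is added to, so a second virtual host without it still serves blocked countries. The script below is an added example, not part of the original article, that audits an access log for such gaps; it assumes a custom log_format (hypothetical name geo, shown in the comments) and runs on constructed sample lines.

```bash
#!/usr/bin/env bash
# Assumed (not in the article): each server block logs with this format,
# where "geo" is a hypothetical format name:
#   log_format geo '$remote_addr "$request" status=$status '
#       'allowed=$allowed_country country=$geoip2_data_country_iso_code host=$host';
#   access_log /var/log/nginx/access.log geo;

# Constructed sample lines (documentation IP ranges, not real traffic).
sample_log() {
  cat <<'EOF'
203.0.113.10 "GET / HTTP/1.1" status=444 allowed=no country=IN host=example.com
198.51.100.7 "GET / HTTP/1.1" status=200 allowed=yes country=US host=example.com
203.0.113.11 "GET /admin HTTP/1.1" status=200 allowed=no country=IN host=api.example.com
192.0.2.55 "GET / HTTP/1.1" status=200 allowed=yes country= host=example.com
203.0.113.12 "GET /?q=a allowed=yes HTTP/1.1" status=444 allowed=no country=IN host=example.com
EOF
}

# Split key=value fields. The last occurrence wins, so text inside the
# client-controlled request line cannot override the fields nginx appends.
parse='{ s = a = c = h = ""
  for (i = 1; i <= NF; i++) {
    if ($i ~ /^status=/)  s = substr($i, 8)
    if ($i ~ /^allowed=/) a = substr($i, 9)
    if ($i ~ /^country=/) c = substr($i, 9)
    if ($i ~ /^host=/)    h = substr($i, 6)
  } }'

# Leaks: the map said "no" but the response was not 444, which means the
# server block that handled the request has no geo-block check.
geo_block_leaks() {
  awk "$parse"' a == "no" && s != "444" { print h, c, s }'
}

# Dropped requests per country code, to confirm the block is firing.
geo_block_counts() {
  awk "$parse"' s == "444" { n[c]++ } END { for (k in n) print k, n[k] }' | sort
}

# Audit the log file given as $1, or the constructed sample without one.
if [ -n "${1:-}" ]; then
  geo_block_leaks < "$1"
else
  sample_log | geo_block_leaks
fi
```

Each line it prints names a host that answered a request the map marked as blocked; add the step 5 check to that server block.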
And that’s it. Using the steps above, you should be able to block your website in specific countries (or cities if you want). I hope you liked this post. Please follow me for more such articles.