mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2026-04-25 17:35:52 +03:00
[GH-ISSUE #46] Add GeoIP module #45
Originally created by @teodorch85 on GitHub (Jan 8, 2019).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/46
Hi! As I am a noob with nginx, is it possible to enable the GeoIP module so we can also limit access by location?
https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-by-geoip/
Thank you!
@jc21 commented on GitHub (Jan 8, 2019):
Sounds doable. Makes sense to include with improvements in #38 as well.
@wuast94 commented on GitHub (Feb 21, 2019):
The geoip module is active by default, so no worry. It's just a bit of path mapping and editing config files :P
The main problem of the geoip module is that it uses legacy geoip databases, which are deprecated:
from https://dev.maxmind.com/geoip/legacy/downloadable/
to https://dev.maxmind.com/geoip/geoip2/geolite2/ which is using
MaxMind databases.
But the geoip module from nginx is using the legacy databases, so I don't know if it's an issue with nginx itself or with npm. It sounds nice to block countries etc., but I think nginx needs to fix it first before this feature can be added by the devs to the container, or am I wrong?
I wrote more in #78.
@jc21 commented on GitHub (Feb 25, 2019):
Yep, I've found the legacy databases are no longer supplied, so everyone has to convert to geo2.
Seems it's trivial to add the new module: https://docs.nginx.com/nginx/admin-guide/dynamic-modules/geoip2/
Also the geolite databases need to be baked in to the docker image.
@wuast94 commented on GitHub (Feb 25, 2019):
I think it would be better to make this possible by mounting the nginx dir from the host system, so everyone can edit it as wanted (use other modules or databases).
And I think the geo2 module should be added by the nginx docker maintainer. Many modules are installed by default: https://github.com/nginxinc/docker-nginx/blob/master/stable/alpine/Dockerfile
@jc21 commented on GitHub (Feb 25, 2019):
You can already do that if you want to. In any docker image there is no restriction in what you're mounting and where. Even though I bake in config or files you're always able to override them.
@corvy commented on GitHub (Apr 24, 2020):
I would really love this feature. :)
@ghallford commented on GitHub (Jul 9, 2020):
This would be awesome because in order to use this
Currently nginx fails with this error when I add the custom log format:
I need the geoIP information to send to InfluxDB custom format:
@joggs commented on GitHub (Aug 17, 2020):
Looking forward to this!
@brokoler commented on GitHub (Nov 16, 2020):
Still missing and everything I'm waiting for! 👍
@risiman commented on GitHub (Jan 31, 2021):
That sounds great to me
@andyshutak commented on GitHub (Feb 25, 2021):
Likewise this will help massively in reducing attempted logons and bruteforcing on my network. Watching closely.
@Br3b commented on GitHub (Mar 2, 2021):
Hi guys,
This would be great! I was trying to get the geoip module working, or to at least implement some kind of monitoring for the nginx proxy manager with telegraf and grafana. But my limited docker knowledge is just not enough.
I would appreciate if this feature would be available out of the box :)
Stay healthy!
@rh535 commented on GitHub (Mar 31, 2021):
This would be great!
@danner26 commented on GitHub (Apr 15, 2021):
@jc21 any update? I would be happy to help develop on this if y'all need an extra hand in order to get it included.
@mgutt commented on GitHub (Apr 19, 2021):
+1
@phrogg commented on GitHub (Apr 26, 2021):
Is there any way to do this without it being implemented? If I can set it up manually I may be able to make a PR out of it.
@mouseron commented on GitHub (Jul 20, 2021):
Checking in to see how this is going. @jc21 is there any update please? It would be great to have this implemented, please and thank you!
@jc21 commented on GitHub (Jul 20, 2021):
See #1202
@mouseron commented on GitHub (Jul 20, 2021):
Thanks and it's great to see there will be a V3! I wasn't aware.
It's not clear to me whether GeoIP2 will be part of this new version though... The closest statement I could find was "UI Configurable IP ranges for real_ip determination"
Will GeoIP2 be incorporated?
Thanks again!
@Pacerino commented on GitHub (Sep 12, 2021):
@mouseron
Take a look at https://github.com/sherpya/geolite2legacy
and
https://www.miyuru.lk/geoiplegacy
@Pacerino commented on GitHub (Sep 12, 2021):
Hey @wuast94, I was wondering how the geoip module is active by default when openresty doesn't get compiled with the flag to enable the geoip module? It would be nice if you could explain in detail how you managed it. The answers you've given aren't detailed.
@jc21 commented on GitHub (Sep 13, 2021):
Should anyone want to look at adding the module:
@ghost commented on GitHub (Oct 28, 2021):
Here is some useful material on compiling geoip2 in openresty:
https://www.electrosoftcloud.com/en/compile-geoip2-in-openresty-and-how-to-use-it/
@OuticNZ commented on GitHub (Oct 31, 2021):
Did this get progressed any? Or is it waiting for someone to pick it up?
@chaptergy commented on GitHub (Oct 31, 2021):
No, I don't think there is any progress, and I don't think there will be an official integration in v2 of npm, unless someone wants to get working on it and creates a PR.
@Pacerino commented on GitHub (Oct 31, 2021):
I've actually made my own custom version of it with geoIP in order to use it with loki and grafana.
https://github.com/Pacerino/docker-nginx-full
https://github.com/Pacerino/nginx-proxy-manager
The only thing is that I've ported the CI to Drone. There is an error appearing when creating the container about missing deps. I've temporarily fixed it by installing
libgeoip1_1.6 manually with dpkg. After a reboot of the container everything works.
This is a quick and dirty implementation of it and not the latest release of the main repo. The frontend is missing the logo, but everything works. I should merge into the latest release and try to get rid of the missing dep and the logo.
@firebowl commented on GitHub (Jan 1, 2022):
Does anyone care about a geoip2 implementation? It would be a real pity if you have to give up the security of geoip2 for the really great and convenient variant of NPM.
@danner26 commented on GitHub (Jan 1, 2022):
I personally do.
@ghallford commented on GitHub (Jan 1, 2022):
I do as well!
--
Geoff
@Pl1997 commented on GitHub (Jan 17, 2022):
Hi, this would be great for me too !
@spiezmaestro commented on GitHub (Jan 29, 2022):
Hi, would like to have this as well!
@scyto commented on GitHub (Feb 2, 2022):
I am new to NPM, seeing if it can replace my custom config.
I am glad to see this will be in v3.
I note that despite someone saying the geoip modules are loaded in the base docker used for npm, nginx -V reveals this is not the case :-(
For now, with v2, is there any way to get the geoip modules working?
(I use them for my custom log format)
I copied over ngx_http_geoip_module.so and tried loading it using
/data/nginx/custom/root.conf
However I get the error
nginx: [emerg] "load_module" directive is specified too late in /data/nginx/custom/root.conf:2
I assume this is because this is placed at the end of the root conf rather than in the main block?
Is there any other workaround?
(in v3 can we have standard support for modules using the normal /modules-enabled/50*.conf files method?)
OK, I see how to get modules loaded in npm, I mapped a volume to /etc/nginx/modules
I am now caught in a dependency loop of finding just the right modules, I guess because I need the resty version of ngx_http_geoip_module.so (version 1019009). I am unclear where I can get that from?
@TehloWasTaken commented on GitHub (Mar 2, 2022):
Hey, just tried to look at your custom repos, but they're not public anymore, or deleted.
Do you still have these? I'd love to use these as I'd like to setup:
https://grafana.com/grafana/dashboards/12559
Thanks!
@Pacerino commented on GitHub (Mar 2, 2022):
I'm back on Friday and can take a look. I've probably deleted it.
Sent from my iPhone
On 02.03.2022 at 14:52, Tehlo @.***> wrote:
> I've actually made my own custom version of it with geoIP in order to use it with loki and grafana. https://github.com/Pacerino/docker-nginx-full https://github.com/Pacerino/nginx-proxy-manager
> The only thing is that I've ported the CI to Drone. There is an error appearing when creating the container about missing deps. I've temporarily fixed it by installing libgeoip1_1.6 manually with dpkg:
> wget http://ftp.de.debian.org/debian/pool/main/g/geoip/libgeoip1_1.6.12-7_amd64.deb
> dpkg -i libgeoip1_1.6.12-7_amd64.deb
> After a reboot of the container everything works.
> This is a quick and dirty implementation of it and not the latest release of the main repo. The frontend is missing the logo, but everything works. I should merge into the latest release and try to get rid of the missing dep and the logo.
@jgramling17 commented on GitHub (Oct 3, 2022):
Any updates on this? I think making it an optional config through env variables or something similar wouldn't sacrifice simplicity for basic use cases.
@benisai commented on GitHub (Jan 10, 2023):
I'm also interested in this.
@hellcry37 commented on GitHub (Mar 10, 2023):
The missing geoip is what is stopping me from using this instead of the actual nginx.
My nginx confs work great; what I miss is the ease of use of this software. But without geoip to protect my stuff, to let only one country access my websites, and to whitelist only some IPs from the countries I do not want to access my stuff, there is no way this is viable. Thanks for your consideration.
@nfacciolo commented on GitHub (May 5, 2023):
It's possible to install the module:
apt install libnginx-mod-http-geoip
Then create a custom config file:
nano /data/nginx/custom/http_top.conf
Here you can add all your geo config, then use the created variable.
@webysther commented on GitHub (May 8, 2023):
Maybe using this as reference: https://github.com/jlesage/docker-nginx-proxy-manager
@lavinir commented on GitHub (May 9, 2023):
I've created a script that uses location data from db-ip.com to create country based access lists in nginx proxy manager.
They publish updated addresses monthly and you can just set up a cron schedule to run the script and update the access list that way.
More details here
@webysther commented on GitHub (May 15, 2023):
I decided to do it like you, @lavinir, but directly in the router with the firewall and ipset. I just download geoip2 and use pandas to convert it to a CIDR IP list based on my needs. This solution has the advantage of removing the load from NPM, but it would be great to have this. For someone who wants to implement it:
In my case I put this in a docker container; I do the update on OpenWrt.
@lavinir commented on GitHub (May 17, 2023):
@webysther . Cool.
For me, I have use cases where I need the filter on a per rule basis so I can't block everything at the router level. But if you want to block all traffic from certain locations to your home that's a great solution 👍
@webysther commented on GitHub (May 21, 2023):
Yes, my solution doesn't work per rule or domain.
@GamerClassN7 commented on GitHub (Sep 14, 2023):
Hello,
Any news regarding the implementation of the geo module?
Thanks for info
@lavinir commented on GitHub (Sep 14, 2023):
Hi,
Unfortunately no, I haven't had the time to get back to this project yet..
@nfacciolo commented on GitHub (Sep 15, 2023):
If you install it directly on your server just install the dep : apt install libnginx-mod-http-geoip
If you use docker, create a dockerfile and RUN apt install libnginx-mod-http-geoip
@corvy commented on GitHub (Sep 15, 2023):
We should just fork and add it...
@webysther commented on GitHub (Sep 15, 2023):
I don't think it is a good idea; the new version is coming, and at some time in the future we could maybe add it to the new version, or make the new version flexible enough to support this kind of feature, like the mods of lsio.
@GamerClassN7 commented on GitHub (Sep 20, 2023):
What is this mod site ?
@webysther commented on GitHub (Sep 21, 2023):
https://mods.linuxserver.io/?mod=create
@wpresident commented on GitHub (Sep 22, 2023):
Can someone make complete instruction how to add geoip2 module in NPM docker?
@gzxiexl commented on GitHub (Oct 11, 2023):
I'm waiting too
@bohemtucsok commented on GitHub (Oct 19, 2023):
I'm waiting too
@ThatCoffeeGuy commented on GitHub (Nov 10, 2023):
Yeah, same. Considering switching back to baremetal nginx only because of this. :(
Is there an easy way to migrate from NPM docker to baremetal nginx? (fedora/ubuntu)
@mixpc commented on GitHub (Feb 23, 2024):
+1 for the implementation of geoblock in nginx-proxy-manager
@nbently commented on GitHub (Feb 29, 2024):
Edited 6/7/24 to be more concise & easy to read.
The PR above adds support for this geoip2 module: https://github.com/leev/ngx_http_geoip2_module.
The nginx_http_geoip2 module has been added to the base nginx configuration and can now be configured in Nginx Proxy Manager with the latest images. I'm not keen on providing a ton of support for this, but here's how I have my config set up.
You need the GeoLite2-City database from MaxMind. You'll need to create an account to download it. Keep in mind that this database is regularly updated and can become outdated quickly. It is outside the scope of this comment, but you may want to consider automating the download of the database into your configuration on a regular basis.
I have three custom files and the GeoLite2-City database mounted into the NPM container. I'm using bind mounts and have these files stored on my host machine in my configuration directory for NPM.
Configuration
GeoLite2-City.mmdb
This is the IP location database from MaxMind. This is how IPs are matched with locations.
Mount the IP database into the container here:
/data/geoip2db/GeoLite2-City.mmdb
enable_ngx_http_geoip2_module.conf
The module is now included in NPM, but we need to enable it. This file enables the module in nginx's configuration.
Mount this file into the container here:
/etc/nginx/modules/enable_ngx_http_geoip2_module.conf
File contents:
http_top.conf
This file tells the module where the GeoLite2-City database is and configures an additional log format that includes the IP location data in each log line.
Mount this file into the container here:
/data/nginx/custom/http_top.conf
File contents:
server_proxy.conf
This file tells NPM to add the logging configuration you created above to each proxy host.
Mount this file into the container here:
/data/nginx/custom/server_proxy.conf
File contents:
Feel free to tweak as it meets your needs, but this should get you up and running. This issue & #3334 should be able to be closed now.
Big thanks to @jc21 for getting the module merged so quickly.
@GamerClassN7 commented on GitHub (Apr 30, 2024):
Hello,
Would it be possible to add a more detailed step-by-step tutorial and put it in the documentation, maybe?
I was not able to get it working in latest version of NPM :(
Thank in advance!
@coltography commented on GitHub (May 23, 2024):
@GamerClassN7 did you ever get this figured out? Everywhere I look is not very noob friendly explanations of how to get this set up properly.
@sbe-arg commented on GitHub (May 24, 2024):
Have a look at bunkerweb. Has geoblock included and other waf rules.
@coltography commented on GitHub (May 24, 2024):
Thank you very much. Looks pretty neat, I'm wondering if it works with crowdsec. Will look into it.
@maboxx commented on GitHub (May 24, 2024):
What is bunkerweb? Maybe you have a link? Unfortunately I can't figure it out how it works and need more detailed instructions for dummies :-|
@phyte22 commented on GitHub (May 24, 2024):
I somehow managed it with NginxProxyManager. I can try to write a little noob tutorial here at the weekend, as I am one myself ^^
@maboxx commented on GitHub (May 24, 2024):
Wow that would be really great and I would be so grateful...... I have been waiting for this function in NPM for a long time and now I have no idea what to do :-(
@phyte22 commented on GitHub (May 24, 2024):
I definitely wanted to whitelist countries, so I downloaded the country DB from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and put it in my Nginx folder.

My Folder looks like this:
You have to create 3 files (as described above):
http_top.conf (config)
enable_ngx_http_geoip2_module.conf (enables the geoip module)
server_proxy.conf (for logging)

My http_top.conf looks like this:
In this example the Netherlands is accepted. Just add your whitelisted countries here.
Try to access your new log (/data/logs/geoip.log) and check whether the country DB works when you access your URLs (look at the last two values of the log line). If this looks correct, then just go to your ngx GUI and set this advanced config to make it work on your desired proxy:

hope this helps in a way
@maboxx commented on GitHub (May 28, 2024):
@phyte22
Thank you so much!
I will be testing this very soon. I have NPM in Docker. I think my data folder is already set up "persistent". I'll have to check that again.
What I understood.
Create 3 confs with the corresponding content.
What content must the other two .conf have?
enable_ngx_http_geoip2_module.conf
server_proxy.conf
Download the GeoLite2 Database:
/data/geiip2db/GeoLite2-Country.mmdb
@phyte22 commented on GitHub (May 28, 2024):
for 1.
look at the post from https://github.com/NginxProxyManager/nginx-proxy-manager/issues/46#issuecomment-1971318240
There you can see the content
@maboxx commented on GitHub (May 29, 2024):
Ok I have tested, unfortunately it does not work.
This is what my structure looked like:
Then I restarted the NPM docker container.
As soon as I configured the Advanced tab in NPM on a proxy host, the proxy host went offline.
I also have no access to the log in /logs/geoip.log. The log is not created.
My structure is then like this and I mounted also the conf in /etc/nginx/modules/enable_ngx_http_geoip2_module.conf
The result was the same. Do you or anyone else have any ideas?
@phyte22 commented on GitHub (May 29, 2024):
What does it look like in your created files?
Before you
you should first have a working log.
The file geoip.log is not created under any circumstances? Then something fundamental does not seem to be working...
@maboxx commented on GitHub (May 30, 2024):
Here the content from the files and once again my current structure:
http_top.conf
server_proxy.conf
enable_ngx_http_geoip2_module.conf, mounted on /etc/nginx/modules/
I also looked in the /usr/lib/nginx/modules path to see if the .so file exists, and it is there!
But at the end the geoip.log is not created.
@phyte22 commented on GitHub (May 30, 2024):
you referenced the City DB. But you downloaded, as i did, the Country DB :D
@maboxx commented on GitHub (May 30, 2024):
You're right :-) I changed it and restarted the container, but same result. The geoip.log is still not created :-(
The configuration looks good I think but still not working.....
@phyte22 commented on GitHub (May 30, 2024):
Hmm.. you can remove $geoip2_data_city_name out of the log. Additionally, these are all my related mounts for the NPM container:
/data/nginx/custom/server_proxy.conf
/data/nginx/custom/http_top.conf
/data/geoip2db/GeoLite2-Country.mmdb
/etc/nginx/modules/enable_ngx_http_geoip2_module.conf
Maybe you are missing something here?
Are you running the latest version?
@maboxx commented on GitHub (May 31, 2024):
I don't know what you mean with remove "$geoip2_data_city_name" out of the log? Can you explain again please?
It looks the same for me as it does for you, I have the same mounts as you.
The version is Version 2.11.2
See from inside the container:
http_top.conf
server_proxy.conf
GeoLite2-Country.mmdb
enable_ngx_http_geoip2_module.conf
The modules also exists:
Is it perhaps not enough just to restart the container? Do I perhaps have to delete it completely first? I don't think so.
@phyte22 commented on GitHub (Jun 1, 2024):
in my log_format I don't have “$geoip2_data_city_name” because we don't get the variable from the database.
apart from that, it's really weird... i didn't do more, if i remember correctly. Do you have any other NPM logs that might indicate that the geoip module could not be loaded or similar?
@maboxx commented on GitHub (Jun 1, 2024):
I have now adjusted the log format, but it does not change anything.
This is the log when I restart the NPM docker container:
@cruunnerr commented on GitHub (Jun 4, 2024):
@maboxx
Hey there. Since you seem to be German, you might want to have a look at this site: https://decatec.de/home-server/nginx-besucher-mittels-geoip2-nach-laendern-blockieren-geoblocking/
This is pretty much the same as @phyte22 described. So maybe that helps you. Would be nice if you report your config if it works correctly.
Also think about not blocking your own LAN by adding something like:
@maboxx commented on GitHub (Jun 7, 2024):
Thank you for the link, but I just don't think I understand it completely, I'm so sorry. The link only concerns me from the point "nginx-Konfiguration für GeoIP2", because the geoip module is already integrated in NPM, isn't it?
@nbently commented on GitHub (Jun 7, 2024):
@maboxx you might want to check to make sure your log_format configuration only includes variables present in the file you downloaded. I haven't tested this on the Country db, but theoretically it should still work, and it does seem like others have gotten it to work. FWIW the City db includes everything in the Country db but not the other way around. https://dev.maxmind.com/geoip/docs/databases/city-and-country#locations-files
Make sure your bind mounts are correct as well (e.g. the file on the host system is where you say it is).
I would suggest trying with my exact configuration first to see if that works and then tweaking it from there.
@maboxx commented on GitHub (Jun 8, 2024):
@nbently
I do it now exactly like you:
I have now started Docker. How can I now check whether the module is loaded or working?
@nbently commented on GitHub (Jun 8, 2024):
@maboxx if you're in the container you should now see a new log in /data/logs called geoip.log. That file will contain all of the new log data with the location data in each line. Make sure you have at least one proxy host set up and configured as well (otherwise there won't be any logs).
@maboxx commented on GitHub (Jun 8, 2024):
@nbently
I am sad, there is no log :-(
I don't understand it. I do exactly what you do.
@cruunnerr commented on GitHub (Jun 10, 2024):
@maboxx
I don't have much time at the moment. Will try to make you a noob-friendly HowTo till the weekend.
Just notice: I have my NPM docker folder in my home directory.
Basically I installed GeoIP like here: https://dev.maxmind.com/geoip/updating-databases
sudo add-apt-repository ppa:maxmind/ppa
sudo apt update
sudo apt install geoipupdate
I changed the DatabaseDirectory in /etc/GeoIP.conf:
DatabaseDirectory /home/USER/NPM_DOCKER_FOLDER/GeoIP
Also you need to insert your account details there.
First try to download the database:
sudo geoipupdate
This should create the database files in /home/USER/NPM_DOCKER_FOLDER/GeoIP
Then I created a crontab for updating the database.
sudo crontab -e
content:
Then I created the files
NPM_DOCKER_FOLDER/modules/enable_ngx_http_geoip2_module.conf
NPM_DOCKER_FOLDER/data/nginx/custom/http_top.conf
NPM_DOCKER_FOLDER/data/nginx/custom/server_proxy.conf
My files look like this:
enable_ngx_http_geoip2_module.conf:
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
http_top.conf:
server_proxy.conf:
Then I added the volume mounts to the docker-compose.yml:
start the container:
sudo docker-compose up -d
Notice that I added the
part inside the server_proxy.conf, since I couldn't get it worked with adding these lines in the webUI. But it worked pretty well. I tested accessing my proxy hosts via VPN from different countries, and only Germany got a response. :)
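Added example, not the file contents from @nbently's or @cruunnerr's comments (those were not preserved here): one way the three custom files can be laid out using the leev ngx_http_geoip2_module directives, a country whitelist, a LAN bypass so you cannot lock yourself out, and a geoip log to verify the lookup before enabling the block. Paths and the `$geoip2_data_country_code` variable name are assumptions matching the mounts named in this thread.

```nginx
# --- /etc/nginx/modules/enable_ngx_http_geoip2_module.conf ---
# Loads the module; must be in the main context, which is why a custom
# root.conf ("load_module ... specified too late") does not work.
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;

# --- /data/nginx/custom/http_top.conf (included in the http block) ---
# Point the module at the mounted Country database and export the ISO code.
# auto_reload picks up a refreshed .mmdb (e.g. from geoipupdate) without a restart.
geoip2 /data/geoip2db/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_data_country_code country iso_code;
}

# Whitelist: only the listed ISO codes are allowed; unknown/empty falls to "no".
map $geoip2_data_country_code $geo_allowed {
    default no;
    DE      yes;
    NL      yes;
}

# Private ranges have no database entry, so exempt them explicitly
# (this is the "don't block your own LAN" point raised above).
geo $geo_is_lan {
    default         0;
    127.0.0.0/8     1;
    10.0.0.0/8      1;
    172.16.0.0/12   1;
    192.168.0.0/16  1;
}

# Block only when the client is neither on the LAN nor in an allowed country.
map "$geo_is_lan:$geo_allowed" $geo_block {
    default 0;
    "0:no"  1;
}

# Log format that ends with the country code and the allow decision,
# so /data/logs/geoip.log shows whether the database lookup works.
log_format geoip '$remote_addr - [$time_local] "$request" $status '
                 '"$http_user_agent" $geoip2_data_country_code $geo_allowed';

# --- /data/nginx/custom/server_proxy.conf (included in every proxy host server block) ---
# First verify the log looks right; the "if" can be added afterwards (or put it
# in a single host's Advanced config to test one host at a time).
access_log /data/logs/geoip.log geoip;

if ($geo_block) {
    return 444;   # close the connection without a response
}
```

Keep the LAN bypass in sync with the set_real_ip_from ranges if NPM sits behind another proxy, since the module looks up $remote_addr as nginx sees it.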
@maboxx commented on GitHub (Jun 11, 2024):
Thank you very much @cruunnerr @nbently @phyte22 for your patience and effort, I will check again point by point as soon as I have time.
@cruunnerr commented on GitHub (Jun 11, 2024):
You're very welcome. Please keep in mind, that GeoIP-Blocking is a nice thing to have, but doesn't free your server from getting attacked.
It is good for blocking bots and crawlers and surely prevents your proxy hosts from being inspected from several countries. But attackers often use bot nets and have several bots in different countries. So it kind of protects you from getting attacked from "everywhere".
But I would definitely recommend you to also install crowdsec (or at least fail2ban) on your bare NPM-Server. Since crowdsec detects basically even before the packets reaches your NPM-Docker instance and can effectively protect against many kinds of attacks on vulnerabilities or exploits. Just imagine NPM or your OS has a vulnerability which can be attacked even before packets reach your Hosts or your NPM Docker instance.
For example, my crowdsec instance detected around 25 scenarios and blocked the IPs, just for today! For the whole of June I actually have 473 blocked scenarios (85 of them from Germany, which wouldn't even have been blocked via GeoIP).
Just think about it ;)
@nbently commented on GitHub (Jun 11, 2024):
@maboxx can you show us where you have the bind mounts configured?
@maboxx commented on GitHub (Jun 12, 2024):
I probably won't have time to go through the whole thing again until the weekend.
@cruunnerr
Thank you very much for the tips.
My constellation is such that my NPM runs on a virtual machine with hardened archlinux. Docker runs rootless there. NPM is my entrance to the network and then forwards to another virtual machine with my Nextcloud. This VM is also hardened and fail2ban is also running there. I may still have to take care of fail2ban on my NPM VM.
@nbently
I don't quite understand what you mean because my mounts work otherwise I couldn't access them from inside the container? Here is my stack that I deploy via Portainer.
@nbently commented on GitHub (Jun 14, 2024):
@maboxx that's what I was wondering, I see you're using volumes and not bind mounts. Theoretically that should work no problem but I bet that's where the issue is. Probably something permission related if I had to guess.
What happens if you create the geoip.log file manually (just an empty file)? I'd also check to make sure all the files you created have the same permissions as everything else & that the user running nginx has access to them.
@maboxx commented on GitHub (Jun 15, 2024):
Ok but when I compare the permissions from my files with the permissions of your file which seen above in your thread they are the same. What can be different between using bind mounts or volumes? What is exactly the difference and how can I set bind mounts?
I think another difference to your configuration is that my docker runs "rootless" but this should normally also not a problem....
I created the geoip.log manually. After restart and one day after now the .log have 0 bytes.
Maybe I just clone my VM and install NPM exactly like you did without rootless to see if it works? It remains strange. I don't think anything is configured wrong. Rootless and no bind mount should not be a problem.
@cruunnerr
Little digression about crowdsec. I would like to install crowdsec to secure NPM (docker). How exactly did you install and configure it? Do you have any links? Did you also install crowdsec as a docker or directly on the machine? How do I connect Crowdsec to the NPM Docker so that it secures NPM? Ideally, I would also like to completely back up the local machine at the same time, not just NPM?
@itsbaraa commented on GitHub (Jul 31, 2024):
Great Alternative.
@maboxx commented on GitHub (Aug 23, 2024):
@XDark187 Thanks for the tip. I still have no idea what exactly Bunkerweb is. I have heard of it but despite research I don't understand it exactly. Bunkweb is probably much more than "just" a proxy manager.
@itsbaraa commented on GitHub (Aug 23, 2024):
Bunkerweb is a reverse proxy but with a lot of security features to protect your services by default, one of these security features is geoIP blocking and stopping brute force attacks and stopping bots, all security features are just toggles that you can enable or disable if you don't need them.
NPM requires so much work just to enable geoip blocking.
NPM is easier but less secure and bunkerweb is more secure but requires a bit of time to get it fully setup. IMO it's 100% worth it.
If you don't want to bother with NPM or Bunkerweb the easiest way is to use geoIP blocking with Cloudflare.
@webysther commented on GitHub (Oct 9, 2024):
I think this issue is fixed on https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3766: https://nginxproxymanager.com/advanced-config/#enabling-the-geoip2-module:
To enable the geoip2 module, you can create the custom configuration file /data/nginx/custom/root_top.conf and include the following snippet:
I have tested it and it is working rock solid.
@maboxx commented on GitHub (Oct 9, 2024):
Many thanks for the tip. Does this need to be configured in addition to the things above or instead?
@webysther commented on GitHub (Oct 9, 2024):
Also add the geoip database
/data/GeoLite2-Country.mmdb
in http_top.conf:
After that you can create a map in the server block:
@webysther commented on GitHub (Oct 11, 2024):
Good point, just to add something on this. The main point of using geoip is to reduce the attack surface. The big takeaway about security is more about this:
Never keep just one layer of security.
@maboxx commented on GitHub (Oct 12, 2024):
Thank you very much for all the information. I haven't had time yet, but I'm going to try the topic again soon and hopefully I'll get it right and working.
@tanmaychimurkar commented on GitHub (Oct 15, 2024):
Hi there, I also tried the comment from @phyte22 here https://github.com/NginxProxyManager/nginx-proxy-manager/issues/46#issuecomment-2130372959, and set up everything according to the same volume mounts.
The geoip.log file appears, and it shows the correct ISO country code and whether or not it is allowed. The only issue I have is when I put the following in the advanced configuration of the proxy_host:
My proxy host goes offline. Moreover, the logs from the npm container show the following:
When I then go to /data/nginx/proxy_host on my local machine, the 8.conf proxy_host file itself is gone. When I revert the changes in the Advanced block, the 8.conf proxy_host file comes back.
The fallback_error.log shows the following:
The proxy-host-8_error.log shows nothing to point me in the right direction. Anyone know how to resolve this?
@webysther commented on GitHub (Oct 15, 2024):
You have somehow created a loop condition that makes your network go into a blocked state and reset. Check if your error page has a location that checks again against the geoip, or if there is a loopback somewhere. To help fix this, isolate and enable one host at a time.
@gioman commented on GitHub (Nov 26, 2024):
After some trial and error I have been able to make geoip work for proxy hosts. Anyway, the fact that the docs say that there is also this module
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so
seems to suggest that this approach can also be used for streams (am I wrong?). Anyway I'm struggling because in the stream conf files generated by NPM, if something like
is added, then an error like
nginx: [emerg] "if" directive is not allowed here in /data/nginx/stream/14.conf:11
is returned. If conditionals/if cannot be used there, how can the same as for proxy hosts be achieved?
Thanks in advance
@gioman commented on GitHub (Nov 30, 2024):
I did not find a solution within NPM, but I possibly found one that seems to work and that must be applied on the host. I'm not by any means an expert on NPM and UFW/IPTABLES, so please be kind if the following has something that is wrong. Suggestions and corrections are welcome.
First I installed the geoip module on the host; I used this guide https://www.seenlyst.com/blog/geo-blocking-ufw-iptables/ which I followed with success in other cases not involving NPM.
Then I also installed ufw-docker https://github.com/chaifeng/ufw-docker so as to be able to define firewall rules on the host that also apply to the NPM container.
Then:
Start UFW on the host, being careful to add a rule beforehand that will not cut you off from SSH, something like
Then
ufw-docker allow npm-app-1 443
This allows HTTPS traffic for the proxy hosts. Then:
sudo iptables -A ufw-user-forward -p tcp -m geoip --src-cc IT --dport 1234 -j ACCEPT
to allow (or deny, if you use "DROP" instead of "ACCEPT") IPs from whatever country code to reach your stream port.
This rule is not persistent across reboots (and probably also UFW restarts/reloads). I'm not sure what the best way is to make it persistent, but for now I'm happy applying it with a script after the host reboots.
I have also added NPM as a proxy host in itself, so to be able to reach it with its domain I had to add these rules too:
The first one is also necessary to allow reaching the NPM GUI with the host IP on port 81.
@Vaalus commented on GitHub (Jan 8, 2025):
I just logged in to say thank you! I tried your config and it immediately worked. Really appreciate it :)
EDIT: Just wanted to mention something: I couldn't access my site because I'm in the same LAN network. Had to modify the config files this way to get it to work:
http_top.conf
server_proxy.conf
@webysther commented on GitHub (Jan 8, 2025):
@jc21 is this not fixed with https://nginxproxymanager.com/advanced-config/#enabling-the-geoip2-module ? @teodorch85 I think you can close; I changed to use the geoip and it works perfectly.
@mauroreggio commented on GitHub (Jan 17, 2025):
Hi webysther. Sorry for my question.
I followed the link and I simply read to add 2 lines in a new config file. I started NPM and no error appeared.
But ... how can I use the geoip2 module?
Nothing in the web config interface.
Nothing new in the log.
Where can I put the geoip2 module usage config? (I'm interested in denying some location access and logging the IP access location.)
I searched a lot for examples but did not find anything.
Thanks.
@webysther commented on GitHub (Jan 17, 2025):
Please read the comments here; there are a few examples, like @Vaalus's next to my last comment.
@mauroreggio commented on GitHub (Jan 17, 2025):
I am just working on it now ... and sorry because I did not look well before.
I tried, but in the "start container log" it seems that NGPM does not find the database:
nginxpm-1 | ❯ Starting nginx ... nginxpm-1 | nginx: [emerg] MMDB_open("/data/geoip2db/GeoLite2-Country.mmdb") failed - Error opening the specified MaxMind DB file in /data/nginx/custom/http_top.conf:1
I think it is because of the first line of http_top.conf
geoip2 /data/geoip2db/GeoLite2-Country.mmdb {
but where is the database of geoip2 with this config?
@mauroreggio commented on GitHub (Jan 17, 2025):
I think I understand something (let me know if it is true).
This is the first step.
Once I've obtained a fresh copy of my database (GeoLite2-Country.mmdb) I can successfully run the NGPM container with no errors and with http_top.conf added as a Custom Config File.
Now I'm stuck in the next step that I read further up in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/46#issuecomment-2403546852
After you can create map on server block:
... where must I put this?
I tried adding it in the "Advanced" tab of my "Edit - Proxy Host" page of the web config ... but this puts the Proxy Host in error.
EDIT: I added the block in http_top.conf
This works well and logs all access in /data/logs/geoip.log
But in this way it is for ALL "Proxy Hosts" that NGPM serves.
Is it possible via the web interface to have the same result but maybe with different settings for each "Proxy Host"? (maybe using the "Advanced" tab that I showed in the image before?)
@adamoutler commented on GitHub (Feb 14, 2025):
Can someone please expand the docs? After enabling geoip, there should be a log of IPs at a minimum. It appears that enabling geoip requires you to follow some other guide to enable geoip functionality. The official guide just enables modules which do nothing on their own.
@gilbrotheraway commented on GitHub (Feb 18, 2025):
I second this, docs are pretty vague
@gioman commented on GitHub (Feb 18, 2025):
I don't have time to make a PR to docs, but I leave here my notes, feel free to use them for a pull request against docs.
Add to docker-compose.yml (in volumes):
Of course you need to first download the GeoLite databases from the MaxMind web site and put them in a proper location on the host, in the above example "/mnt/geoip/".
enable_ngx_http_geoip2_module.conf contains
http_top.conf contains something along the lines of:
server_proxy.conf contains
access_log /data/logs/geoip.log geoip;
Take down / up the container, enter it and reload nginx to see if there are errors:
To configure the settings for a specific proxy host, enter the container:
docker exec -it npm-app-1 bash
edit /data/nginx/proxy_host/XXX.conf (where "XXX" is the id of the proxy host):
vi /data/nginx/proxy_host/XXX.conf
nginx -s reload
@maboxx commented on GitHub (Apr 26, 2025):
Hello again,
I only now had the nerve to look at the topic again and I can hardly believe I'm a little further along.
I came across it via @gioman's last post, thank you very much!
The problem with me seems to have been that my http_top.conf and server_proxy.conf were in /data/custom and not in /data/nginx/custom. I moved these two files to /data/nginx/custom and now /data/log/geoip.log is finally created and I can see my connections in it 👍
I have now checked everything again and compared it with the information @cruunnerr gave me (link)
I would like to show where I currently stand because I am not sure whether it will work in the end and not-allowed countries will be blocked.
Add to docker-compose.yml (in volumes):
/data/nginx/custom/http_top.conf
/data/nginx/custom/server_proxy.conf
/data/nginx/custom/root_top.conf
The GeoLite2-Country.mmdb is downloaded and located in /data/geoip2db
I have added the following to each of my proxy hosts via the WebGui using the Advanced tab.
And for the first time, these do not turn red after saving but remain green. I am still considering whether I want to do it like @cruunnerr and enter this in the server_proxy.conf.
In the log I can now see that I am accessing via my IP which comes from my country.
My question now is how can I test whether US is blocked, for example? Actually just change the country XX in the http_top.conf and test again from my device? I did that but the access still works to my proxy host behind the npm....
EDIT:
I found the failure....
Here there was a colon after "default"; this must be removed, then it works.
And I tested it now over a VPN connection from NL and it works fine :-) NL is blocked.
Now I have the problem that I can no longer access my LAN with 192.168.1.1. The solution from @Vaalus and @cruunnerr does not help me.
Could someone help me with this again?
My current http_top.conf
EDIT again:
I have now managed to ensure that my LAN router IP is no longer blocked. I can therefore access from inside my LAN to the defined Proxy_hosts.
This is how I did it, no idea what I'm doing but it works. Here my http_top.conf:
@maboxx commented on GitHub (May 2, 2025):
One more question.... @cruunnerr
How did you implement the update of the Let's Encrypt certificates in the Nginx Proxy Manager? Pretty sure I have blocked the country from where the updates are coming from. I think I have to take the acme challenge out of the blocking so that it works.
@adamoutler commented on GitHub (May 2, 2025):
You blocked USA @maboxx ?
@cruunnerr commented on GitHub (May 3, 2025):
I have an own domain with a wildcard certificate. So no need for me to use Let‘s encrypt. :/
@maboxx commented on GitHub (May 3, 2025):
Yes, I am currently only allowing my home country.
I also have my own domain but at the moment I use the NPM function with Let's Encrypt because the certificates are always renewed automatically. You then always do this “manually” or via another automatic process?
@maboxx commented on GitHub (May 17, 2025):
I have now solved it so that the ACME Challenge continues to work.
The necessary allow exception for the ACME challenge is already in /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf by default and this is included in proxy_host.conf:
I have set this in the “Advanced” tab due to the previous discussions about the Web Gui:
However, this is then inserted too early in the proxy_host.conf and at the end it does not work. This part must be within the “location” block.
I have not yet found out how to do this via a custom.conf so that it ends up inside the location block. Therefore I have added each proxy host directly into the .conf. I don't have many so that's ok for me.
The allowed_country code must be added to the location block in the respective proxy_host.conf.
Now it works. I have now only allowed my home country and the ACME Challenge from NPM still works.
@terrytangabc commented on GitHub (May 26, 2025):
For anyone who's looking for a complete guide to enable the geoip module in NPM, here are the steps:
Before we start, check the volume your NPM container can access in the compose.yml file. We'll put all the files in this guide under there. For me it's
step 1: download GeoLite2-Country.mmdb
You can download directly from some GitHub repo which does not require sign-up or login. I download from here. Then save it to
/opt/docker/nginx-proxy-manager/data/geoip2db/
step 2: create /opt/docker/nginx-proxy-manager/data/nginx/custom/root_top.conf (create the 'custom' dir if there is none)
step 3: create /opt/docker/nginx-proxy-manager/data/nginx/custom/http_top.conf. Remember to modify the allowed_country code to your needs
step 4: create /opt/docker/nginx-proxy-manager/data/nginx/custom/server_proxy.conf
step 5: restart your NPM container
! LIMITATIONS:
The default log format of NPM will be overridden. Tools relying on NPM logs might break (fail2ban, goaccess for NPM, etc.). Adjust the parameters in these tools accordingly after the steps above are applied. I didn't find a way to achieve this without overriding the log format.
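The following is an added example that ties together the pieces mentioned in this thread (the root_top.conf, http_top.conf and server_proxy.conf files from the guide above, the "no colon after default" fix, the LAN lock-out and the ACME challenge remarks from @maboxx). It is not configuration from the thread or from the Nginx Proxy Manager project; the file paths follow the guide above, while the country list, the LAN ranges and the variable names $lan_client and $geo_block are assumptions to adapt to your own setup.

```nginx
# ---- /data/nginx/custom/root_top.conf (main context) ----
# Load the geoip2 module shipped in the NPM image.
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;

# ---- /data/nginx/custom/http_top.conf (http context) ----
# Open the MaxMind database and expose the ISO country code of $remote_addr.
geoip2 /data/geoip2db/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_data_country_code country iso_code;
}

# Allow-list of countries, one entry per line.
# Note: "default no;" has no colon after "default"; a colon is a syntax error.
map $geoip2_data_country_code $allowed_country {
    default no;
    DE yes;   # assumption: replace with your own country codes
    NL yes;
}

# Private addresses are not in the database, so they get an empty country
# code and would be blocked. Mark LAN clients explicitly (assumed ranges).
geo $lan_client {
    default 0;
    192.168.1.0/24 1;
    10.0.0.0/8 1;
}

# Block only when the client is neither on the LAN nor from an allowed country.
map "$lan_client$allowed_country" $geo_block {
    default 1;
    "~^1" 0;      # LAN client
    "~yes$" 0;    # allowed country
}

# Log format that records the lookup result for every request.
log_format geoip '$remote_addr - [$time_local] "$request" $status '
                 'country=$geoip2_data_country_code allowed=$allowed_country';

# ---- /data/nginx/custom/server_proxy.conf (every proxy host server block) ----
access_log /data/logs/geoip.log geoip;

# ---- inside the proxy host's location block ----
# As noted in the thread, the check must sit inside the location block of the
# generated /data/nginx/proxy_host/<id>.conf, so that the ACME challenge
# location included from letsencrypt-acme-challenge.conf keeps working.
if ($geo_block) {
    return 444;   # close the connection without a response
}
```

After changing any of these files, run nginx -t inside the container before reloading; a wrong database path shows up as the MMDB_open error quoted earlier in the thread. Check /data/logs/geoip.log for a request from your own address to confirm the country code and the allowed flag look right before enabling the block on more than one host.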
@adamoutler commented on GitHub (May 26, 2025):
@terrytangabc you should contribute to the docs. They're very unclear and anything would be better.
@bonelifer commented on GitHub (Jun 18, 2025):
I had a go at adding @terrytangabc section into the documentation. Don't know anything about vitepress, I used Deepseek to bring the directions more in line with the same document style/tone as the rest of the Advanced Configuration (index.md). If someone could look it over to make sure nothing was left out. I'll fork and add it and do a PR.
edit: it would help if I put the URL for the gist: https://gist.github.com/bonelifer/765fdfce1af0df2a57fed4e62c7bdaf4
@uniquegch commented on GitHub (Jul 8, 2025):
@terrytangabc Thank you for the instructions.
I do have two questions.
Within http_top.conf I can add countries I allow; do I add them one line each or on the same line?
for example:
DE yes;
NL yes;
or DE NL yes;
I have goaccess for NPM installed and see hits from Australia, Sweden, US, etc but based on the allowed countries that should not be the case.
examples (the first number seems to be the ASN, for which I do not have the database integrated):
I know that ACME is already allowed, so could that be the sources not being blocked by "allowed countries"?
And one more thing: the nginxproxymanager and goaccess for nginxproxymanager have been running brand new since today.
@terrytangabc commented on GitHub (Jul 9, 2025):
@uniquegch
@uniquegch commented on GitHub (Jul 9, 2025):
@terrytangabc Thank you for your reply.
I do know enough to be "dangerous", but that is already a new area for me to learn more about.
A. I looked in npm/data/logs and there was no geoip log, but in server_proxy.conf I put in the information I found in the instructions, step 4
# override NPM default access_log conf
access_log /data/logs/geoip.log geoip;
B. I am also wondering about step 2, creating the file root_top.conf with the two lines
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
Because I assume those would be within the npm docker container? Within the server (Debian 12) I do not have those files under /usr/lib/
C. goaccess for nginxproxymanager finds two of several logs
File /opt/log/proxy-host-2_access.log exists
File /opt/log/proxy-host-1_access.log exists
there are also two proxy-host-N_error.log files
@uniquegch commented on GitHub (Jul 10, 2025):
I had to fix the path. Now it is working and I tested the geo lock, which works. Now I have to find out how to change the settings in goaccess to get the log in the correct format.
Thanks for the instructions.
@BourbonDoc commented on GitHub (Sep 3, 2025):
I've tried a few versions of these steps and it still doesn't work. I get the error that no such file exists for the module.so files. I haven't seen anywhere that talks about creation of a modules folder or what files to put in it. Am I missing something really dumb?
@zigazajc007 commented on GitHub (Sep 8, 2025):
Is it possible for this to be implemented in the dashboard?
Example we just select whitelisted and blocked countries. And set if default is allow all or deny all countries.
@nbently commented on GitHub (Oct 8, 2025):
This would definitely be ideal. I had planned on taking a stab at this but life is busy. There are really two separate PRs here. The first is just adding functionality to allow requests to be tagged with the location in the logs using the GeoIP module and the second is functionality to block requests based on location.
When I originally built this into NPM, it was only with the intention of being able to visualize where requests were coming from and not to block them, so more thought needs to go into that.
I'll think more about this and see if I can find some time to at least postulate how the first PR could be structured.