How to Block a Country in nginx
Geo-blocking in nginx via ngx_http_geoip2_module + MaxMind GeoLite2 database. IP lookup → country code → allow/deny via map or if. Useful for compliance (GDPR, sanctions), reducing bot traffic. Cons: VPNs bypass easily, legitimate travellers get blocked, MaxMind requires signup (free tier fine).
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Register a free MaxMind account → download GeoLite2-Country.mmdb
- Install the nginx module:
apt install libnginx-mod-http-geoip2 - In nginx.conf http context:
geoip2 /path/GeoLite2-Country.mmdb { $geoip_country_code country iso_code; } - Map country → action:
map $geoip_country_code $blocked { default 0; CN 1; RU 1; } - In server block:
if ($blocked) { return 403; } - Auto-update GeoLite2 via
geoipupdatedaemon (monthly) - Test:
curl -H "X-Forwarded-For: 1.2.3.4" https://example.com
Working Examples
| Scenario | Config |
|---|---|
| Basic country blocking | # nginx.conf http:
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip_country_code country iso_code;
}
map $geoip_country_code $blocked {
default 0;
CN 1;
KP 1;
}
# server:
if ($blocked) { return 403; } |
| Whitelist only (allow some) | map $geoip_country_code $allowed {
default 0;
US 1;
CA 1;
GB 1;
DE 1;
}
if ($allowed = 0) { return 403; } |
| Custom blocked page | location = /blocked.html {
internal;
root /var/www/static;
}
if ($blocked) { error_page 403 /blocked.html; return 403; } |
| Allow admin IP bypass | set $skip 0;
if ($remote_addr = "1.2.3.4") { set $skip 1; }
if ($blocked = 1) { set $skip "${skip}1"; }
if ($skip = 1) { return 403; } |
| geoipupdate daemon | # /etc/GeoIP.conf
AccountID XXX
LicenseKey YYY
EditionIDs GeoLite2-Country
# Cron: 0 3 1 * * /usr/bin/geoipupdate |
Common Pitfalls
- VPN + Tor bypass any geo-blocking easily
- Legitimate travellers get blocked (business users on holiday)
- Cloudflare in front of nginx → $remote_addr = Cloudflare IP, not client. Use
$http_cf_ipcountryor real_ip_header - GeoLite2 accuracy is country-level 99%, city-level 70% — don't rely on city
- Compliance: legal risk to block whole countries (discrimination). Consult legal
Why teams trust us
How it works
Enter site URL
Security headers analyzed
Get grade A–F
What Does the Security Analysis Check?
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Header Analysis
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
SSL Check
TLS version, certificate expiry, chain of trust, HSTS support.
Leak Detection
Finding exposed server versions, debug modes, open configs, and directories.
Report with Recommendations
Detailed report explaining each issue with specific steps to fix it.
Who uses this
Security teams
HTTP header audit
DevOps
config verification
Developers
CSP & HSTS setup
Auditors
compliance checks
Common Mistakes
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Best Practices
Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Get more with a free account
Security check history and HTTP security header monitoring.
Sign up freeLearn more
Frequently Asked Questions
Cloudflare geo-blocking vs nginx?
Cloudflare: simple dashboard toggle, blocks before origin. nginx: more flexible, no CDN dependency. For critical security — both.
MaxMind vs IP2Location?
MaxMind GeoLite2 — free, good accuracy, standard. IP2Location — commercial, more details (proxy/VPN detection).
How to unblock admin from a blocked country?
Whitelist their IP BEFORE the country check. Or a separate admin.example.com without geo-block.
Which countries get blocked most?
Sanctions compliance: CU, IR, KP, SY. Security: countries with high bot activity. Business: where you have no support.