Mario:
Here is what happened when I installed and configured mod_geoip 1.2.7 on my Windows 2008 Server running Apache HTTPD Server 2.4.2 in a 32-bit environment.
When I followed the instructions in readme_first.html, the instructions stated to add the following to httpd.conf:
<IfModule geoip_module>
GeoIPEnable On
# Specify full path to the database here!
# Use only one database.
# GeoIPDBFile /path/to/GeoIP.dat
# GeoIPDBFile /path/to/GeoLiteCity.dat
# IPv6 support use two databases
GeoIPDBFile bin/GeoIPv6.dat
GeoIPDBFile bin/GeoLiteCity.dat
</IfModule>
I did this with no problems (I even updated the GeoIPv6.dat and GeoLiteCity.dat files with no problems).
In the README file, there is a section for BLOCKING that states:
======== Blocking unwanted countries ==========
# This blocks traffic from China and Russia
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
# ... place more countries here
Deny from env=BlockCountry
# Optional - use if you want to allow a specific IP address from the country you denied
# See http://httpd.apache.org/docs/1.3/mod/mod_access.html for more details
# Allow from 10.1.2.3
If you add the BlockCountry commands where it states to add them, which I was led to believe was in the section of <IfModule geoip_module> and would make it look like:
<IfModule geoip_module>
GeoIPEnable On
# Specify full path to the database here!
# Use only one database.
# GeoIPDBFile /path/to/GeoIP.dat
# GeoIPDBFile /path/to/GeoLiteCity.dat
# IPv6 support use two databases
GeoIPDBFile bin/GeoIPv6.dat
GeoIPDBFile bin/GeoLiteCity.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
Deny from env=BlockCountry
</IfModule>
I got the following error in my Application log of my event viewer:
The Apache service named reported the following error:
>>> AH00526: Syntax error on line xxx of C:/Path/To/conf/httpd.conf:
The Apache service named reported the following error:
>>> deny not allowed here
Here is the section in my httpd.conf where I ended up placing the BlockCountry statements, instead of what the instructions for mod_geoip stated, to make it work:
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
Deny from env=BlockCountry
Require all granted
</Directory>
To make sure this was correct and GEOIP was working correctly with the BlockCountry command, I added SetEnvIf GEO_COUNTRY_CODE US BlockCountry in as well and was then unable to access my website in Denver, Colorado from my ISP in Denver, Colorado. As soon as I removed the statement I added, I was able to once again access my website.
This is just a sampling of all the Country Codes I am using to block unwanted countries/locales. I will say this works much better than blocking out blocks of IP addresses.
I am not as proficient as many others with Apache on this site, but this is how I got it to work, and it works very well (Access logs and Mod_Security logs are much more manageable). I used to have many "Deny from" IP address blocks where I am now using BlockCountry statements.
Any feedback on how to do this better would be much appreciated.
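The "deny not allowed here" error in this post comes from Deny being valid only in directory context (for example inside <Directory>) or in .htaccess, not directly inside a server-level <IfModule>. The Python check below is an added example, not part of the original post or the mod_geoip README; it flags Order/Allow/Deny lines that sit outside such a container, and both sample configs and the Directory path in them are constructed.

```python
import re

# Containers that give Order/Allow/Deny the directory context they require
# (simplified list; <IfModule>, <IfDefine> and <VirtualHost> do NOT provide it).
DIR_CONTEXT = {"directory", "directorymatch", "files", "filesmatch",
               "location", "locationmatch", "proxy", "proxymatch", "if"}
ACCESS_DIRECTIVES = {"order", "allow", "deny"}

OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

def find_misplaced(conf_text):
    """Return (line_no, directive, enclosing_containers) for every access
    directive that is not nested in a directory-context container.
    Assumption: one directive per line, no Include files followed."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        word = line.split()[0]
        if word.lower() in ACCESS_DIRECTIVES and not DIR_CONTEXT & set(stack):
            findings.append((no, word, tuple(stack)))
    return findings

# Constructed sample: the layout that produced the syntax error in the post.
BAD_CONF = """\
<IfModule geoip_module>
GeoIPEnable On
GeoIPDBFile bin/GeoIPv6.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry
</IfModule>
"""
# Constructed sample: the working layout; the path is a placeholder.
GOOD_CONF = """\
<Directory "C:/example/htdocs">
AllowOverride None
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry
Require all granted
</Directory>
"""
```

Running `httpd -t` (or `httpd.exe -t` on Windows) remains the authoritative syntax check; this script only shows which container a flagged line is actually in.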