Merge pull request #14 from linuxserver/geoip2-instructions

Geoip2 instructions

readme-vars.yml

@@ -57,6 +57,7 @@ opt_param_env_vars:
   - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
   - { env_var: "EXTRA_DOMAINS", env_value: "", desc: "Additional fully qualified domain names (comma separated, no spaces) ie. `extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org`" }
   - { env_var: "STAGING", env_value: "false", desc: "Set to `true` to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes." }
+  - { env_var: "MAXMINDDB_LICENSE_KEY", env_value: "". desc: "Add your MaxmindDB license key to automatically download the GeoLite2-City.mmdb database. Download location is /config/geoip2db. The database is updated weekly."}
 opt_param_usage_include_vols: false
 opt_param_volumes:
   - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Configuration files." }
@@ -148,6 +149,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "20.09.20:", desc: "Update nginx.conf - Added geoip2 configs. Added MAXMINDDB_LICENSE_KEY variable to readme."}
   - { date: "08.09.20:", desc: "Add php7-xsl." }
   - { date: "01.09.20:", desc: "Update nginx.conf and proxy.conf (and various proxy samples) to better handle websockets." }
   - { date: "03.08.20:", desc: "Initial release." }

root/defaults/default

@@ -30,6 +30,12 @@ server {
 	# enable for Authelia
 	#include /config/nginx/authelia-server.conf;
 
+	# enable for geo blocking
+	# See /config/nginx/geoip2.conf for more information.
+	#if ($allowed_country = no) {
+	#return 444;
+	#}
+
 	client_max_body_size 0;
 
 	location / {

root/defaults/geoip2.conf

@@ -0,0 +1,115 @@
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+# To enable, uncommment the Geoip2 config line in nginx.conf
+# Add the -e MAXMINDDB_LICENSE_KEY=<licensekey> to automatically download the Geolite2 database.
+# A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
+
+geoip2 /config/geoip2db/GeoLite2-City.mmdb {
+    auto_reload 1w;
+    $geoip2_data_city_name   city names en;
+    $geoip2_data_postal_code postal code;
+    $geoip2_data_latitude    location latitude;
+    $geoip2_data_longitude   location longitude;
+    $geoip2_data_state_name  subdivisions 0 names en;
+    $geoip2_data_state_code  subdivisions 0 iso_code;
+    $geoip2_data_continent_code   continent code;
+    $geoip2_data_country_iso_code country iso_code;
+}
+
+# GEOIP2 COUNTRY CONFIG
+map $geoip2_data_country_iso_code $allowed_country {
+    # default must be yes or no
+    default yes;
+
+    # Below you will setup conditions with yes or no
+    # ex: <condition> <yes/no>;
+    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+    # Conditions are either network address (CIDR notation) or country code
+
+    # allow United Kingdom.
+    #GB yes;
+
+    # allow local access.
+    #192.168.1.0/24 yes;
+}
+
+# GEOIP2 CITY CONFIG
+map $geoip2_data_city_name $allowed_city {
+    # default must be yes or no
+    default yes;
+
+    # Below you will setup conditions with yes or no
+    # ex: <condition> <yes/no>;
+    # If your default is set to yes you can setup conditions that would set it to no (and vice versa)
+    # Conditions are either network address (CIDR notation) or city name
+
+    # allow Inverness.
+    #Inverness yes;
+
+    # allow local access.
+    #192.168.1.0/24 yes;
+}
+
+# Server config example:
+# Add the following if statement inside any server context where you want to geo block countries.
+
+########################################
+#	if ($allowed_country = no) {
+#	return 444;
+#	}
+#########################################
+
+# Add the following if statement inside any server context where you want to geo block cities.
+########################################
+#	if ($allowed_city = no) {
+#	return 444;
+#	}
+#########################################
+
+# Example using a config from proxy-confs
+
+#server {
+#    listen 443 ssl;
+#    listen [::]:443 ssl;
+#
+#    server_name unifi.*;
+#
+#    include /config/nginx/ssl.conf;
+#
+#    client_max_body_size 0;
+#
+#    # enable for ldap auth, fill in ldap details in ldap.conf
+#    #include /config/nginx/ldap.conf;
+#
+#    # enable for Authelia
+#    #include /config/nginx/authelia-server.conf;
+
+
+#    # Country geo block
+#    if ($allowed_country = no) {
+#       return 444;
+#    }
+
+
+#
+#    location / {
+#        # enable the next two lines for http auth
+#        #auth_basic "Restricted";
+#        #auth_basic_user_file /config/nginx/.htpasswd;
+#
+#        # enable the next two lines for ldap auth
+#        #auth_request /auth;
+#        #error_page 401 =200 /ldaplogin;
+#
+#        # enable for Authelia
+#        #include /config/nginx/authelia-location.conf;
+#
+#        include /config/nginx/proxy.conf;
+#        resolver 127.0.0.11 valid=30s;
+#        set $upstream_app unifi-controller;
+#        set $upstream_port 8443;
+#        set $upstream_proto https;
+#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#
+#        proxy_buffering off;
+#    }
+#}

root/defaults/nginx.conf

@@ -1,4 +1,4 @@
-## Version 2020/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2020/09/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
 
 user abc;
 worker_processes 4;
@@ -87,6 +87,13 @@ http {
 	include /config/nginx/site-confs/*;
 	lua_load_resty_core off;
 
+	##
+	# Geoip2 config
+	##
+	# Uncomment to add the Geoip2 configs needed to geo block countries/cities. 
+	##
+	
+	#include /config/nginx/geoip2.conf;
 }
 
 

root/etc/cont-init.d/50-config

@@ -77,6 +77,8 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 	cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
 [[ ! -f /config/nginx/authelia-location.conf ]] && \
 	cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
+[[ ! -f /config/nginx/geoip2.conf ]] && \
+	cp /defaults/geoip2.conf /config/nginx/geoip2.conf
 
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \