Skip to main content
Version: 8.2405.x.x RR

CountryIpFilter

Experimantal

The filter is experimental, backward compatibility with upcoming releases is not guaranteed.

The CountryIpFilter can be used to associate a country with each request.

The country is calculated using the requests' IP-address (both IPv4 and IPv6 addresses are supported) and a provided IP-Location database. Currently only mmdb (MaxMind Database) format is supported.

The remote IP address is usually one of the client connecting directly to nevisProxy. If there is a load balancer or similar between the frontend and nevisproxy then the apache module mod_remoteip has to be configured via an ApacheConfigFilter. See the examples further down.

Classname
ch::nevis::nevisproxy::filter::validation::CountryIpFilter
Library
libValidationFilters.so.1

Configuration

DbFile

  • Type: string
  • Usage Constraint: required

The path of the IP-location file. Note that currently only mmdb format is supported. The database file is downloadable here (Edition ID: "GeoLite2-Country").

The file will automatically be reloaded if the content of the configured DbFile changes. The file modification will be checked in the interval configured under periodicity in the Timer section in the file navajo.xml.

A copy of the file will be placed into the run directory of the configured spoolDir in navajo.xml (usually /var/opt/nevisproxy/<instance>). It should be removed automatically once the instance is shut down. But in case of an unexpected behavior we recommend to regularly check the run directory in order to remove those files if the instance is not running.

Rules

  • Type: new-line separated list of strings
  • Usage Constraints: optional
  • Syntax: <country>:<action>

Defines what action should be taken when the request is from the specified country.

The allowed country names can be found here: https://www.geonames.org/countries/
The allowed actions can be found further down.

DefaultAction

  • Type: enum
  • Usage Constraints: optional
  • Default: allow

Defines what action to execute when no rules were matched because either the request's country was not in the Rules list or the request's IP-address does not have an associated country.
The allowed actions can be found further down.

SetEnv

  • Type: boolean
  • Usage Constraints: optional
  • Default: false

When enabled the determined location can be accessed for example by a LuaFilter using req:getAttribute('geolocation').

Actions

The following values are supported:

  • allow: Allows requests from the specified country.
  • log: Creates a log entry for each request from the specified country.
  • block: Blocks requests from the specified country.

Examples

Configuration example for the CountryIpFilter

The following CountryIpFilter will allow only requests coming from Austria, Germany or Switzerland:

<filter>
    <filter-name>DACHOnlyCountryIpFilter</filter-name>
    <filter-class>ch::nevis::nevisproxy::filter::validation::CountryIpFilter</filter-class>
    <init-param>
        <param-name>DbFile</param-name>
        <param-value>@PKG_VAR@/@PKG_INSTANCE@/conf/country.mmdb</param-value>
    </init-param>
    <init-param>
        <param-name>Rules</param-name>
        <param-value>
            Germany:allow
            Switzerland:allow
            Austria:allow
        </param-value>
    </init-param>
    <init-param>
        <param-name>DefaultAction</param-name>
        <param-value>block</param-value>
    </init-param>
</filter>

You can find a full example under /opt/nevisproxy/examples/apache_module/RestrictAccessByLocation.example on the host where nevisproxy has been installed.

Configuration examples for the apache module mod_remoteip

If there is no other component (like a load-balancer or a proxy) between nevisproxy and the frontend, then the CountryIpFilter can be used without configuring the apache module mod_remoteip.

If there is some component between nevisproxy and the frontend then you'll have to configure the apache module mod_remoteipvia an ApacheConfigFilter.

Usually an ApacheConfigFilter is enough:

    <filter-name>ConfigureRemoteIpFilter</filter-name>
    <filter-class>ch:nevis:navajo:apglue:httpd_${HTTPD_LIB_VERSION}_x:servlet:ApacheConfigFilter</filter-class>
    
    <init-param>
        <param-name>ServerConfig</param-name>
        <param-value>
            LoadModule remoteip_module /opt/nevisproxy/lib/libmetadata_ap_2_4.so.1
            RemoteIPHeader X-Forwarded-For
        </param-value>
    </init-param>

You can use this configuration if you trust the component between nevisproxy and the frontend to always set the X-Forwarded-For and never pass one which may have been set by the frontend.

To be on the safe side and avoid that malicious clients could fake their IP addresses, you can use the directive RemoteIPTrustedProxy like this:

<filter>
    <filter-name>ConfigureRemoteIpFilter</filter-name>
    <filter-class>ch:nevis:navajo:apglue:httpd_${HTTPD_LIB_VERSION}_x:servlet:ApacheConfigFilter</filter-class>
    
    <init-param>
        <param-name>ServerConfig</param-name>
        <param-value>
            LoadModule remoteip_module /opt/nevisproxy/lib/libmetadata_ap_2_4.so.1
            RemoteIPHeader X-Forwarded-For
            RemoteIPTrustedProxy 10.0.2.16/28
            RemoteIPTrustedProxy proxy.example.com
        </param-value>
    </init-param>
</filter>

You can find a full example under /opt/nevisproxy/examples/apache_module/RestrictAccessByLocation.example on the host where nevisproxy has been installed.

Here you can find more information about the apache module mod_remoteip: https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html