CountryIpFilter
The filter is experimental, backward compatibility with upcoming releases is not guaranteed.
The CountryIpFilter can be used to associate a country with each request.
The country is calculated using the requests' IP-address (both IPv4 and IPv6 addresses are supported) and a provided IP-Location database. Currently only mmdb (MaxMind Database) format is supported.
The remote IP address is usually one of the client connecting directly to nevisProxy. If there is a load balancer or similar between the frontend and nevisproxy then the apache module mod_remoteip
has to be configured via an ApacheConfigFilter. See the examples further down.
ch::nevis::nevisproxy::filter::validation::CountryIpFilter
libValidationFilters.so.1
Configuration
DbFile
Type: string
Usage Constraint: required
The path of the IP-location file. Note that currently only mmdb format is supported. The database file is downloadable here (Edition ID: "GeoLite2-Country").
The file will automatically be reloaded if the content of the configured DbFile
changes. The file modification will be checked in the interval configured under periodicity in the Timer section in the file navajo.xml.
A copy of the file will be placed into the run
directory of the configured spoolDir
in navajo.xml (usually /var/opt/nevisproxy/<instance>
). It should be removed automatically once the instance is shut down. But in case of an unexpected behavior we recommend to regularly check the run directory in order to remove those files if the instance is not running.
Rules
Type: new-line separated list of strings
Usage Constraints: optional
Syntax: <country>:<action>
Defines what action should be taken when the request is from the specified country.
The allowed country names can be found here: https://www.geonames.org/countries/
The allowed actions can be found further down.
DefaultAction
Type: enum
Usage Constraints: optional, conditional
Default: allow
Defines what action to execute when no rules were matched because either the request's country was not in the Rules list or the request's IP-address does not have an associated country.
The allowed actions can be found further down.
SetEnv
Type: boolean
Usage Constraints: optional
Default: false
When enabled the determined location can be accessed for example by a LuaFilter using req:getAttribute('geolocation')
.
Actions
The following values are supported:
- allow: Allows requests from the specified country.
- log: Creates a log entry for each request from the specified country.
- block: Blocks requests from the specified country.
Examples
Configuration example for the CountryIpFilter
The following CountryIpFilter will allow only requests coming from Austria, Germany or Switzerland:
<filter>
<filter-name>DACHOnlyCountryIpFilter</filter-name>
<filter-class>ch::nevis::nevisproxy::filter::validation::CountryIpFilter</filter-class>
<init-param>
<param-name>DbFile</param-name>
<param-value>@PKG_VAR@/@PKG_INSTANCE@/conf/country.mmdb</param-value>
</init-param>
<init-param>
<param-name>Rules</param-name>
<param-value>
Germany:allow
Switzerland:allow
Austria:allow
</param-value>
</init-param>
<init-param>
<param-name>DefaultAction</param-name>
<param-value>block</param-value>
</init-param>
</filter>
You can find a full example under /opt/nevisproxy/examples/apache_module/RestrictAccessByLocation.example
on the host where nevisproxy has been installed.
Configuration examples for the apache module mod_remoteip
If there is no other component (like a load-balancer or a proxy) between nevisproxy and the frontend, then the CountryIpFilter can be used without configuring the apache module mod_remoteip
.
If there is some component between nevisproxy and the frontend then you'll have to configure the apache module mod_remoteip
via an ApacheConfigFilter.
Usually an ApacheConfigFilter is enough:
<filter-name>ConfigureRemoteIpFilter</filter-name>
<filter-class>ch:nevis:navajo:apglue:httpd_${HTTPD_LIB_VERSION}_x:servlet:ApacheConfigFilter</filter-class>
<init-param>
<param-name>ServerConfig</param-name>
<param-value>
LoadModule remoteip_module /opt/nevisproxy/lib/libmetadata_ap_2_4.so.1
RemoteIPHeader X-Forwarded-For
</param-value>
</init-param>
You can use this configuration if you trust the component between nevisproxy and the frontend to always set the X-Forwarded-For
and never pass one which may have been set by the frontend.
To be on the safe side and avoid that malicious clients could fake their IP addresses, you can use the directive RemoteIPTrustedProxy
like this:
<filter>
<filter-name>ConfigureRemoteIpFilter</filter-name>
<filter-class>ch:nevis:navajo:apglue:httpd_${HTTPD_LIB_VERSION}_x:servlet:ApacheConfigFilter</filter-class>
<init-param>
<param-name>ServerConfig</param-name>
<param-value>
LoadModule remoteip_module /opt/nevisproxy/lib/libmetadata_ap_2_4.so.1
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 10.0.2.16/28
RemoteIPTrustedProxy proxy.example.com
</param-value>
</init-param>
</filter>
You can find a full example under /opt/nevisproxy/examples/apache_module/RestrictAccessByLocation.example
on the host where nevisproxy has been installed.
Here you can find more information about the apache module mod_remoteip
: https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html