nginx TCP forwarding with GeoIP

CentOS 7.8

nginx version: nginx/1.18.0

yum install nginx-module-geoip

yum install GeoIP GeoIP-data

Then, GeoIP runs well with HTTP(S).

I need nginx to forward a TCP port, which is only open to CN. Add to nginx.conf:

stream {
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/tcp-access.log proxy ;
    open_log_file_cache off;
    include tcpconf.d/*.conf;
}

xxxx.com.conf

server {
    listen   11111;
 
    proxy_pass  127.0.0.1:31688;
}

Forwarding 11111 to 31688 works OK.

add to server{

restart error


Solution 1:

Your problem is with "if", which you should avoid as much as possible. Have a look at e.g. nginx config example for another way.

There, a map is used to test the country code. A very simple version would be:

map $geoip_country_code $allow_visit {
    default no;
    CN yes;
    BE yes;
}
 
server{
  if ($allow_visit = no) {
    return 403;
  }
}

But this can't be used by stream, since "if" is part of the http_rewrite module. See e.g. if in stream. I tried the following construct with success:

http {
  server {
    listen 9998;
    return 403;
  }
}

stream {
  geoip_country         /usr/share/GeoIP/GeoIP.dat;
  map $geoip_country_code $be_server {
    BE   127.0.0.1:9997;
    default 127.0.0.1:9998;

  }
  server {
    listen 9999;
    proxy_pass  $be_server;
  }
  server {
    listen 9997;
    proxy_pass 127.0.0.1:8889;
  }
}

Only requests from Belgium are allowed.
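The same map technique applied to the question's ports (11111 forwarded to 127.0.0.1:31688, CN only), as an added example that is not part of the original question or answer. It assumes the stream GeoIP module from the nginx-module-geoip package is loaded with load_module; port 31689, the variable name $tcp_backend and the log format name proxy_geo are constructed for illustration.

```nginx
# Main context, top of nginx.conf (assumption: module file installed by nginx-module-geoip)
load_module modules/ngx_stream_geoip_module.so;

stream {
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Choose the upstream from the client's country; no "if" is needed.
    # Clients with an unknown country (empty code) fall through to default.
    map $geoip_country_code $tcp_backend {
        CN      127.0.0.1:31688;   # real service from the question
        default 127.0.0.1:31689;   # constructed port: local reject listener
    }

    # Log the country code so the filter's decisions can be audited.
    log_format proxy_geo '$remote_addr $geoip_country_code [$time_local] '
                         '$protocol $status "$upstream_addr" '
                         '$bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/tcp-access.log proxy_geo;

    server {
        listen 11111;              # public port
        proxy_pass $tcp_backend;
    }

    # Reject listener (ngx_stream_return_module): sends nothing and closes.
    # Bound to loopback so it is reachable only through the map above.
    server {
        listen 127.0.0.1:31689;
        return "";
    }
}
```

Mapping CN straight to the backend avoids an intermediate listener; any helper listener that must exist should bind to 127.0.0.1 so it cannot be reached without passing the country check.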