Only certain countries can access particular route

I am using nginx/1.18.0 (Ubuntu) on an Ubuntu 20.04.1 LTS machine.

I have a laravel project and phpmyadmin running.

My /etc/nginx/sites-enabled/example-application file looks like the following:

server {
    listen 80;
    server_name http://78.46.214.238/;
    root /var/www/demo_laravel_nlg-generation/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    # phpMyAdmin:
    location /phpmyadmin {
        root /usr/share;
        index index.php;
    }
    # PHP files for phpMyAdmin:
    location ~ ^/phpmyadmin(.+\.php)$ {
        root /usr/share;
        index index.php;
        #fastcgi_read_timeout 300;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

}

To secure my web phpmyadmin interface I was thinking to block certain countries or even regions or allow only specific IPs from accessing my \phpmyadmin route, however my web applications should still be accessible for everyone.

Any suggestions how to do this in my /etc/nginx/sites-enabled/example-application file?

I really appreciate your replies!


Solution 1:

To allow just add this to your /etc/nginx/sites-enabled/example-application

allow   allowed.public.ip.here;
deny    all;

allowed.public.ip.here can be change to a IP (an example 1.1.1.1) or subnets IP class(an example 1.1.0.0/16 to block IP range from 1.1.0.0 to 1.1.255.255). an example:

location ~ ^/phpmyadmin(.+\.php)$ {
    allow   1.1.0.0/16;
    deny    all;
    root /usr/share;
    index index.php;
    #fastcgi_read_timeout 300;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

To block certain countries, you need GeoIp module. But I don't recommend it because affect the performance on low spec server. But if you want just install the Geo IP DB on your Ubuntu using below command;

apt-get install geoip-database libgeoip1 

and then add this to your config:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {
   default yes;
   US no;
   CA no;
}

above example is to block US n Canada.

To block region/continent you can use new DB of GeoIP, you can follow these steps but I didn't test it yet