Only certain countries can access particular route

nginx phpmyadmin

I am using nginx/1.18.0 (Ubuntu) on an Ubuntu 20.04.1 LTS machine.

I have a laravel project and phpmyadmin running.

My /etc/nginx/sites-enabled/example-application file looks like the following:

server {
    listen 80;
    server_name http://78.46.214.238/;
    root /var/www/demo_laravel_nlg-generation/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    # phpMyAdmin:
    location /phpmyadmin {
        root /usr/share;
        index index.php;
    }
    # PHP files for phpMyAdmin:
    location ~ ^/phpmyadmin(.+\.php)$ {
        root /usr/share;
        index index.php;
        #fastcgi_read_timeout 300;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

}

To secure my web phpmyadmin interface I was thinking to block certain countries or even regions or allow only specific IPs from accessing my \phpmyadmin route, however my web applications should still be accessible for everyone.

Any suggestions how to do this in my /etc/nginx/sites-enabled/example-application file?

I really appreciate your replies!


Solution 1:

To allow just add this to your /etc/nginx/sites-enabled/example-application

allow   allowed.public.ip.here;
deny    all;

allowed.public.ip.here can be change to a IP (an example 1.1.1.1) or subnets IP class(an example 1.1.0.0/16 to block IP range from 1.1.0.0 to 1.1.255.255). an example:

location ~ ^/phpmyadmin(.+\.php)$ {
    allow   1.1.0.0/16;
    deny    all;
    root /usr/share;
    index index.php;
    #fastcgi_read_timeout 300;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

To block certain countries, you need GeoIp module. But I don't recommend it because affect the performance on low spec server. But if you want just install the Geo IP DB on your Ubuntu using below command;

apt-get install geoip-database libgeoip1

and then add this to your config:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {
   default yes;
   US no;
   CA no;
}

above example is to block US n Canada.

To block region/continent you can use new DB of GeoIP, you can follow these steps but I didn't test it yet

Related

Unable to start MySQL on CentOS
raidz1 6x4TB = 16.9t?
Hands-on experience configuring a virtual network [closed]
Why does df say my EFS disk has a capacity of 8 Exabytes?
How to validate email From: address with authenticated user (prevent sender/login mismatch) in dovecot submission server?
HAProxy timeouts after 1-2 minutes of load
execute sub command within xargs
How to quickly navigate/jump between functions on emacs?
How to configure firefox built-in pdf viewer
Why does cron only offer minute granularity?
vncserver -localhost and ssh tunneling
How to ASCII-armor my public key without installing GPG?