如何仅使用反向代理实现 nginx geoip 模块

Question

This is nginx 1.19.5 I have reverse proxy server where I am hosting around 20 sites behind nginx reverse proxy server. This reverse proxy server only used for reverse proxy purpose and no local web server is running on it.

I need to implement geoip blocking but what I understood from the document is

map $geoip_country_code $allowed_country

variable to has to be set in http section and then

if ($allowed_country = no) {
  return 444;
  }

Can be called in server section. This is fine if I am hosting one site what if in case of mutiple sites? In this case suppose

siteA.exampe.com need to have access blocked from CN While siteB.example.com needs to have access allowed from CN

How do I achieve it?

Answer 1

I have a great answer about why map is in the http context only:

DR;TL Variables in NGINX are always global and once defined accessable from anywhere in the configration. Therfore it would not make any sense to define a map in a server or location block.

nginx map directive: why is it allowed only on http level?

So that saying regardless where your map is loacted the value of $allowed_country will be assigned once you access to variable. So its totally fine to have the map on the server level and do the checks in your server or location blocks.

I would use another map having server_names and a list of blocked countries. Then a little njs-function can take care of the check if the country from geo-ip is allowed or not.

Just remember: If is evil. Use it carefully:

https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/