ERPNext - Country wise restriction using Nginx and GeoIP2



As hackers try every day to attack systems around the world, we all want to protect our systems without giving intruders any chance. We already have articles and videos here about many of the steps you need to take for protection, but one of the best is to allow access only from the countries that need it.


As most of the attacks on Saudi Arabia and other Gulf countries come from outside the region, it is better to stop any access from outside it. If a company needs to access the system from a particular country outside the region, we can open that specific country only. This is one method we adopt for all our ERPNext servers in Saudi Arabia, Kuwait, Dubai, Bahrain and Qatar.


See the technical details below.



This guide is applicable to Ubuntu 22+ and Nginx 1.18+.

Make sure you have a file named *-mod-http-geoip2.conf under /etc/nginx/modules-enabled (if you don't have it, you need to install the GeoIP2 dynamic module for Nginx; please contact our support).


1- Get the GeoIP2 file first

wget -O /usr/share/GeoIP/GeoLite2-Country.mmdb https://git.io/GeoLite2-Country.mmdb


2- Edit the file /etc/nginx/nginx.conf and add the following lines (inside the http block)

vim /etc/nginx/nginx.conf

geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_data_continent_code   continent code;
    $geoip2_data_country_iso_code country iso_code;
}

3- Edit /etc/nginx/conf.d/your-configuration-file.conf


vim /etc/nginx/conf.d/your-configuration-file.conf


map $geoip2_data_country_iso_code $allowed_country {
    default no;
    QA yes;
    SA yes;
    KW yes;
    AE yes;
    OM yes;
    BH yes;
    '' yes;  # empty country code: IPs not listed in the database are allowed
}

geo $exclusions {
    default 0;
    78.78.8.0/24 1;  # any IP or block you want to exclude from blocking
}

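4- In the same file as above, but inside the server block

if ($allowed_country = yes) {
    set $exclusions 1;  # allowed countries are treated like excluded IPs
}

if ($exclusions = "0") {
    return 503;  # neither an allowed country nor an excluded IP
}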


That's it.

-------------------


Testing country IP


mmdblookup is the tool for testing (if you don't have it, install it with apt-get install mmdb-bin).


mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 212.77.192.59


------------------

Script for updating new IP addresses, every 20 days

crontab -e

0 0 */20 * * wget -O /usr/share/GeoIP/GeoLite2-Country.mmdb https://git.io/GeoLite2-Country.mmdb
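
Added example, not part of the original article: the cron entry above writes the download straight over the live database, so a failed or truncated download replaces a working file. The script below downloads to a temporary file, checks it with mmdblookup, and only then swaps it in and reloads Nginx. The function names, the `--run` switch and the reload step are assumptions; the URL, path and probe IP are the ones used in this guide.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: validate a GeoLite2 download
# before it replaces the live database.
DB_URL="https://git.io/GeoLite2-Country.mmdb"      # URL used in this guide
DB_PATH="/usr/share/GeoIP/GeoLite2-Country.mmdb"   # path used in this guide
PROBE_IP="212.77.192.59"                           # test IP used in this guide

# validate_mmdb FILE (hypothetical helper): succeed only if FILE is non-empty
# and mmdblookup resolves PROBE_IP to a two-letter ISO country code in it.
validate_mmdb() {
    local file="$1" out
    [ -s "$file" ] || { echo "reject: empty or missing file" >&2; return 1; }
    command -v mmdblookup >/dev/null 2>&1 ||
        { echo "reject: mmdblookup not installed" >&2; return 1; }
    out=$(mmdblookup --file "$file" --ip "$PROBE_IP" country iso_code 2>/dev/null) ||
        { echo "reject: not a readable MaxMind database" >&2; return 1; }
    printf '%s\n' "$out" | grep -Eq '"[A-Z]{2}"' ||
        { echo "reject: probe IP has no country code" >&2; return 1; }
}

# install_mmdb CANDIDATE TARGET (hypothetical helper): swap TARGET for
# CANDIDATE with an atomic rename, but only after validation succeeds.
install_mmdb() {
    local candidate="$1" target="$2"
    validate_mmdb "$candidate" || return 1
    chmod 644 "$candidate" && mv -f "$candidate" "$target"
}

# update_geoip: download next to the live file (same filesystem, so the rename
# is atomic), install it, then reload Nginx. The reload is an assumption: it
# is needed unless the geoip2 block is configured to re-read the file itself.
update_geoip() {
    local tmp
    tmp=$(mktemp "${DB_PATH}.XXXXXX") || return 1
    if wget -q -O "$tmp" "$DB_URL" && install_mmdb "$tmp" "$DB_PATH"; then
        nginx -t -q && systemctl reload nginx
    else
        rm -f "$tmp"
        echo "GeoIP update skipped, current database kept" >&2
        return 1
    fi
}

# Run only when called as "script --run", so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then update_geoip; fi
```

The cron entry can then call this script with `--run` in place of the bare wget command.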



Country codes for Gulf countries

QA  Qatar

SA  Saudi Arabia (KSA)

KW  Kuwait

AE  United Arab Emirates (UAE)

OM  Oman

BH  Bahrain

Companies in this region commonly also need India (IN).


Cloud support

The Cloud support team provides hosting-related support and technology updates, covering technologies like cloud printing, Cloud PBAX, VoIP, Kubernetes, Ubuntu, Linux etc. Contact us at support@ERPGulf.com
