dancgn
(dancgn)
December 10, 2024, 4:39pm
1
1. The problem I’m having:
I'm trying to get geoblocking working.
2. Error messages and/or full log output:
Access denied
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
4. How I installed and ran Caddy:
bare metal on a raspberry 4 with DietpiOS
a. System environment:
DietpiOS 9.8.0 ARM64 Raspberry
c. Service/unit/compose file:
```
(mygeofilter) {
	@mygeofilter {
		maxmind_geolocation {
			allow_countries DE
			db_path /usr/share/GeoIP/GeoLite2-Country.mmdb
		}
	}
	respond @mygeofilter "Access Denied" 403
}

my.example.de {
	import cloudflare
	import secure-headers
	import mygeofilter
	encode gzip
	reverse_proxy 192.168.0.0:12345 {
		transport http {
			tls_insecure_skip_verify
		}
	}
	log {
		output file /var/log/caddy/dsm.access.log
		format json
	}
}
```
The plugin is installed and working. I want to “ban” all countries except Germany (DE). But I’m in Germany and I didn’t get access.
Second try is only to deny_countries like RU UNK CH, but that working either.
Thanks for help
Bruce5051
(Bruce)
December 10, 2024, 4:52pm
2
Hi @dancgn ,
Since that quoted above is working, but not working
You might need to check the integrity of the database, making sure DE is in it properly.
dancgn
(dancgn)
December 10, 2024, 5:06pm
3
Of course it’s not working either. Sorry…
Check the integrity of the db? Peh, I don’t know how?!? Just downloaded from Maxmind and set a cron to update the file daily. DE seems the right code for Germany.
stbu
(Steffen)
December 10, 2024, 5:27pm
4
Try to enable `debug` in global options and check log output. The maxmind matcher has debug logging statements, so this could reveal the issue.
1 Like
dancgn
(dancgn)
December 10, 2024, 5:47pm
5
Okay, in the journal this is the only line with geolocation:
Dez 10 18:42:48 caddy caddy[2430921]: {"level":"debug","ts":1733852568.3902059,"logger":"http.matchers.maxmind_geolocation","msg":"Detected MaxMind data","ip":"84.44.197.76","country":"DE","subdivisions":"","metro_code":0,"asn":0}
stbu
(Steffen)
December 10, 2024, 6:48pm
6
So the matcher will return true if the subsequent debug logs are not appearing like „Country not allowed“
```go
		}
	}
	err = m.dbInst.Lookup(addr, &record)
	if err != nil {
		m.logger.Warn("cannot lookup IP address", zap.String("address", clientIP), zap.Error(err))
		return false
	}
	m.logger.Debug(
		"Detected MaxMind data",
		zap.String("ip", clientIP),
		zap.String("country", record.Country.ISOCode),
		zap.String("subdivisions", record.Subdivisions.CommaSeparatedISOCodes()),
		zap.Int("metro_code", record.Location.MetroCode),
		zap.Int("asn", record.AutonomousSystemNumber),
	)
	if !m.checkAllowed(record.Country.ISOCode, m.AllowCountries, m.DenyCountries) {
		m.logger.Debug("Country not allowed", zap.String("country", record.Country.ISOCode))
		return false
```
And 84.44.197.76 is your IP and you still get the 403, right?
Have a look at the example in the GitHub repository porech/caddy-maxmind-geolocation (Caddy v2 module to filter requests based on source IP geolocation), where the matcher is used for something positive like access to the file_server.
Your example is saying that a matching request (from country Germany) should get the 403.
Try `not` in front of `maxmind_geolocation`, or apply the matcher to the reverse proxy, but be aware of the directive ordering in the Caddyfile, as respond comes before reverse proxy. A `route` would help for that.
3 Likes
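The two fixes suggested in the post above, written out as an added example (not posted by any participant in the thread). The snippet names `geo_deny_others` and `geo_allow_only` and the matcher names `@not_allowed` and `@allowed` are made up for illustration; the database path, country code and upstream address are taken from the original post, and its other directives are left out.

```caddyfile
# Variant A: keep the deny-style `respond`, but invert the matcher so it
# selects requests that are NOT from an allowed country.
(geo_deny_others) {
	@not_allowed {
		not maxmind_geolocation {
			db_path /usr/share/GeoIP/GeoLite2-Country.mmdb
			allow_countries DE
		}
	}
	respond @not_allowed "Access Denied" 403
}

# Variant B: keep the positive matcher and attach it to the proxy.
# `route` keeps the directives in the order written, so the catch-all
# `respond` is only reached by requests the matcher did not select.
(geo_allow_only) {
	@allowed {
		maxmind_geolocation {
			db_path /usr/share/GeoIP/GeoLite2-Country.mmdb
			allow_countries DE
		}
	}
	route {
		reverse_proxy @allowed 192.168.0.0:12345
		respond "Access Denied" 403
	}
}

my.example.de {
	# Variant A in use. For Variant B, import geo_allow_only instead
	# and remove the reverse_proxy line below.
	import geo_deny_others
	reverse_proxy 192.168.0.0:12345
}
```

According to the matcher excerpt quoted in the post above, a failed database lookup makes the matcher return false, so both variants answer 403 for addresses that cannot be looked up.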
dancgn
(dancgn)
December 10, 2024, 6:55pm
7
Ah, now I understand! And it works with a “no” in front of maxmind_geolocation.
Of course, as I read your post I realize my mistake. ChatGPT helps me, but this mistake I didn’t “see”.
Thanks!
2 Likes