Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:cache:common:geoip-support [2019/01/08 19:29] Lisa Clarke [Example 1: Block wp-login.php from certainty countries] |
litespeed_wiki:cache:common:geoip-support [2019/04/17 15:05] Lisa Clarke [Out of date database caused IP not blocked] Copyediting |
||
|---|---|---|---|
| Line 26: | Line 26: | ||
| /usr/share/GeoIP/GeoLite2-Country.mmdb | /usr/share/GeoIP/GeoLite2-Country.mmdb | ||
| | | ||
| - | === Setup database file path === | + | === Set up Database File Path and Name === |
| - | In LSWS WebAdmin, configure the database location. Navigate to **Configuration > Server > General > General settings** and set **[[https://www.litespeedtech.com/docs/webserver/config/general#geolocationDB|IP to GeoLocation DB]]** to the database path. | + | In LSWS WebAdmin, configure the database location and name(Both **DB File Path** and **DB Name** are mandatory and can not be empty). Your choice of DB name is important: you must use ''COUNTRY_DB'' for a country database, and ''CITY_DB'' for a city database. Navigate to **Configuration > Server > General > General settings** and set **[[https://www.litespeedtech.com/docs/webserver/config/general#geolocationDB|IP to GeoLocation DB]]** to the database path. Then set **DB Name** to ''COUNTRY_DB'' or ''CITY_DB''. **Environment Variables** and **Notes** are optional. |
| - | Alternatively, you can edit the LSWS configuration file directly: | + | {{ :litespeed_wiki:cache:common:litespeed-enable-geoip2-11.png?800 |}} |
| + | |||
| + | {{ :litespeed_wiki:cache:common:litespeed-enable-geoip2-22.png?800 |}} | ||
| + | |||
| + | Alternately, you can edit the LSWS configuration file directly: | ||
| <code> vi /usr/local/lsws/conf/httpd_config.xml</code> | <code> vi /usr/local/lsws/conf/httpd_config.xml</code> | ||
| Line 37: | Line 41: | ||
| <geoipDB> | <geoipDB> | ||
| <geoipDBFile>/usr/share/GeoIP/GeoLite2-Country.mmdb</geoipDBFile> | <geoipDBFile>/usr/share/GeoIP/GeoLite2-Country.mmdb</geoipDBFile> | ||
| + | <geoipDBName>COUNTRY_DB</geoipDBName> | ||
| </geoipDB> | </geoipDB> | ||
| </ipToGeo> | </ipToGeo> | ||
| </code> | </code> | ||
| + | |||
| + | ==== Advanced Configuration:GEOIP2 Environment Variables ==== | ||
| + | |||
| + | The full power of GeoIP2 requires the use of environment variables in the LiteSpeed configuration. The format used is designed to be as similar as possible to the Apache ''mod_maxminddb'' environment described [[https://github.com/maxmind/mod_maxminddb|here]] ,specifically for the ''MaxMindDBEnv'' variable. Each environment variable is specified in the environment text box as one line: | ||
| + | |||
| + | * The name of the environment variable that will be exported, for example ''GEOIP_COUNTRY_NAME'' | ||
| + | * A space | ||
| + | * The logical name of the environment variable, which consists of: | ||
| + | * The name of the database as specified in the **DB Name** field as the prefix. For example, ''COUNTRY_DB'' | ||
| + | * A forward slash ''/'' | ||
| + | * The name of the field as displayed in ''mmdblookup''. For example: ''country/names/en'' | ||
| + | |||
| + | Thus the default generates: | ||
| + | |||
| + | GEOIP_COUNTRY_NAME COUNTRY_DB/country/names/en | ||
| + | |||
| + | If you wanted the country code to be displayed in Spanish, you would enter the environment variable: | ||
| + | |||
| + | GEOIP_COUNTRY_NAME COUNTRY_DB/country/names/es | ||
| + | |||
| + | Note that if a variable is used by multiple databases (for example, the default ''GEOIP_COUNTRY_NAME''), you need to override the value in the last database specified (or all databases in case they get reordered, just to be safe). | ||
| + | |||
| + | Note that ''subdivisions'' is an array and must be referenced by index (usually ''0'' or ''1''). | ||
| + | |||
| + | The default environment variables vary by database and are designed to be as similar to the legacy GeoIP environment variables as possible. | ||
| + | |||
| + | Our default list is: | ||
| + | |||
| + | "GEOIP_COUNTRY_CODE", "/country/iso_code" | ||
| + | "GEOIP_CONTINENT_CODE", "/continent/code" | ||
| + | "GEOIP_REGION", "/subdivisions/0/iso_code" | ||
| + | "GEOIP_METRO_CODE", "/location/metro_code" | ||
| + | "GEOIP_LATITUDE", "/location/latitude" | ||
| + | "GEOIP_LONGITUDE", "/location/longitude" | ||
| + | "GEOIP_POSTAL_CODE", "/postal/code" | ||
| + | "GEOIP_CITY", "/city/names/en" | ||
| + | |||
| + | You can customize the configuration to add the environment variables you want as describe above. | ||
| + | |||
| + | === Example 1 === | ||
| + | Make sure the entry name is correct. | ||
| + | |||
| + | You can add the following: | ||
| + | GEOIP_REGION_NAME CITY_DB/subdivisions/0/names/en | ||
| + | Please make sure the correct entry name is used. For example, the following is incorrect. | ||
| + | GEOIP_REGION_NAME CITY_DB/subdivisions/0/name/en | ||
| + | |||
| + | === Example 2 === | ||
| + | You can customize a name as ''MyTest_COUNTRY_CODE'', like so: | ||
| + | MyTest_COUNTRY_CODE CITY_DB/country/iso_code | ||
| + | | ||
| + | {{ :litespeed_wiki:cache:common:litespeed-geoip2-variables-e1.png?800 |}} | ||
| + | |||
| + | It will show on the ''phpinfo.php'' page as: | ||
| + | _SERVER["MyTest_COUNTRY_CODE"] US | ||
| + | ''US'' will be replaced by the country code you are visiting from, such as ''SG'' or others. | ||
| + | |||
| + | === Example 3 === | ||
| + | You can customize a name as ''MyTest2_COUNTRY_CODE'' by using a defined COUNTRY DB name ''COUNTRY_DB_20190402'' with a country database. | ||
| + | MyTest2_COUNTRY_CODE COUNTRY_DB_20190402/country/iso_code | ||
| + | {{ :litespeed_wiki:cache:common:litespeed-geoip2-variables-e2.png?800 |}} | ||
| + | It will show on the ''phpinfo.php'' page as: | ||
| + | _SERVER["MyTest2_COUNTRY_CODE"] US | ||
| + | |||
| + | === Example 4 === | ||
| + | |||
| + | You can customize all of the following: | ||
| + | HTTP_GEOIP_CITY CITY_DB/city/names/en | ||
| + | HTTP_GEOIP_POSTAL_CODE CITY_DB/postal/code | ||
| + | HTTP_GEOIP_CITY_CONTINENT_CODE CITY_DB/continent/code | ||
| + | HTTP_GEOIP_CITY_COUNTRY_CODE CITY_DB/country/iso_code | ||
| + | HTTP_GEOIP_CITY_COUNTRY_NAME CITY_DB/country/names/en | ||
| + | HTTP_GEOIP_REGION CITY_DB/subdivisions/0/iso_code | ||
| + | HTTP_GEOIP_LATITUDE CITY_DB/location/latitude | ||
| + | HTTP_GEOIP_LONGITUDE CITY_DB/location/longitude | ||
| + | |||
| + | {{ :litespeed_wiki:cache:common:litespeed-geoip2-variables-e4-1.png?600 |}} | ||
| + | |||
| + | It will show on the ''phpinfo.php'' page as: | ||
| + | _SERVER["HTTP_GEOIP_CITY"] Montville | ||
| + | _SERVER["HTTP_GEOIP_POSTAL_CODE"] 07045 | ||
| + | _SERVER["HTTP_GEOIP_CITY_CONTINENT_CODE"] NA | ||
| + | _SERVER["HTTP_GEOIP_CITY_COUNTRY_CODE"] US | ||
| + | _SERVER["HTTP_GEOIP_CITY_COUNTRY_NAME"] United States | ||
| + | _SERVER["HTTP_GEOIP_REGION"] NJ | ||
| + | _SERVER["HTTP_GEOIP_LATITUDE"] 40.90490 | ||
| + | _SERVER["HTTP_GEOIP_LONGITUDE"] -74.36460 | ||
| + | |||
| + | {{ :litespeed_wiki:cache:common:litespeed-geoip2-variables-e4-2.png?400 |}} | ||
| ==== MaxMind Legacy Database ==== | ==== MaxMind Legacy Database ==== | ||
| Line 121: | Line 215: | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| ==== ''GeoIPDBFile'' directive is for Apache, not LSWS ==== | ==== ''GeoIPDBFile'' directive is for Apache, not LSWS ==== | ||
| - | In Apache, you can use ''GeoIPDBFile'' directive to define the database, however it can not be used for LiteSpeed. You should follow the beginning step of this wiki to define the databaes path from LSWS Web Admin Console or at LSWS configureation file directly. | + | In Apache, you can use ''GeoIPDBFile'' directive to define the database, however it cannot be used for LiteSpeed. You should follow the beginning steps in this wiki to define the database path from LSWS Web Admin Console or the LSWS configuration file directly. |
| - | ==== Why infinite redirect for my GeoIP rewrite Rules ==== | + | ==== GeoIP Rewrite Rules Infinite Loop ==== |
| - | A user would like to setup GeoIP rules to direct traffic to main domain's subfolder based on IPs. The following rules have been set in .htaccess, however, it seems to come to redirect loop hence claimed GeoIP was not working properly. | + | A user would like to set up GeoIP rules to direct traffic to the main domain's subfolder based on IP. The following rules have been set in .htaccess, however, it seems to cause a redirect loop. |
| RewriteEngine on | RewriteEngine on | ||
| RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^US$ | RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^US$ | ||
| Line 134: | Line 228: | ||
| RewriteRule ^(.*)$ https://www.example.com/my/$1 [R,L] | RewriteRule ^(.*)$ https://www.example.com/my/$1 [R,L] | ||
| - | If it came to a redirect loop, it means GeoIP module was actually working. How the redirect loop occurs? While for such subfolder redirect, you might need to be more careful. The reason you get a redirect error, is because the rules will be evaluated again after the redirect has been performed, so if you access ''/'' it gets redirected to e.g. ''/us'', then on ''/us'', it will be asked to redirect again to ''/us'' - and you end up with a loop. The fix is to add an additional condition to prevent this, such as ''RewriteCond %{REQUEST_URI} !^/us[NA]''. So what it does, is to only redirect to /us if country code from the GeoIP matches US and the request URI doesn't start with /us. | + | The redirect loop actually indicates the the GeoIP module is working. |
| + | |||
| + | The redirect error happens because the rules are evaluated again //after// the redirect is performed. So, if you access ''/'', and it gets redirected to e.g. ''/us'', then on ''/us'', it will be asked to redirect //again// to ''/us'' - and you end up with a loop. The fix is to add an additional condition to prevent this, such as ''RewriteCond %{REQUEST_URI} !^/us[NA]''. This way, you only redirect to ''/us'' if the country code from GeoIP matches US //and// the request URI doesn't already start with ''/us''. | ||
| The final rules should be: | The final rules should be: | ||
| Line 149: | Line 245: | ||
| RewriteRule ^(.*)$ https://www.example.com/my/$1 [R,L] | RewriteRule ^(.*)$ https://www.example.com/my/$1 [R,L] | ||
| | | ||
| - | ==== Please clarify what do you mean ''GeoIP not working''==== | + | ==== Be more specific than "GeoIP not working"==== |
| - | Quite often we received report claiming ''GeoIP not working''. It is a little vague/confused that if ''GeoIP module not working''? or ''GeoIP rewrite rules do not work as expected''? You 'd better to clarify the above first before logging any ticket. | + | Quite often we receive a report claiming that "GeoIP is not working"". This is too vague. Is the GeoIP module note working? Or are the GeoIP rewrite rules not working as expected? It's best to clarify before logging any ticket. |
| - | ''GeoIP module not working'' can be easily verified through the following (change the country code ''US'' to your country code accordingly): | + | Whether the GeoIP module is working can be easily verified through the following (change the country code ''US'' to your country code accordingly): |
| <code> | <code> | ||
| Line 162: | Line 258: | ||
| </code> | </code> | ||
| | | ||
| - | If it returns 404, then it means GeoIP module is actually working. | + | If it returns ''403 forbidden'', then it means the GeoIP module is actually working. |
| | | ||
| - | ''GeoIP rewrite rules do not work as expected" could be more complicated. You will need to check the rules to see any bug there, such as redirect loop. When needed, you can log a ticket with us with the rules set not working as expected and more detailed test example for us to take a further look. | + | GeoIP rewrite rules that do not work as expected may be more complicated. You will need to check the rules to look for issues such as a redirect loop. When needed, you can log a ticket with us. Let us know the rules set is not working as expected, and provide a more detailed test example for us to take a further look. |
| + | |||
| + | ==== IP Not Blocked Due to Out-of-date Database ==== | ||
| + | A user set up the following at ''/etc/apache2/conf.d/userdata/geoip.conf'': | ||
| + | |||
| + | <IfModule mod_geoip.c> | ||
| + | RewriteEngine on | ||
| + | RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(GB|DK|US|IN)$ | ||
| + | RewriteRule (wp-login|xmlrpc)\.php$ - [F,L] | ||
| + | </IfModule> | ||
| + | |||
| + | Testing from an IP in NG/Nigeria/- ''x.x.x.x'', it should be blocked but it is not. | ||
| + | |||
| + | Further analysis shows the above IP belongs to North Carolina, US in the downloaded MaxMind database. It looks like the record on that old database is incorrrect. If the database is not kept up to date, it will result in incorrect information. | ||
| + | |||
| + | You can keep the database up to date from time to time manually by doing a direct download, or you can use the [[https://dev.maxmind.com/geoip/geoipupdate/|geoipupdate tool]], so your system automatically keeps the file up to date whenever MaxMind publishes an update. | ||