====== Nginx ======
===== Config reverse proxy =====
server {
listen 443;
server_name mon-domaine.com;
ssl on;
ssl_certificate /etc/nginx/ssl/mon-domaine.com.pem;
ssl_certificate_key /etc/nginx/ssl/mon-domaine.com.key;
ssl_session_cache shared:SSL:10m;
# config pour un chemin spécifique
location /mon-repertoire {
proxy_set_header Accept-Encoding "";
# sub_filter permet de modifier un texte dans le fichier html renvoyé par nginx
sub_filter_once off;
sub_filter "http://mon-url-interne/" "https://mon-url-externe.com/";
proxy_pass http://mon-server-interne/mon-repertoire;
# forcer à être en https
proxy_redirect http:// https://;
}
# config pour le reste des chemin
location / {
# pour les websocket c'est mieux de spécifier la version du proxy
proxy_http_version 1.1;
proxy_pass http://mon-server-interne:3000/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
server {
listen 80 default;
server_name test.local;
location / {
# permet de transmettre l'ip réel au serveur interne
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
# sur une certaine condition...
if ($request_body ~* ^(.*)\.test) {
proxy_pass http://www.google.de;
break;
}
root /srv/http;
}
}
===== GeoIP2 =====
Créer un compte gratuit sur https://www.maxmind.com/
apt install libnginx-mod-http-geoip2
Installation de geoipupdate pour télécharger et maintenir à jour la base de données des GeoIP
Doc → https://github.com/maxmind/geoipupdate?tab=readme-ov-file
wget https://github.com/maxmind/geoipupdate/releases/download/v7.1.0/geoipupdate_7.1.0_linux_amd64.deb
dpkg -i geoipupdate_7.1.0_linux_amd64.deb
# configuration
vi /etc/GeoIP.conf
# GeoIP.conf file for `geoipupdate` program, for versions >= 3.1.1.
# Used to update GeoIP databases from https://www.maxmind.com.
# For more information about this config file, visit the docs at
# https://dev.maxmind.com/geoip/updating-databases.
# `AccountID` is from your MaxMind account.
AccountID YOUR_ACCOUNT_ID_HERE
# `LicenseKey` is from your MaxMind account.
LicenseKey YOUR_LICENSE_KEY_HERE
# `EditionIDs` is from your MaxMind account.
# EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
EditionIDs GeoLite2-Country
# Run GeoIP update
geoipdate
# Télécharge la bdd ici
/usr/share/GeoIP/GeoLite2-Country.mmdb
# Ajout dans le cron
32 2 * * 1,4 /usr/bin/geoipupdate
Pour Nginx
#Fichier de config pour spécifier l'emplacement de la base de données
vi /etc/nginx/conf.d/geoip2.conf
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
auto_reload 60m;
$geoip2_data_country_code country iso_code;
}
geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
auto_reload 60m;
$geoip2_data_isp autonomous_system_organization;
}
Tester
apt install mmdb-bin
mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 152.65.252.11
{
"continent":
{
"code":
"EU"
"geoname_id":
6255148
"names":
{
"de":
"Europa"
"en":
"Europe"
"es":
"Europa"
"fr":
"Europe"
"ja":
"ヨーロッパ"
"pt-BR":
"Europa"
"ru":
"Европа"
"zh-CN":
"欧洲"
}
}
"country":
{
"geoname_id":
2658434
"iso_code":
"CH"
"names":
{
"de":
"Schweiz"
"en":
"Switzerland"
"es":
"Suiza"
"fr":
"Suisse"
"ja":
"スイス連邦"
"pt-BR":
"Suíça"
"ru":
"Швейцария"
"zh-CN":
"瑞士"
}
}
"registered_country":
{
"geoname_id":
6252001
"iso_code":
"US"
"names":
{
"de":
"USA"
"en":
"United States"
"es":
"Estados Unidos"
"fr":
"États Unis"
"ja":
"アメリカ"
"pt-BR":
"EUA"
"ru":
"США"
"zh-CN":
"美国"
}
}
}
Config pour restreindre par pays
server{
server_name toto.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/toto.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/toto.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location /restricted_page {
if ($geoip2_data_country_code !~* "(FR|IT|CH)") {
return 403;
}
proxy_pass http://192.168.0.1:3000;
}
# Pour débugguer
#location /debug_geoip {
# default_type text/plain;
# return 200 "$remote_addr - $geoip2_data_country_code\n";
#}
access_log /var/log/nginx/access.log geoip2;
error_log /var/log/nginx/error.log debug;
}
server{
if ($host = toto.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name toto.com;
return 404; # managed by Certbot
}