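# Reverse proxy for mon-domaine.com over TLS.
# `ssl on;` is deprecated and rejected by nginx >= 1.25.1; the `ssl` parameter
# on `listen` is the replacement.
server {
    listen 443 ssl;
    server_name mon-domaine.com;

    ssl_certificate     /etc/nginx/ssl/mon-domaine.com.pem;
    ssl_certificate_key /etc/nginx/ssl/mon-domaine.com.key;
    ssl_session_cache   shared:SSL:10m;

    # Config for one specific path.
    location /mon-repertoire {
        # Ask the backend for an uncompressed body: sub_filter cannot rewrite
        # gzip-compressed HTML.
        proxy_set_header Accept-Encoding "";
        # sub_filter rewrites text in the HTML the backend returns;
        # sub_filter_once off replaces every occurrence, not only the first.
        sub_filter_once off;
        sub_filter "http://mon-url-interne/" "https://mon-url-externe.com/";
        proxy_pass http://mon-server-interne/mon-repertoire;
        # Force https: rewrite Location/Refresh headers sent by the backend.
        proxy_redirect http:// https://;
    }

    # Config for every other path.
    location / {
        # WebSocket upgrades need HTTP/1.1 towards the backend.
        proxy_http_version 1.1;
        proxy_pass http://mon-server-interne:3000/;
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade is not a built-in variable: it must be declared once
        # in the http context, e.g.
        #   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
        # otherwise nginx refuses to start with `unknown "connection_upgrade" variable`.
        proxy_set_header Connection $connection_upgrade;
    }
}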
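# Catch-all plain-HTTP vhost (answers any Host header not matched by another server).
server {
    # `default` is the pre-0.8.21 spelling; `default_server` is the current form.
    listen 80 default_server;
    server_name test.local;

    location / {
        # Pass the real client address to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        # Deliberately $remote_addr rather than $proxy_add_x_forwarded_for: any
        # client-supplied X-Forwarded-For is discarded instead of being appended
        # to, so the backend cannot be handed a spoofed chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;

        # On a certain condition...
        # BEWARE: `if` is evaluated in the rewrite phase, before nginx has read the
        # request body, so $request_body is normally empty here and this condition
        # cannot match as written. Test $request_uri / $arg_* / a header instead,
        # or make the decision in the backend.
        if ($request_body ~* ^(.*)\.test) {
            # Host is still $http_host (the client's value), which this third-party
            # upstream will not recognise; set Host explicitly when proxying outside.
            proxy_pass http://www.google.de;
            break;
        }
        root /srv/http;
    }
}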
Créer un compte gratuit sur https://www.maxmind.com/ (la clé de licence générée est un secret : ne pas la versionner ni la laisser lisible par tous).
# Debian/Ubuntu package providing the nginx geoip2 dynamic module
# (the module is what defines the `geoip2` directive used further down).
apt install libnginx-mod-http-geoip2
Installation de geoipupdate pour télécharger et maintenir à jour la base de données des GeoIP
Doc → https://github.com/maxmind/geoipupdate?tab=readme-ov-file
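# Pin the release once so the download and install steps cannot drift apart.
GEOIPUPDATE_VERSION=7.1.0
wget "https://github.com/maxmind/geoipupdate/releases/download/v${GEOIPUPDATE_VERSION}/geoipupdate_${GEOIPUPDATE_VERSION}_linux_amd64.deb"
# This .deb is installed as root: check it against the checksums published on the
# same GitHub release page before running dpkg
# (sha256sum --check <checksums file from the release>; TODO: filename per release).
dpkg -i "geoipupdate_${GEOIPUPDATE_VERSION}_linux_amd64.deb"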
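# configuration
vi /etc/GeoIP.conf

# GeoIP.conf file for `geoipupdate` program, for versions >= 3.1.1.
# Used to update GeoIP databases from https://www.maxmind.com.
# For more information about this config file, visit the docs at
# https://dev.maxmind.com/geoip/updating-databases.

# `AccountID` is from your MaxMind account.
AccountID YOUR_ACCOUNT_ID_HERE

# `LicenseKey` is from your MaxMind account.
LicenseKey YOUR_LICENSE_KEY_HERE

# `EditionIDs` is from your MaxMind account.
# EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
# GeoLite2-ASN is listed as well because the nginx geoip2.conf further down
# opens GeoLite2-ASN.mmdb; nginx refuses to start if that file is missing.
EditionIDs GeoLite2-Country GeoLite2-ASN

# The file holds the license key: make it readable by root only
# (cron runs geoipupdate as root, so nothing else needs to read it).
chmod 600 /etc/GeoIP.conf

# Run GeoIP update (the binary is `geoipupdate`, not `geoipdate`)
geoipupdate
# Downloads the databases to /usr/share/GeoIP/GeoLite2-Country.mmdb (and GeoLite2-ASN.mmdb)

# Add to cron: Mondays and Thursdays at 02:32
32 2 * * 1,4 /usr/bin/geoipupdate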
Pour Nginx
# Config file telling the nginx geoip2 module where the databases live.
# NOTE(review): `geoip2` blocks belong in the http context; on Debian-style
# layouts conf.d/*.conf is included there, confirm for other layouts.
vi /etc/nginx/conf.d/geoip2.conf
# Country database: defines $geoip2_data_country_code (ISO 3166-1 alpha-2, e.g. "CH").
# Lookups use $remote_addr by default. Behind a CDN/load balancer every client
# resolves to the proxy's country; the per-variable `source=` option can point
# at X-Forwarded-For, but only when a trusted hop sets that header, since
# clients can forge it.
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_data_country_code country iso_code;
    # Re-check the file hourly so the cron-driven geoipupdate refresh is picked up.
    auto_reload 1h;
}

# ASN database: defines $geoip2_data_isp (autonomous system organisation).
# Requires GeoLite2-ASN in EditionIDs of /etc/GeoIP.conf; nginx fails to start
# when the .mmdb file is absent.
geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
    $geoip2_data_isp autonomous_system_organization;
    auto_reload 1h;
}
Tester
# CLI tool to query .mmdb files directly: sanity check of the downloaded database.
apt install mmdb-bin
# Look up a public IP. Private ranges (10/8, 192.168/16, ...) are normally absent
# from the database and return no record, so test with a routable address.
mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 152.65.252.11
{
"continent":
{
"code":
"EU" <utf8_string>
"geoname_id":
6255148 <uint32>
"names":
{
"de":
"Europa" <utf8_string>
"en":
"Europe" <utf8_string>
"es":
"Europa" <utf8_string>
"fr":
"Europe" <utf8_string>
"ja":
"ヨーロッパ" <utf8_string>
"pt-BR":
"Europa" <utf8_string>
"ru":
"Европа" <utf8_string>
"zh-CN":
"欧洲" <utf8_string>
}
}
"country":
{
"geoname_id":
2658434 <uint32>
"iso_code":
"CH" <utf8_string>
"names":
{
"de":
"Schweiz" <utf8_string>
"en":
"Switzerland" <utf8_string>
"es":
"Suiza" <utf8_string>
"fr":
"Suisse" <utf8_string>
"ja":
"スイス連邦" <utf8_string>
"pt-BR":
"Suíça" <utf8_string>
"ru":
"Швейцария" <utf8_string>
"zh-CN":
"瑞士" <utf8_string>
}
}
"registered_country":
{
"geoname_id":
6252001 <uint32>
"iso_code":
"US" <utf8_string>
"names":
{
"de":
"USA" <utf8_string>
"en":
"United States" <utf8_string>
"es":
"Estados Unidos" <utf8_string>
"fr":
"États Unis" <utf8_string>
"ja":
"アメリカ" <utf8_string>
"pt-BR":
"EUA" <utf8_string>
"ru":
"США" <utf8_string>
"zh-CN":
"美国" <utf8_string>
}
}
}
Config pour restreindre l'accès à un chemin par pays (le pays est déduit de l'IP vue par nginx, $remote_addr)
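# TLS vhost: /restricted_page is only served to clients geolocated in FR, IT or CH.
server {
    server_name toto.com; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/toto.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/toto.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Prefix match: also covers /restricted_page/... and /restricted_pageXYZ.
    location /restricted_page {
        # Anchored so only an exact 2-letter code passes. An empty/unknown code
        # (IP absent from the database, private address) is rejected too:
        # the check fails closed.
        if ($geoip2_data_country_code !~* "^(FR|IT|CH)$") {
            return 403;
        }
        # The lookup is on $remote_addr: behind a CDN/LB every request carries
        # the proxy's country and this becomes all-or-nothing.
        proxy_pass http://192.168.0.1:3000;
    }

    # For debugging
    #location /debug_geoip {
    # default_type text/plain;
    # return 200 "$remote_addr - $geoip2_data_country_code\n";
    #}

    # `geoip2` here is a log_format name that must be declared in the http
    # context; the module does not ship one.
    access_log /var/log/nginx/access.log geoip2;
    # `debug` is extremely verbose and fills the disk under load (and needs a
    # --with-debug build); drop back to warn/error once the lookup is confirmed.
    error_log /var/log/nginx/error.log debug;
}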
# Plain-HTTP listener: redirect toto.com to HTTPS, answer 404 to any other Host.
server {
    listen 80 ;
    listen [::]:80 ;
    server_name toto.com;

    # Only the expected Host is redirected; anything else falls through to the 404.
    if ($host = toto.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}