Home
Newer & updated contents
Non-daily weblog

Exchange | Board

Files for download
Workshop tutorials
W3 | Directory & Wiki

Artwork : AI created

Setup & config options

Raspberry Pi first usage
Suitable power supply
RasPi & sFTP file transfer
Home network print server
Home network scan server
Mesh : home Lan USB drive
Explore hard & software
UFW firewall explained
Secured by fail2ban server
Software packaging & PPA

Apache 2.4+ LAMP server

http web server : port 80
https web server : port 443
Varnish caching proxy
Module : cgi & perl
Module : geoip
Modules : php & mysql
http*s error handling
Server : conditional logging
TL-domain & dynamic DNS
Webalizer log analyser
Defeat referrer spam
robots.txt & xml sitemaps
Server : .htaccess handling

The game & not the islands
 Setup & config options

About Windward

Improve your Firefox

Weather widget

Lat. 52.27, Long. 8.01

Meteorological service

North Atlantic : Macaronésia

Nine Azorean islands
Madeiran archipelago
POI on Madeira island
Streaming media

Off-topic media

Contact details
Privacy policy & terms
Host traffic elicitation

🚫  No ads & tracking

apache  azores  cinematique  fail2ban  firefox web browser  foss  dosboot  linux  madeira  media  portugal  raspberry pi  spam  xml sitemap  ubuntu budgie  ufw  varnish cache  weather widget  webalizer analyser  windward 

The prologue

Most of the articles, descriptions and instructions written here are applicable to the most common Debian-based Linux derivatives. Depending on the respective operating system, there may be minor or major discrepancies.
This website is for educational purposes only. Please do not deploy anything in manufacturing plants.
No warranty or compensation is given for loss of data or hardware.

It should be also mentioned that this modest web server is hosted on a Raspberry Pi type 4B at home.

The Raspberry Pi mini-computer board as multi-purpose server deployed
A competent allrounder for domestic purposes and micro-enterprises

 

Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. The mini-computer with its armv7l processor has quickly become the favourite of hobbyists. Projects can be started with suitable Linux distributions. Even an aged RasPi e.g. the models 2B and 2B+ can definitely serve to simple tasks quite well.

🌐  Prologue
GeoIP based country blocking with Apache v2.4+ web server

Today I have installed the geoip module for Apache v2.4+ via the apt install package management.

The only remaining flaw is to set up the latest and the most reliable »GeoIP.dat« file for the Raspberry Pi.

Source located in /usr/share/GeoIP/

At the moment my web server is dealing with one »GeoIP.dat« file which was created on 29-Dec 2020.

https://pkgs.org/download/geoip-database  |  https://mailfud.org/geoip-legacy/ (updated GeoIP db)

Especially for people who want to tinker and try something, can plunge into the world of Linux and coding.

The next days and weeks will consist with observing Apache's log files.

You have to have to look out for the Code 403 [F] - Forbidden entries.

root@raspberry:# tail -f -n +1 /var/log/apache2/access.log | cut -c -$COLUMN

04-Nov 2020

Updated 13-Jun 2022

Regularly updated GeoIP legacy databases  📂  (CC)

Provided with Creative Commons Attribution
ShareAlike 4.0 International License.

📄   GeoIP.dat.gz    IPv4

📄   The mirror site here

Apache web server v2.4+ | GeoIP installation routine

The GeoIP apache module mod_geoip allows your system administraton to redirect or block (code 403, Forbidden) web traffic according to the geographical location. The geographical location is given via the client's IP address. All names and locations are in plain US-ASCII encoding.

user@raspberry:~ $ sudo su
root@raspberry:/home/user# apt install libapache2-mod-geoip

Download a newer version of the GeoIP database from https://mailfud.org/geoip-legacy/ (countries only, IPv4, file name GeoIP.dat.gz). Unpack and copy the file into the folder /usr/share/GeoIP/ .

Change ownership and file permissions.

root@raspberry:/home/user# cd /usr/share/GeoIP
root@raspberry:/usr/share/GeoIP# chown root:root GeoIP.dat
root@raspberry:/usr/share/GeoIP# chmod 0644 GeoIP.dat

29-Nov 2020
Updated 11-Jan 2021

Apache module »mod_geoip« | Configuration and activation

Modify the certain configuration file /etc/apache2/mods-available/geoip.conf for your needs.

root@raspberry:/home/user# nano /etc/apache2/mods-available/geoip.conf

Note : MemoryCache loads the database into the memory; faster performance but uses more memory.

Example :

        <IfModule mod_geoip.c>
        # For performance reasons, it's not recommended to turn GeoIP on 
        # serverwide, but rather only in <Location> or <Directory> 
        # blocks where it's actually needed.

                GeoIPEnable On
                GeoIPEnableUTF8 On

        # The memory cache option can use a large amount of memory.
        # It is recommended to use Memory Caching only for the smaller 
        # database files, such as GeoIP country.

                GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache

        </IfModule>
	

And now according to .htaccess in root directory we type as possible at top of the file.

Remark : the both directives GeoIPDBFile and GeoIPEnableUTF8 are not in .htaccess.

root@raspberry:/home/user# nano /var/www/html/.htaccess

        ...
        ServerSignature Off
        ...
	RewriteEngine On
	...
	<IfModule mod_geoip.c>
            GeoIPEnable On
	    # example for blocking a single country #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "^AA$"
	    RewriteRule "(.*)" "-" [F]
	</IfModule>

	<IfModule mod_geoip.c>
	    # example for blocking multiple countries #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "^(AA|BB|CC)$"
	    RewriteRule "(.*)" "-" [F]
	</IfModule>

	<IfModule mod_geoip.c>
	    # example for permission from one country only #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "!^AA$"
	    RewriteRule "(.*)" "-" [F]
	</IfModule>

	<IfModule mod_geoip.c>
	    # example for allowing German knowing countries (not complete) #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "!^(AT|CH|DK|LI|LU|NL)$"
	    RewriteRule "(.*)" "-" [F]
	</IfModule>
        ...
	

Regarding to "^AA$" "^(AA|BB|CC)$" use exclusively UPPERCASE characters.
Country code top-level domain, short ccTLD. See https://simple.wikipedia.org/wiki/ISO_3166-1

With a weaker CPU board e.g. a RasPi Model 2B or 2B+ it is recommended not to exclude more than two countries.

Activate the module and restart the web server.

root@raspberry:/home/user# a2enmod geoip

        Enabling module geoip.
        To activate the new configuration, you need to run:
          systemctl restart apache2
	

root@raspberry:/home/user# systemctl restart apache2

The apachectl -M command lists all loaded modules, those compiled-in and those that are shared.

root@raspberry:# apachectl -M

         Loaded Modules:
         ...
         env_module (shared)
         ...
         geoip_module (shared)
         ...
         rewrite_module (shared)
         setenvif_module (shared)
         ...
	

Coming days and weeks will consist by observing Apache's log file.

root@raspberry:# tail -f -n +1 /var/log/apache2/access.log | cut -c -$COLUMN

Look out for the GET ... HTTP/1.1 403 entries and compare with e.g. https://dnslytics.com/ .

And when dnslytics.com grumbles with ...

Dear user,
Thank You for using our service. You have reached the daily page view limit.

... easiest solution : clear browser cache and cookies, obtain a new IP-address.

29-Nov 2020

Updated 03-Aug 2022

Epilogue and summary

Initial results: at first to mention, it does it's job and the results are very reliable. Some web content authors write in their blogs that the hit ratio is roundabout 98% to 99%. So it's not clear at all, because the entire W3 is a too dynamic thingy. The hit ratio is apparently greater than 95%, but certainly also less than 100%. Of course, it also depends how actual and accurate the current »GeoIP.dat« is.

Files = 0, Server usage statistics, June 2022

The accuracy is higher for smaller countries than for larger countries like Canada, China, India, Russia, U.S.A. and major parts in Europe.

09-Jan 2021
Updated 04-Jul 2022

Custom 403 error message easily made

A good idea has to let the visitor knowing what occured exactly.

Not every HTML-tag is permitted like the CSS style tags. HTML5 code rules out totally.

Watch out the quotation marks with "<html> and </html>".

root@raspberry:# nano /var/www/html/.htaccess

REMOVE ALL line breaks and white spaces after 403 " or you get the »500 Internal Server Error«.

Only the following tags are allowed.

<html> <head> <title> <body> <p> <br> <hr> <ul> <li>

        ErrorDocument 403 "<html>
        <head>
        <title>403 Access Forbidden</title>
        </head>
        <body>
        <br><hr><h2>403 Access Forbidden</h2>
        <p>You don't have permission to access this resource.</p>
        <p>There are at least seven possible reasons :</p>
        <p>
        <ul>
        <li>Are you using an outdated web browser? <br>Upgrade your 
        web browser to the most recent version to improve the surf experience.</li>
        <br><li>A blank User-Agent string.</li>
        <li>Index file browsing is forbidden.</li>
        <li>A firewall denies the permission.</li>
        <li>The server's geotargeting feature does not allow any access.</li>
        <li>You are not a human being, you are an unwished web-robot.</li>
        <li>You come from a remote host rejected by the server configuration.</li>
        </ul>
        </p><br>
        <p>example.com apologizes for any inconvenience.
        <hr>
        </body>
        </html>"
        

08-Feb 2021

Postscript

Somehow I did come to the suspect that by blocking the CN servers, some servers in Hong Kong are involved as well. And what is further noticeable is that there are »fallback servers« in Singapore located.

08-Mar 2021
Updated 04-Jul 2022