
The prologue


Most of the articles, descriptions and instructions written here are applicable to the most common Debian-based Linux derivatives. Depending on the respective operating system, there may be minor or major discrepancies.
This website is for educational purposes only. Please do not deploy anything in manufacturing plants.
No warranty or compensation is given for loss of data or hardware.

It should also be mentioned that this modest web server is hosted at home on a Raspberry Pi type 4B.


The Raspberry Pi mini-computer board as multi-purpose server deployed
A competent allrounder for domestic purposes and micro-enterprises


Raspberry Pi : Apache as multiple web server. Print server, scan server, backup and NAS server.

Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. The mini-computer with its armv7l processor has quickly become the favourite of hobbyists. Projects can be started with suitable Linux distributions. Even an aged RasPi, e.g. the models 2B and 2B+, can definitely handle simple tasks quite well.


🌐  Prologue
GeoIP based country blocking with Apache v2.4+ web server


Today I installed the geoip module for Apache v2.4+ via the apt package management.

The only thing left to do is to set up the latest and most reliable »GeoIP.dat« file for the Raspberry Pi.

Source located in /usr/share/GeoIP/


At the moment my web server is dealing with one »GeoIP.dat« file which was created on 29-Dec 2020.

https://pkgs.org/download/geoip-database  |  https://mailfud.org/geoip-legacy/ (updated GeoIP db)


People who want to tinker and try things out, in particular, can plunge into the world of Linux and coding.

The next days and weeks will be spent observing Apache's log files.

You have to look out for the code 403 [F] (Forbidden) entries.


root@raspberry:# tail -f -n +1 /var/log/apache2/access.log | cut -c -$COLUMNS


04-Nov 2020

Updated 13-Jun 2022


Regularly updated GeoIP legacy databases (CSV and DAT files), provided under the Creative Commons Attribution-ShareAlike 4.0 International License.

File: GeoIP.dat.gz (IPv4)


Apache web server v2.4+ | GeoIP installation routine


The GeoIP Apache module mod_geoip allows the system administrator to redirect or block (code 403, Forbidden) web traffic according to geographical location. The geographical location is derived from the client's IP address. All names and locations are in plain US-ASCII encoding.


user@raspberry:~ $ sudo su
root@raspberry:/home/user# apt install libapache2-mod-geoip


Download a newer version of the GeoIP database from https://mailfud.org/geoip-legacy/ (countries only, IPv4, file name GeoIP.dat.gz). Unpack and copy the file into the folder /usr/share/GeoIP/ .


Change ownership and file permissions.


root@raspberry:/home/user# cd /usr/share/GeoIP
root@raspberry:/usr/share/GeoIP# chown root:root GeoIP.dat
root@raspberry:/usr/share/GeoIP# chmod 0644 GeoIP.dat
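
An added example, not part of the original page: the unpack, copy, chown and chmod steps above wrapped in one shell function that tests the archive first and swaps the new file in with a single rename, so a broken download never replaces the working database. The function name install_geoip_db and the archive path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. install_geoip_db is a
# hypothetical helper name; the archive is assumed to be downloaded already.
#
# Usage (as root, example path): install_geoip_db /root/GeoIP.dat.gz
#                                systemctl restart apache2

install_geoip_db() {
    src=$1
    dest_dir=${2:-/usr/share/GeoIP}

    # A truncated or corrupt download must never reach the live file.
    if ! gzip -t "$src" 2>/dev/null; then
        echo "install_geoip_db: $src is not a valid gzip archive" >&2
        return 1
    fi

    # Unpack next to the target so the final rename stays on one filesystem.
    tmp=$(mktemp "$dest_dir/GeoIP.dat.XXXXXX") || return 1
    if ! gzip -dc "$src" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "install_geoip_db: unpacking $src failed" >&2
        return 1
    fi

    # Same ownership and mode as in the manual steps; chown needs root.
    chmod 0644 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp"
    fi

    # The rename replaces the old database in one step.
    mv -f "$tmp" "$dest_dir/GeoIP.dat"
}

# Run directly with the archive path as argument.
if [ "$#" -ge 1 ]; then
    install_geoip_db "$@"
fi
```
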


29-Nov 2020
Updated 11-Jan 2021


Apache module »mod_geoip« | Configuration and activation


Modify the configuration file /etc/apache2/mods-available/geoip.conf to suit your needs.


root@raspberry:/home/user# nano /etc/apache2/mods-available/geoip.conf


Note : MemoryCache loads the database into memory; this gives faster performance but uses more memory.


Example :


        <IfModule mod_geoip.c>
        # For performance reasons, it's not recommended to turn GeoIP on 
        # serverwide, but rather only in <Location> or <Directory> 
        # blocks where it's actually needed.

                GeoIPEnable On
                GeoIPEnableUTF8 On

        # The memory cache option can use a large amount of memory.
        # It is recommended to use Memory Caching only for the smaller 
        # database files, such as GeoIP country.

                GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache

        </IfModule>
	

Now, in the .htaccess file in the web root directory, add the following as close to the top of the file as possible.

Remark : the two directives GeoIPDBFile and GeoIPEnableUTF8 do not go into .htaccess.


root@raspberry:/home/user# nano /var/www/html/.htaccess


        ...
        ServerSignature Off
        ...
        RewriteEngine On
        ...
        <IfModule mod_geoip.c>
            GeoIPEnable On
            # example for blocking a single country #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "^AA$"
            RewriteRule "(.*)" "-" [F]
        </IfModule>

        <IfModule mod_geoip.c>
            # example for blocking multiple countries #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "^(AA|BB|CC)$"
            RewriteRule "(.*)" "-" [F]
        </IfModule>

        <IfModule mod_geoip.c>
            # example for permission from one country only #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "!^AA$"
            RewriteRule "(.*)" "-" [F]
        </IfModule>

        <IfModule mod_geoip.c>
            # example for allowing countries where German is known (not complete) #
            RewriteCond "%{ENV:GEOIP_COUNTRY_CODE}" "!^(AT|CH|DK|LI|LU|NL)$"
            RewriteRule "(.*)" "-" [F]
        </IfModule>
        ...
	

In the patterns "^AA$" and "^(AA|BB|CC)$", use UPPERCASE characters exclusively.
Country code top-level domain, ccTLD for short. See https://simple.wikipedia.org/wiki/ISO_3166-1


With a weaker CPU board e.g. a RasPi Model 2B or 2B+ it is recommended not to exclude more than two countries.


Activate the module and restart the web server.


root@raspberry:/home/user# a2enmod geoip


        Enabling module geoip.
        To activate the new configuration, you need to run:
          systemctl restart apache2
	

root@raspberry:/home/user# systemctl restart apache2


The apachectl -M command lists all loaded modules, those compiled-in and those that are shared.


root@raspberry:# apachectl -M


         Loaded Modules:
         ...
         env_module (shared)
         ...
         geoip_module (shared)
         ...
         rewrite_module (shared)
         setenvif_module (shared)
         ...
	

The coming days and weeks will be spent observing Apache's log file.


root@raspberry:# tail -f -n +1 /var/log/apache2/access.log | cut -c -$COLUMNS


Look out for the GET ... HTTP/1.1 403 entries and compare with e.g. https://dnslytics.com/ .


And when dnslytics.com grumbles with ...


Dear user,
Thank You for using our service. You have reached the daily page view limit.


... easiest solution : clear browser cache and cookies, obtain a new IP-address.
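
For the log review described above, an added example that is not part of the original page: instead of reading the live tail, it lists every client that received a 403, busiest first, so each address only has to be looked up once. The function names are hypothetical, the default Apache "combined" log format is assumed, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are
# hypothetical; the default Apache "combined" log format is assumed.
# On the server (as root): summarize_403 /var/log/apache2/access.log

# summarize_403 [FILE...]: print "COUNT CLIENT" for every client that
# received a 403, busiest first. Reads stdin when no file is given.
summarize_403() {
    awk '
    {
        # The request line starts after the timestamp: ] "
        start = index($0, "] \"")
        if (start == 0) next
        rest = substr($0, start + 3)

        # Walk to the closing quote. Apache logs a quote sent by the
        # client as \" so a crafted request cannot fake a status code.
        i = 1; n = length(rest)
        while (i <= n) {
            c = substr(rest, i, 1)
            if (c == "\\") { i += 2; continue }
            if (c == "\"") break
            i++
        }
        split(substr(rest, i + 1), f, " ")
        if (f[1] == "403") hits[$1]++
    }
    END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges only).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [03/Aug/2022:10:00:01 +0200] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Aug/2022:10:00:05 +0200] "GET /index.html HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Aug/2022:10:01:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Aug/2022:10:02:00 +0200] "GET /a\" 200 1 \"x HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [03/Aug/2022:10:03:00 +0200] "GET /403 HTTP/1.1" 404 300 "-" "Mozilla/5.0 403"
EOF
}

# With file arguments summarise those; otherwise run on the sample.
if [ "$#" -ge 1 ]; then summarize_403 "$@"; else sample_log | summarize_403; fi
```
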


29-Nov 2020

Updated 03-Aug 2022


Epilogue and summary


Initial results: first of all, it does its job and the results are very reliable. Some web content authors write in their blogs that the hit ratio is roughly 98% to 99%. That cannot be pinned down exactly, because the entire web is far too dynamic. The hit ratio is apparently greater than 95%, but certainly also less than 100%. Of course, it also depends on how up to date and accurate the current »GeoIP.dat« is.


Files = 0, Server usage statistics, June 2022


GeoIP location configuration.


The accuracy is higher for smaller countries than for larger countries like Canada, China, India, Russia, U.S.A. and major parts in Europe.


Rejected by web server's GeoIP location configuration.


09-Jan 2021
Updated 04-Jul 2022


Custom 403 error message easily made


It is a good idea to let the visitor know exactly what occurred.

Not every HTML tag is permitted; the CSS style tags, for example, are not. HTML5 code is ruled out entirely.


Mind the quotation marks: the message starts with "<html> and ends with </html>".


root@raspberry:# nano /var/www/html/.htaccess


REMOVE ALL line breaks and white spaces after 403 " or you get the »500 Internal Server Error«.


Only the following tags are allowed.


<html> <head> <title> <body> <p> <br> <hr> <ul> <li>


        ErrorDocument 403 "<html>
        <head>
        <title>403 Access Forbidden</title>
        </head>
        <body>
        <br><hr><h2>403 Access Forbidden</h2>
        <p>You don't have permission to access this resource.</p>
        <p>There are at least seven possible reasons :</p>
        <p>
        <ul>
        <li>Are you using an outdated web browser? <br>Upgrade your 
        web browser to the most recent version to improve the surf experience.</li>
        <br><li>A blank User-Agent string.</li>
        <li>Index file browsing is forbidden.</li>
        <li>A firewall denies the permission.</li>
        <li>The server's geotargeting feature does not allow any access.</li>
        <li>You are not a human being, you are an unwished web-robot.</li>
        <li>You come from a remote host rejected by the server configuration.</li>
        </ul>
        </p><br>
        <p>example.com apologizes for any inconvenience.</p>
        <hr>
        </body>
        </html>"
        

Source dosboot.org : Custom 403 error message easily made.


08-Feb 2021


Postscript


Somehow I have come to suspect that blocking the CN servers also involves some servers in Hong Kong. What is also noticeable is that there are »fallback servers« located in Singapore.


08-Mar 2021
Updated 04-Jul 2022

dosboot.org 2024 | Design and layout handmade in Northwest Europe