????????前幾天，我有一個徒弟問我，如何禁止海外ip訪問他的網站系統？操作系統采用的是centos7.9，發布服務采用的是openresty。通過日志他發現，有很多類似以下數據

{"host":"172.30.7.95","clientip":"122.189.224.120","size":1818,"responsetime":2025-05-27T14:28:53,"http_host":"www.pingan.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"199.204.97.58","size":154,"responsetime":2025-05-27T14:29:01,"http_host":"_","url":"-","agent":"-","country_code":"US","country_name":"United States","city_name":"-","status":"400"}
{"host":"172.30.7.95","clientip":"122.189.224.28","size":1818,"responsetime":2025-05-27T14:29:16,"http_host":"lsw-fast.lenovo.com.cn","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"204.76.203.219","size":1818,"responsetime":2025-05-27T14:29:22,"http_host":"116.62.152.21","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46","country_code":"NL","country_name":"The Netherlands","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"42.83.147.54","size":587,"responsetime":2025-05-27T14:33:12,"http_host":"anxundata.com","url":"/index.html","agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/74.0.3729.169 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"200"}
{"host":"172.30.7.95","clientip":"45.82.255.188","size":1818,"responsetime":2025-05-27T14:36:35,"http_host":"anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36","country_code":"CY","country_name":"Cyprus","city_name":"-","status":"401"}

? ? ? ? 我看過數據之后，直接給出答案使用geoip2模塊與GeoLite2的ip庫匹配禁止訪問就行。下面就是geoip2模塊與GeoLite2的ip庫安裝步驟(以下步驟是基于openresty已經安裝成功的操作手法)。

一、增加依賴

yum install -y geoip-devel libmaxminddb-devel

二、geoip2模塊安裝

wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/3.4.tar.gz #下載geoip2模塊
tar -zxf ngx_http_geoip2_module-3.4.tar.gz #解壓文件包
mv ngx_http_geoip2_module-3.4/ /usr/local/src/ngx_http_geoip2_module #將文件拷貝到指定目錄

三、下載及安裝GeoLite2的ip庫

tar -zxf GeoLite2-Country_20250523.tar.gz #將文件解壓
cd GeoLite2-Country_20250523/ #進入文件
mv GeoLite2-Country.mmdb /usr/share/GeoIP/ #將IP庫復制到GeoIP文件夾中

四、重新編譯openresty

./configure --prefix=/usr/local/openresty --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre-jit --with-stream --with-http_geoip_module --add-module=/usr/local/src/ngx_http_geoip2_module
gmake && gmake install

五、修改nginx主配置

vi /usr/local/openresty/nginx/conf/nginx.conf
user www;
worker_processes 2;
worker_cpu_affinity auto;
error_log /data/nginx/error.log;
worker_rlimit_nofile 65535;
pid  /data/nginx/nginx.pid;events {worker_connections  10240;use epoll;multi_accept on;
}http {include       mime.types;geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {auto_reload 60m; #每隔60分鐘自動重載數據庫$geoip2_data_country_code country iso_code; #IP所在-國家的編碼$geoip2_data_country_name country names en; #IP所在-國家名$geoip2_data_city_name city names; #IP所在-城市名}default_type  application/octet-stream;map $time_iso8601 $logdate {'~^(?<ymd>\\d{4}-\\d{2}-\\d{2})' $ymd;default                       'date-not-found';}map $time_iso8601 $request_times {'~^(?<ymdhms>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})' $ymdhms;default                       'date-not-found';}map $geoip2_data_country_code $allowed_country {default no; #默認禁止所有訪問CN yes; #只針對中國開放訪問權限}log_format access-upstream '{"host":"$server_addr",''"clientip":"$remote_addr",''"size":$body_bytes_sent,''"responsetime":$request_times,''"http_host":"$host",''"url":"$uri",''"agent":"$http_user_agent",''"country_code":"$geoip2_data_country_code",''"country_name":"$geoip2_data_country_name",''"city_name":"$geoip2_data_city_name",''"status":"$status"}';sendfile on;tcp_nopush on;tcp_nodelay on;server_names_hash_bucket_size 128;server_names_hash_max_size 512;keepalive_timeout  1000s;client_header_timeout 15s;client_body_timeout 15s;send_timeout 1000s;proxy_cache_path /data/nginx levels=1:2 keys_zone=nginx-cache:20m max_size=50g inactive=168h;client_body_buffer_size 512k;client_header_buffer_size 256k;client_max_body_size 1024m;large_client_header_buffers 2 8k;proxy_connect_timeout 1000s;proxy_send_timeout 1000s;proxy_read_timeout 1000s;proxy_buffer_size 128k;proxy_buffers 8 256k;proxy_busy_buffers_size 256k;proxy_temp_file_write_size 256k;proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;fastcgi_intercept_errors on;fastcgi_ignore_client_abort on;fastcgi_connect_timeout 1000s;fastcgi_send_timeout 1000s;fastcgi_read_timeout 1000s;fastcgi_buffer_size 128k;fastcgi_buffers 8 256k;fastcgi_busy_buffers_size 256k;fastcgi_temp_file_write_size 256k;gzip on;gzip_min_length 1k;gzip_buffers 4 32k;gzip_http_version 1.1;gzip_comp_level 6;gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;gzip_vary on;gzip_disable "MSIE [1-6].";include vhost/*.conf;
}

六、修改具體域名配置

location / {if ($allowed_country = no) {return 401;}index /data/wwwroot/index.html;
}

下一期將帶來openresty+lua+redis把非正常訪問的域名加入黑名單