Installing GeoIP on Apache

To block unauthorized access from China and Korea, install GeoIP on Apache and restrict access by country.

Installation

    # dnf install mod_geoip

Configuration

`/etc/httpd/conf.d/geoip.conf`

    <IfModule mod_geoip.c>
      GeoIPEnable On
      GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    </IfModule>

    <Location "/">
      # Allow is evaluated first, then Deny, so the Deny below takes effect.
      # (With "Order Deny,Allow" the final "Allow from all" would override
      # the Deny and nothing would be blocked.) httpd does not accept a
      # comment after a directive on the same line, so comments stand alone.
      Order Allow,Deny
      # Permit every country not marked below
      Allow from all
      # China
      SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
      # Hong Kong
      SetEnvIf GEOIP_COUNTRY_CODE HK BlockCountry
      # South Korea
      SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
      # North Korea
      SetEnvIf GEOIP_COUNTRY_CODE KP BlockCountry
      # Russia
      SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
      # Reject the marked countries
      Deny from env=BlockCountry
    </Location>
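The same block written with the `Require` directives native to Apache 2.4 (the httpd that `dnf` installs), so it does not depend on the compatibility module that provides `Order`, `Allow` and `Deny`. This is an added example, not code from the original post or from mod_geoip2: the database path is the one the post uses, the five country codes are the post's, and `GeoIPOutput Env` is set explicitly because `SetEnvIf` reads the environment variable rather than the notes table.

```apache
<IfModule mod_geoip.c>
  GeoIPEnable On
  # Country database only: small enough to hold entirely in memory
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache
  # SetEnvIf below matches on the environment variable, so make sure it is set
  GeoIPOutput Env
</IfModule>

<Location "/">
  # One regex covers all blocked countries (CN, HK, KR, KP, RU)
  SetEnvIf GEOIP_COUNTRY_CODE ^(CN|HK|KR|KP|RU)$ BlockCountry

  # Apache 2.4 authorization: everyone is granted, then the marked
  # countries are subtracted. Both conditions must hold inside RequireAll,
  # and "Require not" may only appear alongside a positive Require.
  <RequireAll>
    Require all granted
    Require not env BlockCountry
  </RequireAll>
</Location>
```

Because this is a denylist, a request whose address is absent from the database gets no `GEOIP_COUNTRY_CODE` and is allowed; the allow-only form under "Allowing clients based on country" in the reference material fails closed instead. Run `apachectl configtest` before `systemctl reload httpd`.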

Reference

Configuration
-------------

With the exception of `GeoIPEnable`, all GeoIP configuration
directives must be placed in the server-wide context of the main server
config. (Please see [Server vs Directory
context](#Server_vs_Directory_context) for a full explanation). After
installing the module, make sure that

    GeoIPEnable On

is set in your Apache configuration file or an `.htaccess` file. This
loads the GeoIP Legacy Country database from its default location
(e.g. /usr/local/share/GeoIP/GeoIP.dat).

If you want to specify options, for example to use a different database
or to pass caching options, you can use the `GeoIPDBFile` directive:

### File and Caching Directives

    GeoIPDBFile /path/to/GeoIP.dat [GeoIPFlag]

For example:

    GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
    GeoIPDBFile /usr/local/share/GeoIP/GeoIPOrg.dat Standard

The default GeoIPFlag value is Standard, which does not perform any
caching, but uses the least memory. To turn on memory caching use:

    GeoIPDBFile /path/to/GeoIP.dat MemoryCache

The memory cache option can use a large amount of memory. We recommend
that you use Memory Caching only for the smaller database files, such as
GeoIP Legacy Country and GeoIP Legacy ISP.

Another MemoryCache option is MMapCache, which uses the `mmap`
system call to map the database file into memory.

If you would like the API to check to see if your local GeoIP Legacy
files have been updated, set the `CheckCache` flag:

    GeoIPDBFile /path/to/GeoIP.dat CheckCache

Before making a call to the database, geoip will check the GeoIP.dat
file to see if it has changed. If it has, then it will reload the file.
With this option, you do not have to restart Apache when you update your
GeoIP Legacy databases.

If you would like to turn on partial memory caching, use the
`IndexCache` flag:

    GeoIPDBFile /path/to/GeoIP.dat IndexCache

The IndexCache option caches the most frequently accessed index portion
of the database, resulting in faster lookups than StandardCache, but
less memory usage than MemoryCache. This is especially useful for larger
databases such as GeoIP Legacy Organization and GeoIP Legacy City. For
the GeoIP Legacy Country, Region and Netspeed databases, setting the
IndexCache option just causes the C API to use the MemoryCache.

Currently, multiple GeoIPFlags options cannot be combined.

### Enabling UTF-8 Output

You may change the output charset from ISO-8859-1 (Latin-1) to UTF-8
with this directive:

    GeoIPEnableUTF8 On

By default mod_geoip2 sets variables in both the notes table and
environment. For performance reasons you may want to set only the one
you use. To do so, use the `GeoIPOutput` configuration directive:

### Output Variable Location

    # Sets the Apache notes table only
    GeoIPOutput Notes
    # Sets environment variables only
    GeoIPOutput Env
    # Sets input headers with the geo location information
    GeoIPOutput Request
    # Sets all three (default behaviour)
    GeoIPOutput All

### Proxy-Related Directives

By default, this module will simply look at the IP address of the
client. However, if the client is using a proxy, this will be the
address of the proxy. You can use the `GeoIPScanProxyHeaders` directive
to look at proxy-related headers.

    GeoIPScanProxyHeaders On

When this is set, the module will look at several other sources for the
IP address, in this order:

-   The `HTTP_CLIENT_IP` environment variable (set by Apache).
-   The `HTTP_X_FORWARDED_FOR` environment variable (set by Apache).
-   The `X-Forwarded-For` header (set by a proxy).
-   The `HTTP_REMOTE_ADDR` environment variable (set by Apache).

This module will use the first IP address it finds in one of these
locations *instead* of the IP address the client connected from.

Some of these variables may contain a comma-separated list of IP
addresses (when a client goes through multiple proxies). In this case,
the default behavior is to use the first IP address. You can set the
`GeoIPUseLastXForwardedForIP` directive to use the last address instead:

    GeoIPUseLastXForwardedForIP On

Or use `GeoIPUseFirstNonPrivateXForwardedForIP` to use the first
non-private IP address.

    GeoIPUseFirstNonPrivateXForwardedForIP On

Apache 2.4 users using mod_remoteip to pick the IP address of the user
should disable GeoIPScanProxyHeaders. mod_geoip2 will then use whatever
address mod_remoteip provides.
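An added example (not from the original post or the mod_geoip2 documentation) of the Apache 2.4 arrangement the paragraph above recommends: mod_remoteip derives the client address from `X-Forwarded-For`, but only when the connection comes from a proxy you have listed, and the GeoIP module is told not to read proxy headers itself. The proxy address 192.0.2.10 and the log file name are constructed placeholders. The point for a country block is that `X-Forwarded-For` is written by whoever sends the request, so without a trusted-proxy list the lookup runs against whatever address arrives in the header rather than the address that connected.

```apache
<IfModule mod_remoteip.c>
  # Only this reverse proxy (constructed address, replace with your own) may
  # supply X-Forwarded-For; from any other peer the header is ignored and
  # the connecting address is used unchanged.
  RemoteIPHeader X-Forwarded-For
  RemoteIPTrustedProxy 192.0.2.10
  # Proxies on private ranges can be listed with RemoteIPInternalProxy
  # instead, e.g. RemoteIPInternalProxy 10.0.0.0/8
</IfModule>

<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache
  GeoIPOutput Env
  # Leave header handling to mod_remoteip; the module then looks up the
  # address mod_remoteip has already validated.
  GeoIPScanProxyHeaders Off
</IfModule>

# Record both addresses so a country decision can be traced afterwards:
# %a is the client as corrected by mod_remoteip, %{c}a the peer that
# actually connected, %{GEOIP_COUNTRY_CODE}e the code the block acted on.
LogFormat "%a %{c}a %{GEOIP_COUNTRY_CODE}e \"%r\" %>s" geoip
CustomLog logs/geoip_log geoip
```

When `%a` and `%{c}a` differ in the log, the request came through a listed proxy and the country was resolved for the forwarded address; when they are equal, the header was either absent or ignored because the peer was not trusted.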

Sometimes it is useful to use another field as the source for the
client's IP address. The `GeoIPScanProxyHeaderField` directive tells this
module which header to look at in order to determine the client's IP
address:

    GeoIPScanProxyHeaderField FieldName

Examples
--------

Here are some examples of how you can use mod_geoip2.

### Redirecting a client based on country

This example shows you how to redirect a client based on the country code
that GeoIP sets.

    GeoIPEnable On
    GeoIPDBFile /path/to/GeoIP.dat

    # Redirect one country
    RewriteEngine on
    RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CA$
    RewriteRule ^(.*)$ http://www.canada.com$1 [R,L]

    # Redirect multiple countries to a single page
    RewriteEngine on
    RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CA|US|MX)$
    RewriteRule ^(.*)$ http://www.northamerica.com$1 [R,L]

### Blocking a client based on country

This example shows you how to block clients based on the country code
that GeoIP sets.

    GeoIPEnable On
    GeoIPDBFile /path/to/GeoIP.dat

    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    # ... place more countries here

    Deny from env=BlockCountry

### Allowing clients based on country

This example shows you how to allow only clients from specific countries.

    GeoIPEnable On
    GeoIPDBFile /path/to/GeoIP.dat

    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
    # ... place more countries here

    Deny from all
    Allow from env=AllowCountry

### Server vs Directory context

All directives except GeoIPEnable are server config only, i.e., you set
each one only once per server config. If one appears more than once, the
last occurrence wins.

```
<IfModule mod_geoip.c>
  GeoIPEnable Off
  GeoIPEnableUTF8 On
  GeoIPOutput Env
  GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
  GeoIPDBFile /usr/local/share/GeoIP/GeoIPCity.dat MemoryCache
  GeoIPDBFile /usr/local/share/GeoIP/GeoIPOrg.dat MemoryCache
</IfModule>
```

GeoIPEnable is useful in server or directory context. For example:

GeoIP is only available for a specific location:

```
<IfModule mod_geoip.c>
  GeoIPEnable Off
  GeoIPEnableUTF8 On
  GeoIPOutput Env
  GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
</IfModule>

# GeoIP information is available only inside /geoip-enabled
<Location /geoip-enabled>
  GeoIPEnable On
  ...
</Location>

<Location /other>
  ...
</Location>
```

GeoIP is available for all locations:

```
<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPEnableUTF8 On
  GeoIPOutput Env
  GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
</IfModule>

# This doesn't work, because it's already been enabled in the server-wide
# config!
<Location /geoip-enabled>
  GeoIPEnable On
</Location>

<Location /geoip-disabled>
  GeoIPEnable Off
</Location>
```