Installing GeoIP on Apache
To block unwanted access from China and Korea, install GeoIP on Apache and restrict access by the country the client address resolves to.
Note: mod_geoip has since been replaced by mod_maxminddb. See "Installing the MaxMind DB module on Apache" for details.
Installation

```shell
# dnf install mod_geoip
```
Configuration
`/etc/httpd/conf.d/geoip.conf`

`Order`, `Allow` and `Deny` are the Apache 2.2 access-control directives; on Apache 2.4 (which is what `dnf` installs) they are provided by mod_access_compat, which the stock httpd package loads. Two details decide whether the deny list works at all. First, with `Order Deny,Allow` a request that matches `Allow from all` is admitted even when it also matches a `Deny`, so every country would get through; the order has to be `Allow,Deny`, under which the `Allow` directives are evaluated first and a matching `Deny` then rejects the request. Second, Apache does not accept a comment on the same line as a directive, so each comment sits on its own line.

```apache
<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
</IfModule>

<Location "/">
    # Evaluate Allow first, then Deny; a matching Deny rejects the request
    Order Allow,Deny
    # Tag requests from the countries to block (China, Hong Kong,
    # South Korea, North Korea, Russia)
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE HK BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    # Allow every other country
    Allow from all
    # Deny the tagged countries
    Deny from env=BlockCountry
</Location>
```

Run `httpd -t` after editing and reload the service; a request from a blocked country then receives a 403.
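The same policy written in the native Apache 2.4 authorization syntax (mod_authz_core and mod_authz_host), which does not depend on mod_access_compat. This is an added example, not configuration from the original page or from the mod_geoip2 README; it assumes the same database path and country list as the geoip.conf above, and the `/admin` allow-list at the end is a hypothetical path included to show the mirror-image pattern (the "allowing clients based on country" form from the README further down).

```apache
<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
</IfModule>

<Location "/">
    # One SetEnvIf per blocked country; GEOIP_COUNTRY_CODE is in the
    # environment because GeoIPOutput defaults to All.
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE HK BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    # Every Require inside RequireAll must pass: "all granted" admits
    # everyone, "not env BlockCountry" then vetoes the tagged requests.
    <RequireAll>
        Require all granted
        Require not env BlockCountry
    </RequireAll>
</Location>

# Hypothetical admin area: allow-list instead of deny-list.
<Location "/admin">
    SetEnvIf GEOIP_COUNTRY_CODE JP AllowCountry
    # Only requests carrying the AllowCountry variable are authorized;
    # everything else, including unknown ("--") countries, gets a 403.
    Require env AllowCountry
</Location>
```

Because the decision is made on the environment variable, a request whose country cannot be resolved (the module sets no `GEOIP_COUNTRY_CODE`) is admitted by the deny-list and rejected by the allow-list; choose the form that fails the way you want.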
Reference (mod_geoip2 README)
Configuration
-------------
With the exception of `GeoIPEnable`, all GeoIP configuration
directives must be placed in the server-wide context of the main server
config. (Please see [Server vs Directory
context](#Server_vs_Directory_context) for a full explanation). After
installing the module, make sure that

```apache
GeoIPEnable On
```

is set in your Apache configuration file or an `.htaccess` file. This
will use the GeoIP Legacy Country database from its default location
(e.g. /usr/local/share/GeoIP/GeoIP.dat).
If you want to specify options, for example to use a different database
or to pass caching options, you can use the `GeoIPDBFile` directive:
### File and Caching Directives

```apache
GeoIPDBFile /path/to/GeoIP.dat [GeoIPFlag]
```

For example:

```apache
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
GeoIPDBFile /usr/local/share/GeoIP/GeoIPOrg.dat Standard
```
The default GeoIPFlag value is Standard, which does not perform any
caching, but uses the least memory. To turn on memory caching use:

```apache
GeoIPDBFile /path/to/GeoIP.dat MemoryCache
```
The memory cache option can use a large amount of memory. We recommend
that you use Memory Caching only for the smaller database files, such as
GeoIP Legacy Country and GeoIP Legacy ISP.
A further caching option is MMapCache, which uses the `mmap`
system call to map the database file into memory.
If you would like the API to check whether your local GeoIP Legacy
files have been updated, set the `CheckCache` flag:

```apache
GeoIPDBFile /path/to/GeoIP.dat CheckCache
```
Before making a call to the database, geoip will check the GeoIP.dat
file to see if it has changed. If it has, then it will reload the file.
With this option, you do not have to restart Apache when you update your
GeoIP Legacy databases.
If you would like to turn on partial memory caching, use the
`IndexCache` flag:

```apache
GeoIPDBFile /path/to/GeoIP.dat IndexCache
```

The IndexCache option caches the most frequently accessed index portion
of the database, resulting in faster lookups than Standard, but
less memory usage than MemoryCache. This is especially useful for larger
databases such as GeoIP Legacy Organization and GeoIP Legacy City. For
the GeoIP Legacy Country, Region and Netspeed databases, setting the
IndexCache option just causes the C API to use the MemoryCache.
Currently, multiple GeoIPFlag options cannot be combined.
### Enabling UTF-8 Output
You may change the output charset from ISO-8859-1 (Latin-1) to UTF-8
with this directive:

```apache
GeoIPEnableUTF8 On
```

### Output Variable Location
By default mod_geoip2 sets variables in both the notes table and
environment. For performance reasons you may want to set only the one
you use. To do so, use the `GeoIPOutput` configuration directive:

```apache
# Sets the Apache notes table only
GeoIPOutput Notes
# Sets environment variables only
GeoIPOutput Env
# Sets input headers with the geo location information
GeoIPOutput Request
# Sets all three (default behaviour)
GeoIPOutput All
```
### Proxy-Related Directives
By default, this module will simply look at the IP address of the
client. However, if the client is using a proxy, this will be the
address of the proxy. You can use the `GeoIPScanProxyHeaders` directive
to look at proxy-related headers.
```apache
GeoIPScanProxyHeaders On
```

When this is set, the module will look at several other sources for the
IP address, in this order:
- The `HTTP_CLIENT_IP` environment variable (set by Apache).
- The `HTTP_X_FORWARDED_FOR` environment variable (set by Apache).
- The `X-Forwarded-For` header (set by a proxy).
- The `HTTP_REMOTE_ADDR` environment variable (set by Apache).
This module will use the first IP address it finds in one of these
locations *instead* of the IP address the client connected from.
Any client can send these headers itself, so enable this only when Apache
is reachable exclusively through a proxy you control. On a directly
reachable server a client can set `X-Forwarded-For` to an address of its
choosing and thereby pick its own country code, which defeats a
country-based block.
Some of these variables may contain a comma-separate list of IP
addresses (when a client goes through multiple proxies). In this case,
the default behavior is to use the first IP address. You can set the
`GeoIPUseLastXForwardedForIP` directive to use the last address instead:
```apache
GeoIPUseLastXForwardedForIP On
```

Or use `GeoIPUseFirstNonPrivateXForwardedForIP` to use the first
non-private IP address:

```apache
GeoIPUseFirstNonPrivateXForwardedForIP On
```

Apache 2.4 users using mod_remoteip to pick the IP address of the user
should disable GeoIPScanProxyHeaders. mod_geoip2 will use whatever
mod_remoteip provides.

Sometimes it is useful to use another field as the source for the
client's IP address. You can set this directive to tell this module
which header to look at in order to determine the client's IP address:

```apache
GeoIPScanProxyHeaderField FieldName
```
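The header-selection rules above, as an added example that is not code from mod_geoip2: a small Python model of which address gets geolocated under `GeoIPScanProxyHeaders`, `GeoIPUseLastXForwardedForIP` and `GeoIPUseFirstNonPrivateXForwardedForIP`, run against a constructed country table and a spoofed `X-Forwarded-For`. The country assignments, the list of ranges counted as "private", and the `/`-wide block list are assumptions made for the demonstration; only `X-Forwarded-For` is modelled, not the `Client-IP` header the module checks first.

```python
import ipaddress

# Constructed stand-in for the GeoIP country database. The prefixes are the
# RFC 5737 documentation ranges and the country assignments are invented for
# this example only.
FAKE_COUNTRY_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "JP",
}

# Assumption: "private" for GeoIPUseFirstNonPrivateXForwardedForIP means
# RFC 1918, loopback and link-local; the exact list the module skips is not
# stated on this page.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# The same deny list as the geoip.conf on this page.
BLOCKED_COUNTRIES = {"CN", "HK", "KR", "KP", "RU"}


def country_of(ip):
    """Country code for an address in the constructed table; '--' if unknown."""
    for net, code in FAKE_COUNTRY_DB.items():
        if ip in net:
            return code
    return "--"


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETWORKS)


def parse_forwarded_for(header):
    """Split a comma-separated X-Forwarded-For value into addresses.

    Entries that are not IP addresses are dropped instead of trusted."""
    hops = []
    for part in header.split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            pass
    return hops


def select_client_ip(peer_ip, xff_header=None, scan_proxy_headers=False,
                     mode="first"):
    """Return the address the module would look up.

    peer_ip:            the TCP peer, i.e. REMOTE_ADDR
    scan_proxy_headers: GeoIPScanProxyHeaders On/Off
    mode:               "first" (default), "last" (GeoIPUseLastXForwardedForIP On)
                        or "first_non_private"
                        (GeoIPUseFirstNonPrivateXForwardedForIP On)"""
    peer = ipaddress.ip_address(peer_ip)
    if not scan_proxy_headers or not xff_header:
        return peer
    hops = parse_forwarded_for(xff_header)
    if not hops:
        return peer  # nothing usable in the header: fall back to the peer
    if mode == "first":
        return hops[0]
    if mode == "last":
        return hops[-1]
    if mode == "first_non_private":
        return next((hop for hop in hops if not is_private(hop)), peer)
    raise ValueError("unknown mode: %s" % mode)


def decision(peer_ip, xff_header=None, scan_proxy_headers=False, mode="first"):
    """(GEOIP_COUNTRY_CODE as SetEnvIf sees it, whether BlockCountry fires)."""
    code = country_of(select_client_ip(peer_ip, xff_header,
                                       scan_proxy_headers, mode))
    return code, code in BLOCKED_COUNTRIES


if __name__ == "__main__":
    # Case 1: Apache is reachable directly. The client at 198.51.100.7 ("RU")
    # writes its own X-Forwarded-For claiming to be 192.0.2.10 ("US").
    print(decision("198.51.100.7", "192.0.2.10"))                           # ('RU', True)
    print(decision("198.51.100.7", "192.0.2.10", scan_proxy_headers=True))  # ('US', False): blocked country let in
    # Case 2: Apache sits behind a trusted proxy at 10.0.0.1 that appends the
    # real client address to whatever header the client already sent.
    chain = "192.0.2.10, 198.51.100.7"
    print(decision("10.0.0.1", chain, True, "first"))              # ('US', False): still spoofable
    print(decision("10.0.0.1", chain, True, "first_non_private"))  # ('US', False): a spoofed public IP passes too
    print(decision("10.0.0.1", chain, True, "last"))               # ('RU', True): the proxy-appended hop wins
```

The takeaway is that only the hop appended by a proxy you control is trustworthy, which is why `GeoIPUseLastXForwardedForIP` (or leaving the job to mod_remoteip with a `RemoteIPInternalProxy` list) is the setting to use behind a proxy, and why scanning proxy headers on a directly reachable server is equivalent to letting the client pick its country.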
Examples
--------
Here are some examples of how you can use mod_geoip2.
### Redirecting a client based on country
This example shows how to redirect a client based on the country code
that GeoIP sets.

```apache
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

# Redirect one country
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CA$
RewriteRule ^(.*)$ http://www.canada.com$1 [R,L]

# Redirect multiple countries to a single page
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CA|US|MX)$
RewriteRule ^(.*)$ http://www.northamerica.com$1 [R,L]
```
### Blocking a client based on country
This example shows how to block clients based on the country code
that GeoIP sets. No `Order` directive is given, so the default
`Deny,Allow` applies; since there is no `Allow` directive, a matching
`Deny` is decisive.

```apache
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
# ... place more countries here
Deny from env=BlockCountry
```
### Allowing clients based on country
This example shows how to allow only clients from specific countries.
Under the default `Order Deny,Allow`, `Deny from all` rejects everyone
and the `Allow` line then readmits only the requests tagged with
`AllowCountry`.

```apache
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
# ... place more countries here
Deny from all
Allow from env=AllowCountry
```
### Server vs Directory context
All directives except GeoIPEnable are server config only, i.e., you type
it only once per server config. Otherwise the latest wins.
```apache
<IfModule mod_geoip.c>
GeoIPEnable Off
GeoIPEnableUTF8 On
GeoIPOutput Env
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
GeoIPDBFile /usr/local/share/GeoIP/GeoIPCity.dat MemoryCache
GeoIPDBFile /usr/local/share/GeoIP/GeoIPOrg.dat MemoryCache
</IfModule>
```
GeoIPEnable is useful in server or directory context. For example:
GeoIP is only available for a specific location:
```apache
<IfModule mod_geoip.c>
GeoIPEnable Off
GeoIPEnableUTF8 On
GeoIPOutput Env
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
</IfModule>
# GeoIP information is available only inside /geoip-enabled
<Location /geoip-enabled>
GeoIPEnable On
...
</Location>
<Location /other>
...
</Location>
```
GeoIP is available for all locations:
```apache
<IfModule mod_geoip.c>
GeoIPEnable On
GeoIPEnableUTF8 On
GeoIPOutput Env
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat MemoryCache
</IfModule>
# This doesn't work, because it's already been enabled in the server-wide
# config!
<Location /geoip-enabled>
GeoIPEnable On
</Location>
<Location /geoip-disabled>
GeoIPEnable Off
</Location>
```
