nginx how to filter foreign proxy ip?GeoIP module configuration and blacklist settings

First, the first whole understand GeoIP module is what the hell!

Friends of the website must have encountered, some foreign proxy IP every day to crawl data, making the server wailing. This time you have to use Nginx's GeoIP module, this thing is like the IP address installed a GPS locator, can automatically identify which country visitors come from.

It's not complicated to install, first make sure the server has this module installed. In the terminal, typenginx -VIf you don't see it in the output.-with-http_geoip_moduleIf you want to install the GeoIP module, you have to recompile it and install it again. Here is a pitfall to note: GeoIP module requires supporting database files, remember to go to the official website to download the latest!GeoIP.datrespond in singingGeoIPv6.datThe

 Let's take a configuration chestnut
geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat.

server {
    if ($geoip_country_code ! ~ ^(CN|TW|HK|MO)$) {
        return 403; }
    }
}

Second, hand to teach you how to set up IP blacklisting

GeoIP alone is not enough, some proxy IPs masquerade as domestic addresses. This is the time to get ondouble insurance: Get a blacklist list in Nginx first. Create a newblock_ip.conffile, stuffing suspicious IP segments into it.

Let's say we find a U.S. proxy IP address.192.168.10.0/24The old harassment, just write that:

deny 192.168.10.0/24; deny 192.168.10.0/24;
allow all;

Then include this file in the main config file. Remember to update the blacklist weekly, recommend using ipipgo'sReal-time IP library APIAutomatically grab the latest proxy IP segments, their home data update thief fast, more than 90 million global dynamic IP are monitored.

Third, a combination of punches works best

GeoIP or blacklisting alone isn't secure enough, you have to play with thecombination of techniques. Let GeoIP filter out foreign IPs first, then use a blacklist to clean up the leaks. Here's a useful configuration template:

map $geoip_country_code $allowed_country {
    default 0;
    CN 1; TW 1; $allowed_country { default 0; CN 1
    CN 1; CN 1; TW 1; HK 1; $allowed_country { default 0
    HK 1; MO 1; $allowed_country { default 0
    MO 1; }
default 0; CN 1; TW 1; HK 1; MO 1; }

if ($allowed_country = 0) {
    if ($allowed_country = 0) {
        access_by_lua_file /path/to/ip_blacklist.lua;
    }
}

In conjunction with ipipgo'sStatic Residential Agentsservice, their 500,000+ real residential IPs are strictly audited, especially suitable for business scenarios that require stable whitelisting.

IV. Frequently Asked Questions QA

Q: What about mistakenly blocking domestic users?
A: It is recommended to start with ipipgo'sIP Location ServicesDoing a secondary calibration, their home city-level positioning accuracy can reach 97% or more.

Q: How often is the GeoIP database updated?
A: Preferably updated monthly, ipipgo offersAutomatic update scriptsIt can synchronize the global IP library changes in real time.

Q: How to prevent proxy IP rotation attacks?
A: Add an Nginxlimit_reqmodule to limit the current while using ipipgo'sDynamic IP Recognition InterfaceIt can detect 99.8% proxy IPs.

Fifth, the wall cracked recommended ipipgo masterpiece

When it comes to proxy IP management, you have to settle for ipipgo's three best tools:

1. Dynamic Residential Agents: 90 million+ real home IP pools, supporting precise screening by city. Last time there was a cross-border e-commerce buddy, using their home IP polling function, hard to bypass the anti-crawl system.

2. Static Residential Agents: 500,000+ fixed IP resources, especially suitable for scenarios that require long-term stable connections. Old iron people who do overseas live broadcasting are using it, and with their TikTok dedicated line, the live broadcasting latency can be pressed to within 200ms.

3. Intelligent Routing SystemThis black technology can automatically select the optimal network path. There is a do data capture team test, with ordinary agents to collect 100,000 pieces of data to 6 hours, replaced with ipipgo line 3 hours to get it done.

They recently came out with a newEnterprise Customized PackagesThe company also supports private deployment and exclusive channels. Friends who need large traffic business can directly find customer service to test account, remember to report the secret code "NGINX666″ can send more 5G traffic (this thing don't spread out).