Nextcloud more secure using geoip (NGINX)



Many users asked for the NGINX geoip configuration I made earlier. Although geoip blocking can be bypassed, e.g. via VPN or Tor, I decided to post a new guide. Following this guide you will be able to make your Nextcloud server more secure by using geoip in only a few steps.


First ensure having the NGINX repository enabled in the apt sources:

sudo -s
vi /etc/apt/sources.list

and search for an entry like “deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx”. If it is not enabled yet, enable it by

sed -i '$adeb http://nginx.org/packages/mainline/ubuntu/ xenial nginx' /etc/apt/sources.list
wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key

and mark NGINX as ‘unhold’ so that it receives further updates

apt-mark unhold nginx

Update your server and install the necessary module for NGINX by issuing

apt update && apt upgrade -y && apt install nginx-module-geoip -y

The module will be downloaded to your server and has to be loaded into NGINX later. Create a new folder to store the geoip data in

mkdir /etc/nginx/geoip

Change into that directory and issue

cd /etc/nginx/geoip
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz

Now all geoip data is stored as needed. Amend the NGINX fastcgi_params

vi /etc/nginx/fastcgi_params

and add

fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;

In addition, amend proxy.conf as well

vi /etc/nginx/proxy.conf

and add

proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;

Finally we will modify nginx.conf and the vhost so that they take part in the geoip filtering
(vhost: gateway.conf or nextcloud.conf, depending on whether NGINX acts as a reverse proxy or as the default webserver):

vi /etc/nginx/nginx.conf

Add the geoip-related lines (loading the modules, the database paths and the map). As an example we set “default no” and “DE yes”, which means nobody may connect to our Nextcloud except Germans, who are explicitly allowed.

user www-data;
worker_processes auto;
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_stream_geoip_module.so;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
http {
    geoip_country /etc/nginx/geoip/GeoIP.dat;
    geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
    map $geoip_country_code $allowed_country {
        default no;
        DE yes;
    }
    ...
}
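As an added example (not part of the original guide), the following nginx.conf fragment extends the map above: it allows several countries, keeps LAN clients reachable (private addresses never resolve to a country, so “default no” alone would lock them out), and logs the decision so blocked requests can be reviewed. The additional country codes, the LAN range 192.168.178.0/24 and the upstream proxy address are assumptions.

```nginx
http {
    geoip_country /etc/nginx/geoip/GeoIP.dat;

    # Behind another proxy NGINX only sees that proxy's address; uncomment and
    # name the proxy so the lookup uses the client address from X-Forwarded-For.
    # geoip_proxy 10.0.0.1;        # assumed address of the upstream proxy
    # geoip_proxy_recursive on;

    # Allow-list by ISO 3166-1 alpha-2 code; anything unknown falls to "no".
    map $geoip_country_code $country_ok {
        default no;
        DE      yes;
        AT      yes;   # assumed additional countries
        CH      yes;
    }

    # Private addresses never resolve to a country and would be blocked by the
    # map above, so mark the local network (assumed 192.168.178.0/24) separately.
    geo $lan_client {
        default          0;
        127.0.0.1        1;
        192.168.178.0/24 1;
    }

    # Final decision: block only when the country is not listed AND the client
    # is not on the LAN. $allowed_country is the variable the vhosts test.
    map "$country_ok:$lan_client" $allowed_country {
        default yes;
        "no:0"  no;
    }

    # Record country and decision per request for later review of 403s.
    log_format geoip '$remote_addr [$geoip_country_code] allowed=$allowed_country '
                     '"$request" $status';
    access_log /var/log/nginx/geoip.log geoip;
    ...
}
```

The vhost snippets below stay unchanged, since they only test $allowed_country.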

Now modify the vhost file

  • EITHER for NGINX acting as a reverse proxy webserver:

vi /etc/nginx/conf.d/gateway.conf

server {
    listen 80 default_server;
    server_name your.dedyn.io;
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2 default_server;
    server_name your.dedyn.io;
    include /etc/nginx/ssl.conf;
    include /etc/nginx/header.conf;
    if ($allowed_country = no) {
        return 403; # or: return 301 https://www.google.com;
    }
    ...

  • OR for NGINX acting as a default, non-reverse proxy webserver:

vi /etc/nginx/conf.d/nextcloud.conf

server {
    server_name your.dedyn.io;
    listen 80 default_server;
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name your.dedyn.io;
    listen 443 ssl http2 default_server;
    root /var/www/nextcloud/;
    if ($allowed_country = no) {
        return 403; # or: return 301 https://www.google.com;
    }
    ...

Verify your NGINX configuration

nginx -t

and if no errors appear restart your webserver by

service php7.2-fpm restart && service nginx restart

Your webserver will now respond with error code 403 or a redirect to all client requests coming from outside Germany or the countries you defined.



Carsten Rieger