Geo-blocking with SWAG

SWAG can support MaxMind databases which are used to provide IP Geolocation and Online Fraud Prevention. It was initially tougher to setup but since end of 2021, it's now integrated through Linuxserver mods system. Let's dig into it!

Geo-blocking with SWAG

We talked about SWAG, SWAG Dashboard and more recently how to integrate CrowdSec into SWAG, let's talk about how to do some Geo-blocking with SWAG.

Setup SWAG to safely expose your self-hosted applications to the internet
SWAG is a rebirth of letsencrypt docker image, a full fledged web server and reverse proxy that includes Nginx, Php7, Certbot (Let’s Encrypt client) and Fail2ban.

SWAG can support MaxMind databases which are used to provide IP Geolocation and Online Fraud Prevention. It was initially tougher to setup but since end of 2021, it's now integrated through Linuxserver mods system, so let me guide you into it!

Setup the mod

  1. First of all, you need to create an account on MaxMind to get a free license key, mandatory to get access to their databases. Sign up to their GeoLite2 service, it's pretty straightforward
  2. When you have the key, modify your SWAG docker-compose.yml file to add the MaxMind mod through an environment variable like this: DOCKER_MODS=linuxserver/mods:swag-maxmind
    If you already have mods, ensure they are separated by |, such as DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-maxmind
  3. Add another environment variable MAXMINDDB_LICENSE_KEY=<license-key> and include your license key into it
  4. Restart your container with docker compose up -d to apply the changes
  5. Configure nginx to load the maxmind configuration file by adding the line below in the http section of /config/nginx/nginx.conf.
include /config/nginx/maxmind.conf;
Line to add into /config/nginx/nginx.conf http section

The setup is now ready!

Manage whitelist and blocklist

You can manage your whitelist and blocklist per country by editing /config/nginx/maxmind.conf with your favorite text editor, you have to enter the ISO code of the country followed by yes or no .

map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    UK yes;
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes;
    US no;
}
/config/nginx/maxmind.conf

Apply to your definitions

To use your whitelist and blocklist, you need to include these few lines (line 9-10) in your SWAG definitions.

 server {
     listen 443 ssl;
     listen [::]:443 ssl;

     server_name some-app.*;
     include /config/nginx/ssl.conf;
     client_max_body_size 0;

     if ($lan-ip = yes) { set $geo-whitelist yes; }
     if ($geo-whitelist = no) { return 404; }

     location / {

And that's it 🚀! Restart the container to apply your configuration changes and any traffic coming for one of these countries is going to be automatically blocked!

PS: If you are using services like Cloudflare in front of your websites, it might not work as expected as your websites will be accessed by Cloudflare's IP addresses.

Looking for help?
If you are looking for some help or want a quick chat, please head over to the Discord Community!