Geo-blocking with SWAG

We have talked about SWAG, the SWAG Dashboard and, more recently, how to integrate CrowdSec into SWAG. Now let's talk about how to do some geo-blocking with SWAG.

Setup SWAG to safely expose your self-hosted applications to the internet
SWAG is a rebirth of the letsencrypt docker image, a full-fledged web server and reverse proxy that includes Nginx, PHP 7, Certbot (Let's Encrypt client) and Fail2ban.

SWAG can support MaxMind databases, which are used to provide IP Geolocation and Online Fraud Prevention. It was initially tougher to set up, but since the end of 2021 it has been integrated through the LinuxServer mods system, so let me guide you through it!

Setup the mod

  1. First of all, create an account on MaxMind to get a free license key, which is mandatory to access their databases. Sign up for their GeoLite2 service; it's pretty straightforward.
  2. When you have the key, modify your SWAG docker-compose.yml file to add the MaxMind mod through an environment variable like this: DOCKER_MODS=linuxserver/mods:swag-maxmind
    If you already have mods, ensure they are separated by |, such as DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-maxmind
  3. Add another environment variable, MAXMINDDB_LICENSE_KEY=<license-key>, with your license key as its value.
  4. Restart your container with docker compose up -d to apply the changes.
  5. Configure nginx to load the MaxMind configuration file by adding the line below to the http section of /config/nginx/nginx.conf:

    include /config/nginx/maxmind.conf;

The setup is now ready!

Manage whitelist and blocklist

You can manage your whitelist and blocklist per country by editing /config/nginx/maxmind.conf with your favorite text editor. Each entry is the ISO code of the country followed by yes or no: yes lets the country through, no blocks it, and the default line decides what happens to every country you do not list.

The file includes an example for blocking high-risk countries from GilbN's list, based on the Spamhaus statistics and Akamai's State of the Internet report.

map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    GB yes; #United Kingdom (its ISO 3166-1 code is GB, not UK)
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes; #If your country is listed below, remove it from the list
    CN no; #China
    RU no; #Russia
    HK no; #Hong Kong
    IN no; #India
    IR no; #Iran
    VN no; #Vietnam
    TR no; #Turkey
    EG no; #Egypt
    MX no; #Mexico
    JP no; #Japan
    KR no; #South Korea
    KP no; #North Korea
    PE no; #Peru
    BR no; #Brazil
    UA no; #Ukraine
    ID no; #Indonesia
    TH no; #Thailand
}
/config/nginx/maxmind.conf

Apply to your definitions

To use your whitelist or blocklist, include the two if lines (lines 9-10 of the snippet below) in your SWAG definitions.

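 server {
     listen 443 ssl;
     listen [::]:443 ssl;

     server_name some-app.*;
     include /config/nginx/ssl.conf;
     client_max_body_size 0;

     if ($lan-ip = yes) { set $geo-whitelist yes; }  # LAN clients are always allowed
     if ($geo-whitelist = no) { return 404; }        # everyone else needs a yes from the map

     location / {
         # ... rest of your existing definition, unchanged
     }
 }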

And that's it 🚀! Restart the container to apply your configuration changes, and any traffic coming from a country that your map sets to no is going to be automatically blocked with a 404!
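To check a policy before restarting the container, the maps and the two if lines can be modelled offline. The following Python is an added example, not part of SWAG or the MaxMind mod: parse_maps, status_for and SAMPLE_CONF are hypothetical names and the sample configuration is constructed. It assumes that an address with no country in the database yields an empty code, and that the same two if lines are used with $geo-blacklist.

```python
import re

# Constructed sample in the format of /config/nginx/maxmind.conf (not a real deployment).
SAMPLE_CONF = """
map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    GB yes; #United Kingdom
}
map $geoip2_data_country_iso_code $geo-blacklist {
    default yes;
    CN no; #China
    RU no; #Russia
}
"""

MAP_RE = re.compile(
    r"map\s+\$geoip2_data_country_iso_code\s+\$([\w-]+)\s*\{(.*?)\}", re.S)


def parse_maps(conf):
    """Return {map name: {country code or 'default': 'yes'/'no'}}."""
    maps = {}
    for name, body in MAP_RE.findall(conf):
        table = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop the trailing comment
            if line.endswith(";"):
                key, value = line[:-1].split()
                table[key.lower()] = value  # nginx matches map strings ignoring case
        maps[name] = table
    return maps


def status_for(maps, map_name, country, lan_ip=False):
    """Mirror the two `if` lines: LAN clients pass, a 'no' verdict returns 404.

    `country` is the ISO code the lookup produced; "" models an address with
    no country in the database (assumption), which falls through to `default`.
    """
    table = maps[map_name]
    verdict = "yes" if lan_ip else table.get(country.lower(), table["default"])
    return 200 if verdict == "yes" else 404


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_CONF)
    for code in ("GB", "FR", "CN", ""):
        print(repr(code),
              "whitelist:", status_for(maps, "geo-whitelist", code),
              "blacklist:", status_for(maps, "geo-blacklist", code))
```

Under these assumptions, an address that resolves to no country is blocked by the whitelist (default no) but allowed by the blocklist (default yes). A whitelist key that is not the exact ISO code, such as UK instead of GB, never matches and leaves those visitors on the default.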

PS: If you are using a service like Cloudflare in front of your websites, this might not work as expected: your websites are then accessed from Cloudflare's IP addresses, so the country lookup is done on Cloudflare's address rather than the visitor's.
