Develop Reference

How to block visitors from particular country with nginx and GeoIP Module

I want to block a particular country's visitors to access my website www.mainwebsite.com through Nginx and GeoIP Module.
First I tried on www.test.com. What steps I followed on test website,www.test.com, before trying on www.mainwebsite.com
Installing GeoIP:
sudo apt update && sudo apt-get install geoip-database
Check GeoIP Module is installed or not:
nginx -V 2>&1|grep --color=always with-http_geoip_module
Download the GeoIP Database:
sudo mkdir /etc/nginx/GeoIP/
Placed GeoIP.dat file to /etc/nginx/GeoIP/ location.
Configure Nginx and Virtual Host.
sudo vi /etc/nginx/nginx.conf
http{
##
# Basic Settings
##
geoip_country /etc/nginx/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
IN no;
}
}
Save and exit.
sudo vi /etc/nginx/site-available/test.com
Added the map line in starting outside of server{......}
map $geoip_country_code $allowed_country {
default yes;
IN no;
}
After that, inside server{......} setting, add the IF condition.
if ($allowed_country = no) {
return 403;
}
Save and exit.
Reload and restart nginx
sudo service nginx reload
sudo service nginx restart
So www.test.com is directly hosted on Ec2 instance test-server-01 with public Network/IP, Blocking worked and users were not able to access from blocked country.
www.mainwebsite.com is hosted to classic load balancer and ec2 instances are attached to classic load balancer.
For testing, I created 2 replica server of test-server-01 server and created new load balancer and attached both replica servers behind the load balancer and pointed www.test.com to new load balancer. But Geo Country blocking didn't work so I added 2 below lines above IF condition which (If condition) is mentioned in point 5, then blocking worked.
real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;
Now I followed the same steps 1 to 6 for www.mainwebsite.com and made the changes in nginx.conf & /etc/nginx/site-available/mainwebsite.com but country blocking didn't work.
I have a doubt here that, for www.test.com, the contents of /etc/nginx/site-available/test.com and linked file /etc/nginx/site-enabled/test.com are same.
But for www.mainwebsite.com, the content of files /etc/nginx/site-available/mainwebsite.com and /etc/nginx/site-enabled/mainwebsite.com are not same.
/etc/nginx/site-enabled/mainwebsite.com has some extra contents like:
Outside of server{} block-
# Expires map
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
application/font-woff max;
}
and inside the server{} block.
server_name www.mainwebsite.com;
rewrite ^/blog/blogs$ https://www.mainwebsite.com/blogs permanent;
rewrite ^/companies https://www.mainwebsite.com.com/company permanent;
rewrite ^/events-2/* https://www.mainwebsite.com/events permanent;
Is this actual reason that's why country blocking is not working? Or there can be other reasons? Please help me out.

'init_by_lua_block' directive not getting executed on nginx start

I wanted one of my lua script to get executed whenever nginx server starts or is reloaded. I tried using init_by_lua_block and init_by_lua_file directive but i dont see any log traces for the lua script in init_by_lua_block when i run the nginx docker. My http block looks like below. nginx.config is located in container path/etc/nginx/nginx.conf .
http {
sendfile on;
init_by_lua_block /etc/nginx/lua/init.lua;
include /etc/nginx/conf.d/proxy-config.conf;
}
Can anyone please tell me what I am missing here?

init_by_lua_block
syntax: init_by_lua_block { lua-script }
https://github.com/openresty/lua-nginx-module#init_by_lua_block
init_by_lua_block expects inlined Lua code, not a path to the Lua file.
Use dofile to execute Lua script:
init_by_lua_block {
dofile('/etc/nginx/lua/init.lua')
}
https://www.lua.org/manual/5.1/manual.html#pdf-dofile
or use init_by_lua_file:
init_by_lua_file /etc/nginx/lua/init.lua;
UPD:
You should use the NOTICE logging level (or higher) in init_by_lua_* directives because your error_log configuration is not yet applied in this phase:
Under the hood, the init_by_lua runs in the nginx configuration loading phase, so your error_log configuration in nginx.conf does not take effect until the whole configuration is loaded successfully (due to the bootstrapping requirements: the configuration loading MAY fail). And nginx initially uses a logger with the NOTICE filtering level upon startup which is effect in the whole first configuration loading process (but not subsequent configuration (re)loading triggered by the HUP signal).
https://github.com/openresty/lua-nginx-module/issues/467#issuecomment-82647228
So, use ngx.log(ngx.NOTICE, ...) (or ngx.WARN, ngx.ERR, etc. — see https://github.com/openresty/lua-nginx-module#nginx-log-level-constants) to see the output in the log.
Alternatively you can use print. It's equivalent to ngx.log(ngx.NOTICE, ...) under the hood: https://github.com/openresty/lua-nginx-module#print

Symfony 4 debug production environments

how to debug Symfony 4 project on production environment? I mean in a way that only I from particular IP can do it. In Symfony 2/3 I have app_dev.php controller. How to do this with Symfony 4 and Apache?
If I change in .env or via VirtualHost APP_ENV to dev then all app users will see debug toolbar, exception logs etc.

You can copy/paste index.php for dev.php and change :
//$env = $_SERVER['APP_ENV'] ?? 'dev';
$env = 'dev';
http://yourwebsite.com/dev.php/
You can restrict for you IP or delete after your actions.

Symfony environment configured by system environment variables. So just add in apache app config (.htaccess by default) something like
SetEnvIf Remote_Addr "127.0.0.1" APP_ENV=dev APP_DEBUG=1
(needs https://httpd.apache.org/docs/trunk/mod/mod_setenvif.html)

I don't recommend using the profiler in a production environment although with Apache you could "emulate" Symfony 2 - 3 behaviour if you configure like this:
<VirtualHost *:80>
...
DocumentRoot "/yourRootDirectory"
<Directory "/yourRootDirectory/">
DirectoryIndex index.php
Require all granted
</Directory>
...
SetEnvIf Request_URI ^/app_dev.php APP_ENV=dev
Alias /app_dev.php "/yourRootDirectory/"
<Location "/app_dev.php">
Require local
</Location>
...
</VirtualHost>
Requesting http://localhost/app_dev.php from localhost machine you get your app in Symfony 4, 5 in dev mode with profiler like in Symfony 2, 3.
Special attention to Require local for your alias, also you could to use Require ip 192.168.1.1 127.0.0.1 or the IPs you want (see Apache docs). But be careful to expose the dev environment to an ip or computer that is not under your control.

This is a little bit of a broad question.
The best way is to use a logging tool like monolog, default output directory is project/var/log/env.log.
As why you are seeing all app users will see debug toolbar, exception logs etc. has to do with your environment settings.
Symfony 4 environment settings work as follows, load config/packages/(env)/package.yaml then load default/production configurations config/packages/package.yaml(if exists).
When you set your env dev you are loading config/packages/dev/web_profiler.yaml and in production, there is no definition for that plugin which defaults to not showing up.
Here is more information about environment setup in symfony 4 .https://symfony.com/doc/current/configuration/environments.html

Cannot properly configure ddns -> Apache -> local website

Good morning and thanks to all,
I need help with something which has been bothering me for more than one day of trying: I cannot visit my local website
(the website I am developing on localhost in my laptop) from an external ip.
I get "Error 500 - Connection refused" from any browser.
I have a XUbuntu 16.04 laptop and a wordpress website running fine from localhost, a class LAMP install.
I also have a dlink router with a free dlinkddns domain, which works fine: I tested portforwarding from my router to my NAS (which has a local static ip 192.168.1.8) through port 80 and I can properly access my NAS firmware webpage by using my ddns domain.
Now I gave my laptop a static local ip address (192.168.1.6), and I changed port 80 forwarding to the static ip address of my laptop (192.168.1.6). My purpose is to access my local wordpress website by using my ddns domain.
So far, so good, I have an Apache web server (Apache/2.4.18) running, which seems to be listening to port 80 locally and externally:
"dpg#dpg-laptop:~$ sudo netstat -tnlp | grep :80
[sudo] password di dpg:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5298/apache2"
These are Apache2 config files:
Apache.conf:
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These shouGood morning and thanks to all,
I need help with something which has been bothering me for more than one day of trying: I cannot visit my local website
(the website I am developing on localhost in my laptop) from an external ip.
I get "Error 500 - Connection refused" from any browser.
I have a XUbuntu 16.04 laptop and a wordpress website running fine from localhost, a class LAMP install.
I also have a dlink router with a free dlinkddns domain, which works fine: I tested portforwarding from my router to my NAS (which has a local static ip 192.168.1.8) through port 80 and I can properly access my NAS firmware webpage by using my ddns domain.
Now I gave my laptop a static local ip address (192.168.1.6), and I changed port 80 forwarding to the static ip address of my laptop (192.168.1.6). My purpose is to access my local wordpress website by using my ddns domain.
So far, so good, I have an Apache web server (Apache/2.4.18) running, which seems to be listening to port 80 locally and externally:
"dpg#dpg-laptop:~$ sudo netstat -tnlp | grep :80
[sudo] password di dpg:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5298/apache2"
These are Apache2 config files:
Apache.conf:
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# rld be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Ports.conf:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 0.0.0.0:80
<IfModule ssl_module>
Listen 0.0.0.0:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 0.0.0.0:443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
000-default.conf:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
My ufw firewall is off:
"dpg#dpg-laptop:~$ sudo ufw status
Stato: inattivo"
and iptables are:
"dpg#dpg-laptop:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere"
I have never done this before, so I may have done something wrong, but I really have no clue... I have spent almost one day testing everything. Only thing I am convinced is that the problem does not seem to be on the router, since port 80 seems open on my laptop from any port checker test online.
Best regards and thanks for the help,
Giorgio Dalla Pozza

Nginx holding page without rewriting images

I am trying to set up a holding page for a WordPress site on Nginx. The holding page already existed but the site used to be on an Apache server before we moved it over.
I can get it to redirect to the holding page if maintenance mode is enabled, but the holding.png image does not display. Here is my Nginx code:
server {
# Set to on to enable holding page
set $maintenance off;
if ($maintenance = on) {
rewrite ^(.*)$ /holding.html break;
}
}
The holding image is located in the root of the project, just like the holding page HTML file.

First of all, I would make Nginx send a 503 (Service Unavailable) HTTP response code while in maintenance mode. This prevents search engines from indexing your maintenance page while being offline.
Second, I would put all of the static assets for the maintenance page in a separate directory (e.g. maintenance_files) so that they are nicely coupled together and can be easily excluded from the rewrite.
Also, I would want to have a way to exclude some people so that they are able to do their maintenance tasks. This can be done by IP or by checking for a cookie. You could then set/unset the cookie using a piece of javascript that you paste into your browser inspector.
server {
error_page 503 #maintenance;
# Set to 1 to enable holding page
set $maintenance 0;
# Always allow access for clients that have the 'maintainer' cookie set
if ($http_cookie ~* "maintainer") {
set $maintenance 0;
}
location / {
if ($maintenance) {
return 503;
}
}
location #maintenance {
# You might want to use a different document root for the maintenance
# files so you can freely move and shuffle in the default document root
# during maintenance.
#root /var/www/maintenance/;
if ($uri !~ ^/maintenance_files/) {
rewrite ^(.*)$ /holding.html break;
}
}
}
In order to get maintenance access, paste this in your browser inspector:
document.cookie="maintainer=1";
To remove that cookie:
document.cookie = "maintainer=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
Alternatively, instead of having a variable $maintenance that you set to 1, you could check for a file being present on disk. This way you wouldn't have to reload your Nginx configuration in order to put your site in maintenance mode. However, you would add an addition disk lookup on each request which might be a reason to choose for your option. In that case, run the following command after changing the $maintenance value:
sudo service nginx force-reload