前几天，我有一个徒弟问我，如何禁止海外ip访问他的网站系统？操作系统采用的是centos7.9，发布服务采用的是openresty。通过日志他发现，有很多类似以下数据

{"host":"172.30.7.95","clientip":"122.189.224.120","size":1818,"responsetime":2025-05-27T14:28:53,"http_host":"www.pingan.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"199.204.97.58","size":154,"responsetime":2025-05-27T14:29:01,"http_host":"_","url":"-","agent":"-","country_code":"US","country_name":"United States","city_name":"-","status":"400"}
{"host":"172.30.7.95","clientip":"122.189.224.28","size":1818,"responsetime":2025-05-27T14:29:16,"http_host":"lsw-fast.lenovo.com.cn","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"204.76.203.219","size":1818,"responsetime":2025-05-27T14:29:22,"http_host":"116.62.152.21","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46","country_code":"NL","country_name":"The Netherlands","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"43.133.253.253","size":1818,"responsetime":2025-05-27T14:28:48,"http_host":"www.anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1","country_code":"KR","country_name":"South Korea","city_name":"-","status":"401"}
{"host":"172.30.7.95","clientip":"42.83.147.54","size":587,"responsetime":2025-05-27T14:33:12,"http_host":"anxundata.com","url":"/index.html","agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/74.0.3729.169 Safari/537.36","country_code":"CN","country_name":"China","city_name":"-","status":"200"}
{"host":"172.30.7.95","clientip":"45.82.255.188","size":1818,"responsetime":2025-05-27T14:36:35,"http_host":"anxundata.com","url":"/401.html","agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36","country_code":"CY","country_name":"Cyprus","city_name":"-","status":"401"}

        我看过数据之后，直接给出答案使用geoip2模块与GeoLite2的ip库匹配禁止访问就行。下面就是geoip2模块与GeoLite2的ip库安装步骤(以下步骤是基于openresty已经安装成功的操作手法)。

一、增加依赖

yum install -y geoip-devel libmaxminddb-devel

二、geoip2模块安装

wget https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/3.4.tar.gz #下载geoip2模块
tar -zxf ngx_http_geoip2_module-3.4.tar.gz #解压文件包
mv ngx_http_geoip2_module-3.4/ /usr/local/src/ngx_http_geoip2_module #将文件拷贝到指定目录

三、下载及安装GeoLite2的ip库

tar -zxf GeoLite2-Country_20250523.tar.gz #将文件解压
cd GeoLite2-Country_20250523/ #进入文件
mv GeoLite2-Country.mmdb /usr/share/GeoIP/ #将IP库复制到GeoIP文件夹中

四、重新编译openresty

./configure --prefix=/usr/local/openresty --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre-jit --with-stream --with-http_geoip_module --add-module=/usr/local/src/ngx_http_geoip2_module
gmake && gmake install

五、修改nginx主配置

vi /usr/local/openresty/nginx/conf/nginx.conf
user www;
worker_processes 2;
worker_cpu_affinity auto;
error_log /data/nginx/error.log;
worker_rlimit_nofile 65535;
pid  /data/nginx/nginx.pid;events {worker_connections  10240;use epoll;multi_accept on;
}http {include       mime.types;geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {auto_reload 60m; #每隔60分钟自动重载数据库$geoip2_data_country_code country iso_code; #IP所在-国家的编码$geoip2_data_country_name country names en; #IP所在-国家名$geoip2_data_city_name city names; #IP所在-城市名}default_type  application/octet-stream;map $time_iso8601 $logdate {'~^(?<ymd>\\d{4}-\\d{2}-\\d{2})' $ymd;default                       'date-not-found';}map $time_iso8601 $request_times {'~^(?<ymdhms>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})' $ymdhms;default                       'date-not-found';}map $geoip2_data_country_code $allowed_country {default no; #默认禁止所有访问CN yes; #只针对中国开放访问权限}log_format access-upstream '{"host":"$server_addr",''"clientip":"$remote_addr",''"size":$body_bytes_sent,''"responsetime":$request_times,''"http_host":"$host",''"url":"$uri",''"agent":"$http_user_agent",''"country_code":"$geoip2_data_country_code",''"country_name":"$geoip2_data_country_name",''"city_name":"$geoip2_data_city_name",''"status":"$status"}';sendfile on;tcp_nopush on;tcp_nodelay on;server_names_hash_bucket_size 128;server_names_hash_max_size 512;keepalive_timeout  1000s;client_header_timeout 15s;client_body_timeout 15s;send_timeout 1000s;proxy_cache_path /data/nginx levels=1:2 keys_zone=nginx-cache:20m max_size=50g inactive=168h;client_body_buffer_size 512k;client_header_buffer_size 256k;client_max_body_size 1024m;large_client_header_buffers 2 8k;proxy_connect_timeout 1000s;proxy_send_timeout 1000s;proxy_read_timeout 1000s;proxy_buffer_size 128k;proxy_buffers 8 256k;proxy_busy_buffers_size 256k;proxy_temp_file_write_size 256k;proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;fastcgi_intercept_errors on;fastcgi_ignore_client_abort on;fastcgi_connect_timeout 1000s;fastcgi_send_timeout 1000s;fastcgi_read_timeout 1000s;fastcgi_buffer_size 128k;fastcgi_buffers 8 256k;fastcgi_busy_buffers_size 256k;fastcgi_temp_file_write_size 256k;gzip on;gzip_min_length 1k;gzip_buffers 4 32k;gzip_http_version 1.1;gzip_comp_level 6;gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;gzip_vary on;gzip_disable "MSIE [1-6].";include vhost/*.conf;
}

六、修改具体域名配置

location / {if ($allowed_country = no) {return 401;}index /data/wwwroot/index.html;
}

下一期将带来openresty+lua+redis把非正常访问的域名加入黑名单