Home Linux Server Installing and Using Maxmind GeoIP

Installing and Using Maxmind GeoIP
Written by Kwok Yao Chim   
Monday, 03 March 2008 03:01
Use Maxmind GeoIP for restricting access to websites or parts of websites as well as using it with Awstats to geo-locate your visitors.


Another application that will prove very useful and its simple to install and use.
Maxmind GeoIP is one of many organisations to provide IP-to-geo-location services you can visit their website for more details at http://www.maxmind.com/app/ip-location

Once again the CentOS community have kindly provided a YUM installable RPM package.
Run this simple command to see if GeoIP packages are available:

$ yum list GeoIP*

Available Packages
GeoIP.i386                               1.4.4-1.el5.centos     extras
GeoIP-data.i386                          20080301-1.el5.centos  extras
GeoIP-devel.i386                         1.4.4-1.el5.centos     extras
 
As you can see the packages are from the "extras" repository, so make sure you have enabled it in the "/etc/yum.repos.d/CentOS-Base.repo" or add the yum option "--enablerepo=extras" in the command. Once you confirm these packages are available you run thsi command:

$ yum install GeoIP*

Note: it is vital to install GeoIP-devel in order to be able to install mod_GeoIP which will allow Apache webserver to use GeoIP application.

Download the Apache API "mod_geoip" from Maxmind, extract and prepare for installation:
$ cd /tmp
$ wget http://www.maxmind.com/download/geoip/api/mod_geoip2/mod_geoip2_1.2.3.tar.gz
$ tar -xvzf mod_geoip2_1.2.3.tar.gz
$ cd mod_geoip2_1.2.3
$ apxs -i -a -L/usr/lib -I/usr/include -lGeoIP -c mod_geoip.c
 

Heres what the options mean:
-I/usr/local/include - is where the GeoIP.h header file is installed (for yum installation of GeoIP on CentOS this is usually /usr/include)
-L/usr/local/lib - is where the libGeoIP library is located (for yum installation of GeoIP on CentOS this is usually /usr/lib)

You can check if the mod_geoip.so file is installed by looking into the /usr/lib/httpd/modules/ directory.

Now we need to configure httpd.conf file, you will notice that the in the httpd.conf file a line is inserted in the LoadModule section:
LoadModule geoip_module       /usr/lib/httpd/modules/mod_geoip.so
 

Now turn on the GeoIP module by adding these lines
<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPDBFile /var/lib/GeoIP/GeoIP.dat
</IfModule>
 

Now we can use the GeoIP.

I first used my GeoIP app to restrict access to directories within my website against certain countries, for example admin directories.
As I am using Joomla which attracts many script hackers, I will want to deny access to the admin section.
To do this, some extra configuration needs to be added to the virtual host section, but it has to be within a "directory" directive...

<Directory "/var/www/example/html/administrator">
  Order deny,allow
  deny from all
  SetEnvIf GEOIP_COUNTRY_CODE US TargetLocation
  SetEnvIf GEOIP_COUNTRY_CODE GB TargetLocation
  Allow from env=TargetLocation
</Directory>
 
The directive above will first deny requests to the directory "/var/www/example/html/administrator" before it allows any access.
But at the end of the day it will deny from all hosts/clients.
However if we SetEnvIf (Set Environment Variables) GEOIP_COUNTRY_CODE to US/GB into AllowLocation.
Then Allow from env listed in AllowLocation
Now it will only allow access to US (United States) and GB (Great Britain) to the administrator directory. If you want to find certain country codes go and download the GeoIP data in CSV format and you will find the countries listed along with the code.

The exact opposite can be done, so you can allow all countries but deny certain locations, just change deny from all to allow from all and also Allow from env to Deny from env.

Maxmind also provide a free version of GeoIP City called GeoLiteCity which has both country and city GeoIP data, so you can get a more accurate locality of the visitor. The GeoLiteCity data binary files can be download at http://www.maxmind.com/app/geolitecity this needs to be extracted and placed in the "/var/lib/GeoIP/" directory.

Changes to the Apache Conf will be needed so that the GeoLiteCity.dat can be used.
<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPDBFile /var/lib/GeoIP/GeoLiteCity.dat
</IfModule>
 

Changes will also need to made to the directory directive in the virtual host, like so...
<Directory "/var/www/example/html/administrator">
  Order deny,allow
  deny from all
  SetEnvIf GEOIP_CITY Chicago TargetLocation
  SetEnvIf GEOIP_CITY Liverpool TargetLocation
  Allow from env=TargetLocation
</Directory>
 
Notice the change from GEOIP_COUNTRY_CODE to GEOIP_CITY.

There are also other GeoIP variables that are available:

GEOIP_COUNTRY_CODE
GEOIP_COUNTRY_CODE3
GEOIP_COUNTRY_NAME
GEOIP_CITY_NAME
GEOIP_CITY_POSTAL_CODE
GEOIP_CITY_LATITUDE
GEOIP_CITY_LONG_LATITUDE
GEOIP_CITY_DMA_CODE
GEOIP_CITY_AREA_CODE

Country Code, City Name, Latitude and Long Latitude can be used with the free editions of GeoIP Country and City.

GeoIP is not limited to the method I have listed above, it can be used in conjunction with AWSTATS and there is a PHP API and more ust visit http://www.maxmind.com/app/api .

UPDATE - 06 Sep 2009:
I have found out the GeoIP requires more configuration if being used behind a proxy server such as Pound.
Since proxying does not pass on the client IP address, but it does include the client IP within the HTTP headers.
With mod_geoip version 1.2.0 and later, there is a directive that can be used to allow mod_geoip to look at the HTTP headers and handle X-Forwarded-For header. This configuration direct is:
GeoIPScanProxyHeaders ON