the country blocking is working, but it’s also locking me out of my local 10.x.x.0/24 subnet. i added the geo/monkey and if/monkey lines but it’s still not working.
any ideas?
here is my sites-enabled/default
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
US yes;
}
geo $remote_addr $monkey {
default no;
10.x.x.0/24 yes;
127.0.0.1 yes;
}
server {
server_name x.duckdns.org;
listen 80;
listen [::]:80 ipv6only=on;
return 301 https://$server_name$request_uri;
}
server {
listen [::]:443 default_server ipv6only=off;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
server_name x.duckdns.org;
ssl_certificate /etc/letsencrypt/live/x.duckdns.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/x.duckdns.org/privkey.pem; # managed by Certbot
proxy_buffering off;
if ($monkey = yes) {
set $allowed_country yes;
}
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
if ($allowed_country = no) {
return 444;
}
location / {
proxy_pass http://127.0.0.1:8123;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_redirect http:// https://;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}