add nginx geoip2 setup

GeoIP2 is very useful for blocking spam attacks on the forum particularly via the ASN database.
GrapheneOS · Dec 21, 2023 · e3ef32f · e3ef32f
1 parent 90aa292
commit e3ef32f
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+/GeoIP.conf
 /backup-key.txt
 /backup-public-key.txt
 /backup/

diff --git a/deploy b/deploy
@@ -20,5 +20,6 @@ rsync -ptcv --chmod=D755,F644 --fsync --preallocate my.cnf.d/server.cnf $remote:
 rsync -rptcv --chmod=D755,F644 --fsync --preallocate php/{php.ini,php-fpm.d} $remote:/etc/php/
 rsync -rptcv --chmod=D755,F644 --fsync --preallocate php-legacy/{php.ini,php-fpm.d} $remote:/etc/php-legacy/
 rsync -ptcv --chmod=755 --fsync --preallocate {flarum-asset-compress,flarum-deploy,remote-backup,stopforumspam-update} $remote:/usr/local/bin/
+rsync -pctv --chown root:geoipupdate --chmod=F640 --fsync --preallocate GeoIP.conf $remote:/etc/GeoIP.conf
 rsync -prctv --chmod=D755,F644 --fsync --preallocate systemd/system/ $remote:/etc/systemd/system
 ssh $remote nginx -s reload
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -2,6 +2,7 @@
 
 load_module modules/ngx_http_brotli_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
+load_module modules/ngx_http_geoip2_module.so;
 
 error_log syslog:server=unix:/dev/log,nohostname;
 # leave stderr open but minimize duplicate logging to it
@@ -147,6 +148,11 @@ http {
         include blocked.conf;
     }
 
+    geoip2 /var/lib/GeoIP/GeoLite2-ASN.mmdb {
+        auto_reload 30m;
+        $geoip2_data_autonomous_system_number autonomous_system_number;
+    }
+
     upstream backend {
         zone backend 32k;
         server unix:/run/php-fpm/php-fpm.sock max_conns=1024 max_fails=0;

diff --git a/systemd/system/geoipupdate.service.d/local.conf b/systemd/system/geoipupdate.service.d/local.conf
@@ -0,0 +1,7 @@
+[Service]
+CPUSchedulingPolicy=batch
+IOSchedulingPriority=7
+Nice=19
+PrivateIPC=true
+ProcSubset=pid
+User=geoipupdate
diff --git a/systemd/system/geoipupdate.timer.d/daily.conf b/systemd/system/geoipupdate.timer.d/daily.conf
@@ -0,0 +1,6 @@
+[Unit]
+Description=Daily update of GeoIP2 and GeoIP Legacy databases
+
+[Timer]
+OnCalendar=
+OnCalendar=daily