Geo Use notes

Source: Internet
Author: User


The geo directive is provided by the ngx_http_geo_module module. By default, nginx is built with this module unless it is explicitly disabled with --without-http_geo_module.


Role:

The module creates variables whose values depend on the client IP address.



How to use:

Syntax: geo [$address] $variable { ... }
Default value: -
Configuration segment: http

The optional $address parameter specifies the variable from which the client IP address is obtained.

1. Default: nginx obtains the client IP address from the $remote_addr variable

    geo $caddr {
        default        0;
        192.168.1.239  1;
        192.168.1.200  2;

        include        conf/cadd.conf;
        delete         127.0.0.0/16;
        proxy          192.168.100.0/24;
        proxy          2001:0db8::/32;
    }

Parameter interpretation:

nginx describes addresses as CIDR blocks or address ranges, and supports the following parameters:

delete: Deletes the specified network.

default: If the client address does not match any of the defined addresses, nginx uses this value. When CIDR notation is used, "0.0.0.0/0" can be written instead of default.

include: Includes a file that defines addresses and values. More than one file can be included.

proxy: Defines a trusted address. If the request comes from a trusted address, nginx takes the address from its "X-Forwarded-For" header. Unlike normal addresses, trusted addresses are checked sequentially.

proxy_recursive: Turns on recursive address lookup. If recursive lookup is off and the client address matches a trusted address, nginx uses the last address in "X-Forwarded-For" instead of the original client address. If recursive lookup is on and the client address matches a trusted address, nginx uses the last address in "X-Forwarded-For" that does not match any trusted address instead of the original client address.

ranges: Defines addresses as address ranges. This parameter must come first. To speed up loading of the address database, addresses should be defined in ascending order.

Here, by default, the content of $remote_addr is matched against the entries in geo {}. If a match succeeds, $caddr is set to the matching value (e.g. when $remote_addr is '192.168.1.239', $caddr is '1'). The variable can then be used in other scopes within the server.
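The proxy and proxy_recursive rules decide which address geo actually looks up, and that matters because "X-Forwarded-For" is supplied by the sender. The Python model below is an added example, not code from the original page or from nginx: it is a simplified sketch of the behavior described above, reusing the page's addresses, with the function names and the sample header values constructed for illustration.

```python
import ipaddress

# Constructed from the page's geo block: values and trusted "proxy" networks.
GEO = {ipaddress.ip_network("192.168.1.239/32"): "1",
       ipaddress.ip_network("192.168.1.200/32"): "2"}
DEFAULT = "0"
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "2001:0db8::/32")]


def is_trusted(addr):
    # Membership is False when the IPv4/IPv6 versions differ.
    return any(addr in net for net in TRUSTED)


def effective_addr(remote_addr, xff=None, recursive=False):
    """Address geo looks up, given the connection address and X-Forwarded-For."""
    addr = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The header is consulted only while the current address is trusted.
    while hops and is_trusted(addr):
        try:
            candidate = ipaddress.ip_address(hops.pop())  # rightmost entry first
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive:
            break  # proxy_recursive off: take one entry and stop
    return addr


def geo_value(remote_addr, xff=None, recursive=False):
    addr = effective_addr(remote_addr, xff, recursive)
    matches = [net for net in GEO if addr in net]
    # Most specific matching network wins; otherwise the default applies.
    return GEO[max(matches, key=lambda n: n.prefixlen)] if matches else DEFAULT


if __name__ == "__main__":
    cases = [  # (connection address, X-Forwarded-For, proxy_recursive), all constructed
        ("192.168.1.50", "192.168.1.239", False),                  # untrusted sender
        ("192.168.100.5", "192.168.1.239", False),                 # one trusted proxy
        ("192.168.100.5", "192.168.1.239, 192.168.100.7", False),  # two proxies
        ("192.168.100.5", "192.168.1.239, 192.168.100.7", True),
        ("192.168.100.5", "192.168.1.239, 10.9.9.9, 192.168.100.7", True),
    ]
    for remote, xff, rec in cases:
        print(remote, repr(xff), rec, "->", geo_value(remote, xff, rec))
```

The first case shows that a header from an address outside the proxy list is ignored, and the last shows that recursive lookup stops at the first untrusted entry from the right, so entries further left cannot select the value 1.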
Instance one: control access to a directory based on the value geo derives from the client IP.

    http {
        geo $caddr {
            default        0;
            192.168.1.239  1;
        }

        server {
            ......

            location /addr {
                root /webroot/default/;      # set the default directory
                if ($caddr = 1) {
                    root /webroot/1/;        # choose a different directory based on $caddr
                }
            }
        }
    }
    # Note: the basic parts are omitted.

    echo "Default page" > /webroot/default/addr/index.html
    echo "11111 page" > /webroot/1/addr/index.html

Now reload nginx.

Test:

On 192.168.1.239, execute curl and get "11111 page".

On another host, execute curl http://192.168.11.239:91/geo and get "Default page".

2. Use the specified variable.

    http {
        geo $arg_boy $blkIP {
            default     0;
            127.0.0.1   Local;
            85.77.32.0  Net1;
            202.90.0.0  Net2;
        }
    }


3. Matching principle

The geo directive assigns values to variables based primarily on IP address. Therefore, a geo block can only define IP addresses or network segments; anything else produces the error "nginx: [emerg] invalid network".


Practical application: geo can be combined with limit_req to implement simple protection against DDoS attacks.


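    http {
        geo $remote_addr $black_iplist {
            default 0;
            include black_iplist.conf;
        }

        # Requests with an empty key are not counted, so only requests for
        # which $DDos_ip is set below are limited. The key is the geo value,
        # so all blacklisted clients share one 10r/m bucket.
        limit_req_zone $DDos_ip zone=ddos_ip:10m rate=10r/m;
        limit_req zone=ddos_ip burst=1 nodelay;

        server {
            location / {
                if ($black_iplist = 1) {            #### determine whether the client is on the blacklist
                    set $DDos_ip $black_iplist;     #### rate-limit the IP
                    # return 503;                   #### or return 503 directly for the IP
                }
            }
        }
    }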


