GeoBlock
Simple plugin for Traefik to block request based on their country of origin. Uses GeoJs.io.
Configuration
It is possible to install the plugin locally or to install it through Traefik Pilot.
Configuration as local plugin
Depending on your setup, the installation steps might differ from the one described here. This example assumes that your Traefik instance runs in a Docker container and uses the official image.
Download the latest release of the plugin and save it to a location the Traefik container can reach. Below is an example of a possible setup. Notice how the plugin source is mapped into the container (/plugin/geoblock:/plugins-local/src/github.com/PascalMinder/geoblock/):
docker-compose.yml
version: "3.7"
services:
traefik:
image: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /docker/config/traefik/traefik.yml:/etc/traefik/traefik.yml
- /docker/config/traefik/dynamic-configuration.yml:/etc/traefik/dynamic-configuration.yml
- /docker/config/traefik/plugin/geoblock:/plugins-local/src/github.com/PascalMinder/geoblock/
ports:
- "80:80"
hello:
image: containous/whoami
labels:
- traefik.enable=true
- traefik.http.routers.hello.entrypoints=http
- traefik.http.routers.hello.rule=Host(`hello.localhost`)
- traefik.http.services.hello.loadbalancer.server.port=80
- traefik.http.routers.hello.middlewares=my-plugin@fileTo complete the setup, the Traefik configuration must be extended with the plugin. For this you must create the traefik.yml and the dynamic-configuration.yml` files if not present already.
traefik.yml
log:
level: INFO
experimental:
localPlugins:
geoblock:
moduleName: github.com/PascalMinder/geoblockdynamic-configuration.yml
http:
middlewares:
geoblock-ch:
plugin:
geoblock:
allowLocalRequests: true
logLocalRequests: false
logAllowedRequests: false
logApiRequests: true
api: "https://get.geojs.io/v1/ip/country/{ip}"
apiTimeoutMs: 750 # optional
cacheSize: 15
forceMonthlyUpdate: true
allowUnknownCountries: false
unknownCountryApiResponse: "nil"
countries:
- CHTraefik Pilot
To install the plugin with Traefik Pilot, follow the instruction on their website.
Add the following to your traefik-config.yml
pilot:
token: "xxxx-your-token-xxxx"
experimental:
plugins:
GeoBlock:
moduleName: "github.com/PascalMinder/geoblock"
version: "v0.2.3"
# other stuff you might have in your traefik-config
entryPoints:
http:
address: ":80"
https:
address: ":443"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: "/dynamic-configuration.yml"In your dynamic configuration add the following:
http:
middlewares:
my-GeoBlock:
plugin:
GeoBlock:
allowLocalRequests: true
logLocalRequests: false
logAllowedRequests: false
logApiRequests: false
api: "https://get.geojs.io/v1/ip/country/{ip}"
apiTimeoutMs: 500
cacheSize: 25
forceMonthlyUpdate: true
allowUnknownCountries: false
unknownCountryApiResponse: "nil"
countries:
- CHAnd some example docker file for traefik:
version: "3"
networks:
proxy:
external: true # specifies that this network has been created outside of Compose, raises an error if it doesn’t exist
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
aliases:
- traefik
ports:
- 80:80
- 443:443
volumes:
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/a/docker/config/traefik/data/traefik.yml:/traefik.yml:ro"
- "/a/docker/config/traefik/data/acme.json:/acme.json"
- "/a/docker/config/traefik/data/config.yml:/config.yml:ro"
- "/a/log/traefik:/etc/traefik"
- "/a/docker/config/traefik/data/dynamic-configuration.yml:/dynamic-configuration.yml"
labels:
- "providers.file.filename=/dynamic-configuration.yml"This configuration might not work. It's just to give you an idea how to configure it.
Full plugin sample configuration
allowLocalRequests: If set to true, will not block request from Private IP RangeslogLocalRequests: If set to true, will log every connection from any IP in the private IP rangeapi: API URI used for querying the country associated with the connecting IPcountries: list of allowed countries
my-GeoBlock:
plugin:
GeoBlock:
allowLocalRequests: false
logLocalRequests: false
logAllowedRequests: false
logApiRequests: false
api: "https://get.geojs.io/v1/ip/country/{ip}"
apiTimeoutMs: 750 # optional
cacheSize: 15
forceMonthlyUpdate: false
allowUnknownCountries: false
unknownCountryApiResponse: "nil"
countries:
- AF # Afghanistan
- AL # Albania
- DZ # Algeria
- AS # American Samoa
- AD # Andorra
- AO # Angola
- AI # Anguilla
- AQ # Antarctica
- AG # Antigua and Barbuda
- AR # Argentina
- AM # Armenia
- AW # Aruba
- AU # Australia
- AT # Austria
- AZ # Azerbaijan
- BS # Bahamas (the)
- BH # Bahrain
- BD # Bangladesh
- BB # Barbados
- BY # Belarus
- BE # Belgium
- BZ # Belize
- BJ # Benin
- BM # Bermuda
- BT # Bhutan
- BO # Bolivia (Plurinational State of)
- BQ # Bonaire, Sint Eustatius and Saba
- BA # Bosnia and Herzegovina
- BW # Botswana
- BV # Bouvet Island
- BR # Brazil
- IO # British Indian Ocean Territory (the)
- BN # Brunei Darussalam
- BG # Bulgaria
- BF # Burkina Faso
- BI # Burundi
- CV # Cabo Verde
- KH # Cambodia
- CM # Cameroon
- CA # Canada
- KY # Cayman Islands (the)
- CF # Central African Republic (the)
- TD # Chad
- CL # Chile
- CN # China
- CX # Christmas Island
- CC # Cocos (Keeling) Islands (the)
- CO # Colombia
- KM # Comoros (the)
- CD # Congo (the Democratic Republic of the)
- CG # Congo (the)
- CK # Cook Islands (the)
- CR # Costa Rica
- HR # Croatia
- CU # Cuba
- CW # Curaçao
- CY # Cyprus
- CZ # Czechia
- CI # Côte d'Ivoire
- DK # Denmark
- DJ # Djibouti
- DM # Dominica
- DO # Dominican Republic (the)
- EC # Ecuador
- EG # Egypt
- SV # El Salvador
- GQ # Equatorial Guinea
- ER # Eritrea
- EE # Estonia
- SZ # Eswatini
- ET # Ethiopia
- FK # Falkland Islands (the) [Malvinas]
- FO # Faroe Islands (the)
- FJ # Fiji
- FI # Finland
- FR # France
- GF # French Guiana
- PF # French Polynesia
- TF # French Southern Territories (the)
- GA # Gabon
- GM # Gambia (the)
- GE # Georgia
- DE # Germany
- GH # Ghana
- GI # Gibraltar
- GR # Greece
- GL # Greenland
- GD # Grenada
- GP # Guadeloupe
- GU # Guam
- GT # Guatemala
- GG # Guernsey
- GN # Guinea
- GW # Guinea-Bissau
- GY # Guyana
- HT # Haiti
- HM # Heard Island and McDonald Islands
- VA # Holy See (the)
- HN # Honduras
- HK # Hong Kong
- HU # Hungary
- IS # Iceland
- IN # India
- ID # Indonesia
- IR # Iran (Islamic Republic of)
- IQ # Iraq
- IE # Ireland
- IM # Isle of Man
- IL # Israel
- IT # Italy
- JM # Jamaica
- JP # Japan
- JE # Jersey
- JO # Jordan
- KZ # Kazakhstan
- KE # Kenya
- KI # Kiribati
- KP # Korea (the Democratic People's Republic of)
- KR # Korea (the Republic of)
- KW # Kuwait
- KG # Kyrgyzstan
- LA # Lao People's Democratic Republic (the)
- LV # Latvia
- LB # Lebanon
- LS # Lesotho
- LR # Liberia
- LY # Libya
- LI # Liechtenstein
- LT # Lithuania
- LU # Luxembourg
- MO # Macao
- MG # Madagascar
- MW # Malawi
- MY # Malaysia
- MV # Maldives
- ML # Mali
- MT # Malta
- MH # Marshall Islands (the)
- MQ # Martinique
- MR # Mauritania
- MU # Mauritius
- YT # Mayotte
- MX # Mexico
- FM # Micronesia (Federated States of)
- MD # Moldova (the Republic of)
- MC # Monaco
- MN # Mongolia
- ME # Montenegro
- MS # Montserrat
- MA # Morocco
- MZ # Mozambique
- MM # Myanmar
- NA # Namibia
- NR # Nauru
- NP # Nepal
- NL # Netherlands (the)
- NC # New Caledonia
- NZ # New Zealand
- NI # Nicaragua
- NE # Niger (the)
- NG # Nigeria
- NU # Niue
- NF # Norfolk Island
- MP # Northern Mariana Islands (the)
- NO # Norway
- OM # Oman
- PK # Pakistan
- PW # Palau
- PS # Palestine, State of
- PA # Panama
- PG # Papua New Guinea
- PY # Paraguay
- PE # Peru
- PH # Philippines (the)
- PN # Pitcairn
- PL # Poland
- PT # Portugal
- PR # Puerto Rico
- QA # Qatar
- MK # Republic of North Macedonia
- RO # Romania
- RU # Russian Federation (the)
- RW # Rwanda
- RE # Réunion
- BL # Saint Barthélemy
- SH # Saint Helena, Ascension and Tristan da Cunha
- KN # Saint Kitts and Nevis
- LC # Saint Lucia
- MF # Saint Martin (French part)
- PM # Saint Pierre and Miquelon
- VC # Saint Vincent and the Grenadines
- WS # Samoa
- SM # San Marino
- ST # Sao Tome and Principe
- SA # Saudi Arabia
- SN # Senegal
- RS # Serbia
- SC # Seychelles
- SL # Sierra Leone
- SG # Singapore
- SX # Sint Maarten (Dutch part)
- SK # Slovakia
- SI # Slovenia
- SB # Solomon Islands
- SO # Somalia
- ZA # South Africa
- GS # South Georgia and the South Sandwich Islands
- SS # South Sudan
- ES # Spain
- LK # Sri Lanka
- SD # Sudan (the)
- SR # Suriname
- SJ # Svalbard and Jan Mayen
- SE # Sweden
- CH # Switzerland
- SY # Syrian Arab Republic
- TW # Taiwan (Province of China)
- TJ # Tajikistan
- TZ # Tanzania, United Republic of
- TH # Thailand
- TL # Timor-Leste
- TG # Togo
- TK # Tokelau
- TO # Tonga
- TT # Trinidad and Tobago
- TN # Tunisia
- TR # Turkey
- TM # Turkmenistan
- TC # Turks and Caicos Islands (the)
- TV # Tuvalu
- UG # Uganda
- UA # Ukraine
- AE # United Arab Emirates (the)
- GB # United Kingdom of Great Britain and Northern Ireland (the)
- UM # United States Minor Outlying Islands (the)
- US # United States of America (the)
- UY # Uruguay
- UZ # Uzbekistan
- VU # Vanuatu
- VE # Venezuela (Bolivarian Republic of)
- VN # Viet Nam
- VG # Virgin Islands (British)
- VI # Virgin Islands (U.S.)
- WF # Wallis and Futuna
- EH # Western Sahara
- YE # Yemen
- ZM # Zambia
- ZW # Zimbabwe
- AX # Åland IslandsConfiguration options
Allow local requests: allowLocalRequests
If set to true, will not block request from Private IP Ranges.
Log local requests: logLocalRequests
If set to true, will show a log message when some one accesses the service over a private ip address.
Log allowed requests logAllowedRequests
If set to true, will show a log message with the IP and the country of origin if a request is allowed.
Log API requests logApiRequests
If set to true, will show a log message for every API hit.
API api
Defines the API URL for the IP to Country resolution. The IP to fetch can be added with {ip} to the URL.
API Timeout apiTimeoutMs
Timeout for the call to the api uri.
Cache size cacheSize
Defines the max size of the LRU (least recently used) cache.
Force monthly update forceMonthlyUpdate
Even if an IP stays in the cache for a period of a month (about 30 x 24 hours), it must be fetch again after a month.
Allow unknown countries allowUnknownCountries
Some IP addresses have no country associated with them. If this option is set to true, all IPs with no associated country are also allowed.
Unknown country api responseunknownCountryApiResponse
The API uri can be customized. This options allows to customize the response string of the API when a IP with no associated country is requested.
Countries countries
A list of country codes from which connections to the service should be allowed