Skip to content

Country-Level Blocking With MaxMind

To block users in selected countries from accessing your websites, we recommend using MaxMind. MaxMind services use IP addresses to identify a user’s country, and you can write rules to block specific countries.

Start by downloading the GeoLite2 Country MaxMind Database in .mmdb format from MaxMind.

Place the file in a location inside your container, for example /container/application/GeoLite2-Country.mmdb. Now you’re ready to enable and set up the configuration files.

Configuring MaxMind and Blocking Countries

The exact process differs according to the image that your container is running. Below, this document takes you through the steps for Apache and Nginx.

  • Before you begin: Find the ISO codes of relevant countries in this GeoNames table.
  • Once you’re done: Test that your country blocking works as intended by visiting your site from a service that lets you imitate traffics from different locations, like ProxySite or Geo Targetly.


Create a symlink of the MaxMind conf file and load files to the mods-enabled folder:

cd /container/config/apache2/mods-enabled
ln -s ../mods-available/maxminddb.conf .
ln -s ../mods-available/maxminddb.load .

To block specific countries, add rules to the container’s .htaccess file. Model them on this example code:

<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /container/application/GeoLite2-Country.mmdb
MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code
SetEnvIf COUNTRY_CODE ^(RU|DE|US) BlockCountry
Deny from env=BlockCountry


Some configuration changes are required in Nginx.

  1. In /container/config/nginx/nginx.conf, load the GeoIP2 module before the events block:
    pid /run/;
    load_module modules/;
    events {
  2. Pass the MaxMind database to the GeoIP modul, then map the variables to allow or deny a country, using this code as an example:
    http {
    # Basic Settings
    geoip2 /container/application/GeoLite2-Country.mmdb {
    $geoip2_data_country_iso_code country iso_code;
    map $geoip2_data_country_iso_code $allowed_country {
    default yes;
    DE no; # Germany
  3. Add an if statement to /container/config/nginx/sites-available/default to block requests from denied countries. (444 is a special code in Nginx.)
    location / {
    try_files $uri $uri/ =404;
    if ($allowed_country = no) {
    return 444;
    location ~ \.php$ {
    # Fix for HTTProxy
    fastcgi_param HTTP_PROXY "";
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    if ($allowed_country = no) {
    return 444;
  4. Reboot the container for your changes to take effect.

Because it takes configuration changes to update your list of allowed or denied countries in Nginx, you’ll need to reboot the container each time.