HAProxy Country filtering ACL

by iwik
December 2, 2020September 27, 2024
12 Comments

It is few years since I have written my IP Country generator. As I recently added new file geoip.txt (warning, big file!) for use with haproxy, I will show you how you can easily create ACL in HAproxy to filter specific country.

There are many articles about HAProxy GeoIP, but they are all using Maxmind’s GeoIP database and iprange tool, which you have to compile and use scripts to generate files…Now you can have daily updated geoip.txt for haproxy easily – just download file geoip.txt file, and put it (for exaple) as /etc/haproxy/geoip.txt. IPv6 ranges are included. You can create cron job to download this file to have update(s).

How to use it? Let’s take webmin backend definition in my haproxy.cfg as example. It will allow access only from LAN and Slovakia and Czech Republic:

backend webmin
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
# ...
#       GeoIP ACL - allow only from SK and CZ
        acl acl_geoloc_sk_cz src,map_ip(/etc/haproxy/geoip.txt) -m reg -i (SK|CZ)
        acl acl_internal src  10.0.0.0/8 192.168.0.0/16
        http-request deny if !acl_geoloc_sk_cz !acl_internal

Yes, it is so easy.

UPDATE: I have switched source of IP data to Maxmind GeoIPlite2 https://blog.erben.sk/2024/09/14/new-country-ip-ranges-generator/

Tags:geoip haproxy ipcountry

12 thoughts on “HAProxy Country filtering ACL”

vanessa June 20, 2022 at 01:10

Do you have some shaping to download?
I download once a day in 8 servers but only one have some issues. Sometimes the curl doesnt complete.
GeoIP User January 3, 2023 at 16:53

Unfortunately, the geoip.txt file is incomplete and doesn’t contain the full list of countries from the other lists that you generate :'(
User January 22, 2023 at 15:57

@iwik thanks for the script, but sometimes ( and that’s quite frequent nowadays, at least once a week ), and for example as today, 22.01.2023, the generated file is incomplete and is missing a lot of countries. Could you check and see what is the issue with it?
Test January 22, 2023 at 22:04

Any idea why the file is on random days incomplete? It’s missing a lot of ips, and for today as well.
SiD February 7, 2023 at 11:51

please update geoip.txt
HAproxy March 8, 2023 at 20:01

Same as above. File often only 2MB and incomplete instead of approx 5 MB…
iwik March 15, 2023 at 18:56

Hi all, I have setup zabbix monitoring to check file size. It can be generated incorrectly or maybe reverse proxy issue. We will see.
Mike June 3, 2023 at 08:04

Hi, I’m noticing that quite a few of the ip addresses have the incorrect country code. Has anyone encountered this recently?
SDas September 8, 2023 at 11:56

I see UK (GB) and USA (US) CIDRs are permanently missing from the list
Thomas November 13, 2023 at 02:02

Feel free to use this source instead, with IPv4 and IPv6 addresses.

https://wetmore.ca/ip/
iwik December 22, 2023 at 10:34

Issues should be resolved longer time as I have put site behind cloudflare proxy.
zefk July 2, 2024 at 20:19

Hi all, seems that the file size gets halved in july 2024, no more ipv6 ?

HAProxy Country filtering ACL

UPDATE: I have switched source of IP data to Maxmind GeoIPlite2 https://blog.erben.sk/2024/09/14/new-country-ip-ranges-generator/

12 thoughts on “HAProxy Country filtering ACL”

Leave a Reply