HAProxy Country filtering ACL

It has been a few years since I wrote my IP Country generator. As I recently added a new file, geoip.txt (warning, big file!), for use with HAProxy, I will show you how you can easily create an ACL in HAProxy to filter by specific country.

There are many articles about HAProxy GeoIP, but they all use Maxmind’s GeoIP database and the iprange tool, which you have to compile, plus scripts to generate the files… Now you can have a daily updated geoip.txt for HAProxy easily: just download the geoip.txt file and put it (for example) at /etc/haproxy/geoip.txt. IPv6 ranges are included. You can create a cron job to download this file to keep it updated.

How to use it? Let’s take the webmin backend definition in my haproxy.cfg as an example. It allows access only from the LAN, Slovakia and the Czech Republic:

backend webmin
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
# ...
#       GeoIP ACL - allow only from SK and CZ
        acl acl_geoloc_sk_cz src,map_ip(/etc/haproxy/geoip.txt) -m reg -i (SK|CZ)
        acl acl_internal src  10.0.0.0/8 192.168.0.0/16
        http-request deny if !acl_geoloc_sk_cz !acl_internal

Yes, it is so easy.

UPDATE: I have switched the source of IP data to Maxmind GeoIPlite2: https://blog.erben.sk/2024/09/14/new-country-ip-ranges-generator/
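
Because the ACL above is an allow-list, a truncated or partial geoip.txt silently denies legitimate SK/CZ clients, so the cron download should validate the file before HAProxy sees it. The script below is an added example, not the author's code: it checks the new file, refuses a map that shrank, and swaps it in atomically. The URL, the entry threshold, the `<prefix> <country code>` line format and the `systemctl reload haproxy` step are assumptions.

```shell
#!/bin/sh
# Added example, not the blog author's script. Assumed map format, one entry
# per line: "<IPv4 or IPv6 prefix> <two-letter country code>".
GEOIP_URL="${GEOIP_URL:-https://example.invalid/geoip.txt}"  # placeholder URL
LIVE_MAP="${LIVE_MAP:-/etc/haproxy/geoip.txt}"               # path from the post
MIN_ENTRIES="${MIN_ENTRIES:-1000}"    # assumed floor; tune to the real file

# validate_geoip_map FILE MIN CC...
# Succeeds only if every line is well formed, there are at least MIN entries,
# and each listed country code occurs at least once.
validate_geoip_map() {
    file=$1; min=$2; shift 2
    [ -s "$file" ] || { echo "geoip: $file missing or empty" >&2; return 1; }
    entry='^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)(/[0-9]{1,3})?[[:space:]]+[A-Z]{2}$'
    # A download cut off mid-line leaves a partial last entry; count such lines.
    bad=$(grep -Evc -e "$entry" -e '^#' -e '^[[:space:]]*$' "$file" || true)
    [ "$bad" -eq 0 ] || { echo "geoip: $bad malformed line(s)" >&2; return 1; }
    total=$(grep -Ec "$entry" "$file" || true)
    [ "$total" -ge "$min" ] || { echo "geoip: only $total entries" >&2; return 1; }
    for cc in "$@"; do
        grep -Eq "[[:space:]]$cc\$" "$file" || { echo "geoip: no $cc ranges" >&2; return 1; }
    done
}

# install_geoip_map NEW LIVE MIN CC...
# Validates NEW, refuses it if it lost more than 10% of the lines in LIVE,
# then replaces LIVE with a rename so HAProxy never reads a half-written map.
install_geoip_map() {
    new=$1; live=$2; shift 2
    validate_geoip_map "$new" "$@" || return 1
    if [ -s "$live" ]; then
        old_n=$(grep -c . "$live" || true); new_n=$(grep -c . "$new" || true)
        [ $((new_n * 10)) -ge $((old_n * 9)) ] || {
            echo "geoip: shrank from $old_n to $new_n lines, keeping old map" >&2; return 1; }
    fi
    chmod 644 "$new" && mv -f "$new" "$live"
}

# Cron entry point: "update-geoip.sh update". The temp file sits beside the live
# map so the rename stays on one filesystem; HAProxy reloads only on success.
if [ "${1:-}" = update ]; then
    tmp=$(mktemp "$LIVE_MAP.XXXXXX") || exit 1
    curl -fsS --retry 3 -o "$tmp" "$GEOIP_URL" &&
        install_geoip_map "$tmp" "$LIVE_MAP" "$MIN_ENTRIES" SK CZ &&
        systemctl reload haproxy || { rm -f "$tmp"; exit 1; }
fi
```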

12 thoughts on “HAProxy Country filtering ACL”

  1. Do you have some shaping to download?
    I download once a day on 8 servers but only one has some issues. Sometimes the curl doesn't complete.

  2. Unfortunately, the geoip.txt file is incomplete and doesn’t contain the full list of countries from the other lists that you generate :'(

  3. @iwik thanks for the script, but sometimes (and that’s quite frequent nowadays, at least once a week), and for example as today, 22.01.2023, the generated file is incomplete and is missing a lot of countries. Could you check and see what is the issue with it?

  4. Any idea why the file is incomplete on random days? It’s missing a lot of IPs, and for today as well.

  5. Hi all, I have set up Zabbix monitoring to check the file size. It can be generated incorrectly, or maybe it is a reverse proxy issue. We will see.

  6. Hi, I’m noticing that quite a few of the IP addresses have the incorrect country code. Has anyone encountered this recently?
