Thomas Delrue via plug on 2 Dec 2020 05:40:04 -0800

Re: [PLUG] Reverse Proxy based on GeoIP


It's actually more for 'content control' rather than anything else. For
customers in country {foo|bar|qux}, we have to prevent them from
reaching the server (and site) for a.com and have to make sure they
reach b.com instead. (Long story, don't ask)

And while those are our domains and sites, we don't have the ability to
easily change the code for those sites (and actually, the domains are
managed by 2 -different- third party DNS registrars/services, and the
sites are running on external platforms too).
So that's why I was asking if I was even thinking about this the right
way...

Regarding the split horizon DNS, is my understanding correct that we'd
have to be running the authoritative servers for both those domains
ourselves (which we aren't)?

I appreciate everyone's input!


On 12/1/20 06:47, Joe Rosato wrote:
> Never did it but....
> 
> https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-by-geoip/
> 
> On Mon, Nov 30, 2020, 4:19 PM brent saner via plug
> <plug@lists.phillylinux.org> wrote:
> 
>     If you're doing it for perceived (client-side) performance/responsivity:
> 
>     https://www.medianova.com/en-blog/2016/10/26/what-is-anycast-dns
> 
> 
>     If you're doing it for restricting content/access:
> 
>     https://en.m.wikipedia.org/wiki/Split-horizon_DNS
> 
> 
> 
>     sent from my toaster.
> 
>     On Mon, Nov 30, 2020, 16:04 Thomas Delrue via plug
>     <plug@lists.phillylinux.org> wrote:
> 
>         Hi,
> 
>         I have a peculiar scenario that I'm trying to get to work and I just
>         can't wrap my mind around how.
> 
>         Let's say I have two distinct servers, serving respectively
>         - a.com
>         - b.com
>         I own both a.com and b.com as domain names and for all intents and
>         purposes, the content on those sites is static and served over
>         HTTPS.
> 
>         Both these websites are publicly available and are /different/ sites.
>         They are also hosted by third parties and so not easily changed (for all
>         intents and purposes, assume these cannot be changed).
> 
>         Here's the tricky (or sneaky, if you will) thing I'd like to do:
> 
>         Anyone going to a.com - from anywhere in the world - should see a.com
>         EXCEPT when they are coming from Country 'foo', 'bar', or 'qux'(*).
>         Those, and only those, should be redirected to b.com.
> 
>         So if I come from country blah, and enter a.com in my address bar, then
>         I do indeed see a.com.
>         HOWEVER, if I come from any one country in {foo|bar|qux}, and I enter
>         a.com, I should be redirected to b.com (and my address bar should show
>         b.com). In this last case, it's totally OK for this to be a totally
>         clean redirect/hand off from the reverse proxy serving a.com to the
>         server serving b.com.
> 
>         My initial thought was to set up a new server to act as a reverse proxy
>         and make the DNS record(s) for a.com point to that reverse proxy and
>         where I go from there is where I get stuck...
> 
>         I know that with NGINX, you can do reverse proxying. That's standard stuff.
> 
>         I know you can do reverse proxying based on originating IP, but to the
>         best of my understanding, that's limited to hard-coded IPs (i.e. if you
>         come from 1.2.3.4, redirect to uat.env.com, but if you come from
>         3.4.5.6, then direct to dev.env.com, etc...).
> 
>         So this is my first blocker, is what I'm asking (i.e. turn those hard
>         coded IP addresses into GeoIP countries) even doable, be it this
>         suggested way or even at all? Has anyone done something like this and
>         care to share their solution?
> 
>         And then on top of that: am I even thinking about this properly or is
>         there another solution that I'm totally missing?
> 
>         Thanks
> 
>         (*) I am aware of some inaccuracies in GeoIP mapping of IP to country, I
>         can live with those inaccuracies as long as 'generally' it works.
> 

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
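One way to build the GeoIP-conditional front end the thread discusses, as an added example in nginx configuration (not code from any poster on this thread). It assumes the third-party ngx_http_geoip2_module and a MaxMind GeoLite2-Country database; the database and certificate paths, the country codes and the origin hostname are placeholders.

```nginx
# Added example, not from the thread: nginx front end for a.com that sends
# visitors from selected countries to b.com and reverse proxies everyone
# else to a.com's existing host. Assumes ngx_http_geoip2_module (third-party)
# and a MaxMind GeoLite2-Country database; paths and codes are placeholders.
load_module modules/ngx_http_geoip2_module.so;

http {
    # Resolve the client address to an ISO 3166-1 alpha-2 country code.
    # Keep source=$remote_addr: X-Forwarded-For is client-supplied and
    # spoofable unless a trusted upstream proxy is the only thing setting it.
    # default=ZZ marks addresses the database cannot place.
    geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {   # placeholder path
        $geoip2_country_code default=ZZ source=$remote_addr country iso_code;
    }

    # Countries 'foo', 'bar', 'qux' from the thread. AA, QM and QN are ISO
    # user-assigned placeholder codes; replace with the real ones.
    # Unplaceable addresses (ZZ) deliberately fall through to a.com.
    map $geoip2_country_code $send_to_b {
        default 0;
        AA      1;
        QM      1;
        QN      1;
    }

    server {
        listen 443 ssl;
        server_name a.com;
        ssl_certificate     /etc/nginx/tls/a.com.fullchain.pem;  # placeholder
        ssl_certificate_key /etc/nginx/tls/a.com.key;            # placeholder

        # 302 rather than 301: browsers cache a permanent redirect, so a user
        # who later connects from another country would still land on b.com.
        if ($send_to_b) {
            return 302 https://b.com$request_uri;
        }

        # Everyone else: transparent reverse proxy to a.com's current host.
        location / {
            proxy_pass https://ORIGIN-OF-A.example;   # placeholder hostname
            proxy_set_header Host a.com;
            proxy_ssl_server_name on;
        }
    }
}
```

The proxy now terminates TLS for a.com, so it must hold a.com's certificate, and the country decision is only as good as the address nginx sees: behind a CDN or load balancer, restore the client address with ngx_http_realip_module (set_real_ip_from limited to that upstream's ranges) before relying on it.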