Rich Kulawiec via plug on 2 Dec 2020 06:06:11 -0800



Re: [PLUG] Reverse Proxy based on GeoIP


On Mon, Nov 30, 2020 at 04:04:18PM -0500, Thomas Delrue via plug wrote:
> And then on top of that: am I even thinking about this properly or is
> there another solution that I'm totally missing?

Perhaps.

Yes, you can do the appropriate DNS trickery to furnish different
answers to different requesting IP addresses based on locale,
however that presumes that DNS resolution on the client side is
being handled in a way that plays nice with that...and it may or
may not be.

Another approach to this problem would be to put a packet forwarding
firewall in front of both web servers and forward traffic based on
the originating IP address, using per-country IP address ranges as
generated thus:

	Generating country IP ranges lists
	http://blog.erben.sk/2014/01/28/generating-country-ip-ranges-lists/

You could use this to partition the universe of all address ranges
into disjoint sets (two in your present use case, more if you need to)
and then forward traffic from those as appropriate.  You could also
configure the actual web servers to refuse all traffic unless it
comes via the firewall, thus making it more difficult to bypass
this restriction.

One nice thing about this approach is that it's easy to maintain --
update the per-country IP lists at intervals, perhaps once a month,
reload the firewall rules, and move on.  It's also extensible to
let you handle address ranges that you don't want to provide *any*
service to, e.g., the DROP list.  A downside to this approach is that
the firewall becomes a single point-of-failure, but that can be mitigated
by making it redundant, e.g., pf with CARP.


---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
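A worked version of the firewall-partitioning approach described above, added here as an example and not part of the original post or the linked blog. It parses RIR "delegated" data (the usual raw source for per-country lists; the lines below are constructed, not real allocations), collapses each country's ranges into CIDR prefixes (address counts in those files are not always powers of two, so a single line can become several prefixes), checks that the chosen groups are disjoint, and renders OpenBSD-style pf table files plus rdr-to rules. The table names, file paths, interface, VIP and backend addresses are all assumptions for illustration.

```python
"""Per-country source tables for a pf forwarding firewall.

Example code, not from the original post. Assumes OpenBSD pf syntax
(rdr-to); table names, paths and addresses are placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the RIR delegated-extended format (not real data):
#   registry|cc|type|start|value|date|status
# For ipv4 lines "value" is an address COUNT; for ipv6 it is a prefix length.
SAMPLE_DELEGATED = """\
2.3|apnic|20201201|5|19830101|20201130|+1000
apnic|*|ipv4|*|5|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.1.0.0|1792|20110414|allocated
ripencc|DE|ipv4|2.16.0.0|256|20100831|assigned
arin|US|ipv4|3.0.0.0|16777216|19880213|assigned
arin|US|ipv6|2600::|24|20050304|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110811|assigned
"""


def parse_delegated(text):
    """Return {cc: [networks]} with each country's ranges collapsed into
    minimal CIDR form. A count that is not a power of two (1792 above)
    is split into several aligned prefixes."""
    by_cc = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Skip the version header (starts with a digit) and summary lines.
        if len(fields) < 5 or fields[1] == "*" or fields[0][0].isdigit():
            continue
        _registry, cc, kind, start, value = fields[:5]
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            by_cc[cc].extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            by_cc[cc].append(ipaddress.IPv6Network(f"{start}/{value}"))
    out = {}
    for cc, nets in by_cc.items():
        # collapse_addresses refuses mixed versions, so collapse per family.
        v4 = [n for n in nets if n.version == 4]
        v6 = [n for n in nets if n.version == 6]
        out[cc] = (list(ipaddress.collapse_addresses(v4))
                   + list(ipaddress.collapse_addresses(v6)))
    return out


def partition(by_cc, groups):
    """Map group name -> networks for its countries, and verify that the
    groups are pairwise disjoint so no source address can match two
    forwarding rules. Raises ValueError on overlap."""
    tables = {name: [n for cc in ccs for n in by_cc.get(cc, [])]
              for name, ccs in groups.items()}
    names = list(tables)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for x in tables[a]:
                for y in tables[b]:
                    if x.version == y.version and x.overlaps(y):
                        raise ValueError(f"{x} in {a} overlaps {y} in {b}")
    return tables


def render_table_file(nets):
    """One CIDR per line, the format pfctl -T replace -f expects."""
    return "".join(f"{n}\n" for n in nets)


def render_pf_conf(tables, backends, drop_file="/etc/pf/drop.txt"):
    """Ruleset: drop-listed sources are blocked outright, each group is
    forwarded to its backend, everything else to the VIP is blocked.
    Tables are file-backed so they can be refreshed without a full reload."""
    lines = ['ext_if = "em0"', 'vip = "192.0.2.1"',
             f'table <drop> persist file "{drop_file}"',
             "block in quick on $ext_if from <drop>"]
    for name in tables:
        lines.append(f'table <{name}> persist file "/etc/pf/{name}.txt"')
    for name, backend in backends.items():
        lines.append(f"pass in quick on $ext_if proto tcp from <{name}> "
                     f"to $vip port {{ 80, 443 }} rdr-to {backend}")
    lines.append("block in on $ext_if proto tcp to $vip port { 80, 443 }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    by_cc = parse_delegated(SAMPLE_DELEGATED)
    tables = partition(by_cc, {"apac_web": {"AU", "CN", "JP"},
                               "na_web": {"US"}})
    for name, nets in tables.items():
        print(f"# /etc/pf/{name}.txt")
        print(render_table_file(nets))
    print(render_pf_conf(tables, {"apac_web": "10.0.0.10",
                                  "na_web": "10.0.0.20"}))
```

The monthly refresh the post describes is then just regenerating the table files and running `pfctl -t apac_web -T replace -f /etc/pf/apac_web.txt` for each table; the rule bodies never change. Countries assigned to no group fall through to the final block rule, and the backends themselves should still only accept HTTP(S) from the firewall's inside address, as the post suggests, so a client that learns a backend IP cannot skip the partition.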