Block clients based on their country, ASN or network.
Geoblock is a lightweight authorization service that restricts client access based on:
- Client's country
- Client's IP address
- Client's ASN (Autonomous System Number)
- Requested domain
- Requested method
It works as a forward-authentication service that can be used with reverse proxies such as Traefik, NGINX, and Caddy.
Geoblock uses a single configuration file (config.yaml by default) to set
access control rules. Rules are evaluated sequentially, applying the first
match per request. If no rules match, the default policy applies.
A rule matches if all specified conditions are met. Rules can include one or more of the following criteria:
countries: List of country codes (ISO 3166-1 alpha-2)domains: List of domain namesmethods: List of HTTP methodsnetworks: List of IP ranges in CIDR notationautonomous_systems: List of ASNs
Example configuration file:
---
access_control:
# Default action when no rules match ("allow" or "deny").
default_policy: deny
# List of access rules, evaluated in order. The first matching rule’s
# policy is applied. If no rule matches, the default policy is used.
#
# IMPORTANT: Replace these example rules with your own rules.
rules:
# Allow access from internal/private networks.
- networks:
- 10.0.0.0/8
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
policy: allow
# Deny access for clients from ASNs 1234 and 5678.
- autonomous_systems:
- 1234
- 5678
policy: deny
# Allow access to example.com and example.org from clients in
# France (FR) and the United States (US) using the GET or POST HTTP
# methods.
- domains:
- example.com
- example.org
countries:
- FR
- US
methods:
- GET
- POST
policy: allowThe following HTTP endpoints are exposed by Geoblock.
Check if a client is authorized to access a domain.
| Header | Required | Description |
|---|---|---|
X-Forwarded-For |
Yes | Client's IP address |
X-Forwarded-Host |
Yes | Requested domain |
X-Forwarded-Method |
Yes | Requested HTTP method |
| Status | Description |
|---|---|
204 |
Authorized |
403 |
Forbidden |
Check if the service is healthy.
| Status | Description |
|---|---|
204 |
Healthy |
Returns metrics in JSON format.
-
MIME type:
application/json -
Properties:
denied: Number of denied requestsallowed: Number of allowed requestsinvalid: Number of invalid requeststotal: Total number of requests
-
Example:
{"denied": 0, "allowed": 0, "invalid": 0, "total": 0}
Note
Environment variables are intended primarily to be used when running Geoblock locally during development. It is discouraged to set or modify their values when running the Docker image. Instead, use mounts or remap ports as needed.
The following environment variables can be used to configure Geoblock:
| Variable | Description | Default |
|---|---|---|
GEOBLOCK_CONFIG |
Path to the configuration file | ./config.yaml |
GEOBLOCK_PORT |
Port to listen on | 8080 |
GEOBLOCK_LOG_LEVEL |
Log level | info |
Supported log levels are: trace, debug, info, warn, error, fatal or
panic.
Start geoblock with the provided example configuration:
GEOBLOCK_CONFIG=examples/config.yaml GEOBLOCK_PORT=8080 GEOBLOCK_LOG_LEVEL=debug make runGET http://localhost:8080/v1/forward-authGET http://localhost:8080/v1/forward-auth
X-Forwarded-For: 127.0.0.1
X-Forwarded-Method: GETGET http://localhost:8080/v1/forward-auth
X-Forwarded-Host: example.com
X-Forwarded-Method: GETGET http://localhost:8080/v1/forward-auth
X-Forwarded-For: 8.8.8.8
X-Forwarded-Host: example.comGET http://localhost:8080/v1/forward-auth
X-Forwarded-For: 8.8.8.8
X-Forwarded-Host: example.org
X-Forwarded-Method: GETGET http://localhost:8080/v1/forward-auth
X-Forwarded-For: 8.8.8.8
X-Forwarded-Host: example.com
X-Forwarded-Method: GETGET http://localhost:8080/v1/metrics- Support environment variables
- Docker image
- Publish Docker image
- Auto-update databases
- Auto-reload configuration
- Add metrics
- Write documentation
- Add e2e tests
- Cache responses
-
Cache databases -
Support command line arguments