Geoip2 Load Balancer

From TMM Wiki
Revision as of 13:58, 21 November 2024 by TMM Rich
  • Some of our clients are load balancing webservers, and have found that the GeoIP2 setup may need additional steps/tweaks to work with load balancers & AWS
  • As a courtesy, a set of steps has been provided that allowed the 'GEOIP2_PHP' IP_FILTER config setting to work for them
  • Please note these steps may not work 100% for all setups and may need to be adjusted based on your own server configuration.
  • Please refer to your host for any setup questions/issues with these instructions

MaxMind Configuration Behind AWS Load Balancer

When using MaxMind GeoIP with Apache behind an AWS Load Balancer (ALB/ELB), additional configuration is required to ensure correct IP geolocation. By default, MaxMind will see the Load Balancer's IP address rather than the actual client IP. This document outlines the necessary configuration steps.

Required Configuration

1.) First, ensure mod_remoteip is enabled on your Apache server:

sudo a2enmod remoteip

2.) Add the following configuration to your Apache configuration file (before the MaxMind configuration):

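# Load the remoteip module (a2enmod in step 1 already loads it on Debian/Ubuntu;
# if Apache then warns that the module is already loaded, remove this line)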
LoadModule remoteip_module modules/mod_remoteip.so

# Configure RemoteIP for AWS Load Balancer
RemoteIPHeader X-Forwarded-For
# Trust AWS internal IP ranges
RemoteIPInternalProxy 10.0.0.0/8
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 192.168.0.0/16

# Your existing MaxMind configuration
<IfModule mod_maxminddb.c>
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code
MaxMindDBEnv GEOIP_COUNTRY_CODE COUNTRY_DB/country/iso_code
MaxMindDBFile CITY_DB /usr/share/GeoIP/GeoLite2-City.mmdb
MaxMindDBEnv REGION_CODE CITY_DB/subdivisions/0/iso_code
</IfModule>

3.) Restart Apache to apply the changes:

sudo systemctl restart apache2

Verification

You can verify the configuration is working by:

1.) Creating a test PHP file:

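<?php
// Send plain text so the "\n" line breaks render and header values are not treated as HTML
header('Content-Type: text/plain');
echo "Client IP (REMOTE_ADDR): " . $_SERVER['REMOTE_ADDR'] . "\n";
// mod_remoteip removes the addresses it has processed from this header,
// so 'Not set' here is normal once the configuration is working
echo "X-Forwarded-For: " . ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? 'Not set') . "\n";
echo "MaxMind IP (MMDB_ADDR): " . ($_SERVER['MMDB_ADDR'] ?? 'Not set') . "\n";
echo "Country Code: " . ($_SERVER['COUNTRY_CODE'] ?? 'Not set') . "\n";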

2.) Check Apache error logs for any issues:

sudo tail -f /var/log/apache2/error.log

Common Issues

  • No Geolocation Data: If you're still seeing no geolocation data:

1.) Verify mod_remoteip is enabled (apache2ctl -M | grep remoteip)
2.) Check the MaxMind database files exist and are readable by Apache
3.) Verify the X-Forwarded-For header is being passed by the load balancer

  • Wrong Location Data: If you're seeing incorrect location data:

1.) Verify the RemoteIPInternalProxy directives cover all your load balancer IPs
2.) Check if there are any intermediate proxies modifying the X-Forwarded-For header

Security Considerations

  • The RemoteIPInternalProxy directives tell Apache which IP ranges to trust for X-Forwarded-For headers
  • Only include IP ranges that correspond to your AWS infrastructure
  • Consider restricting the ranges further if you know the specific VPC CIDR blocks in use
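
To see how the trusted ranges decide which address Apache (and therefore MaxMind) ends up using, the following added example models mod_remoteip's right-to-left walk over X-Forwarded-For. It is not part of the original instructions or of Apache's code; the NARROW range, the function name and all sample addresses are constructed assumptions.

```python
import ipaddress

# The page's ranges, plus a hypothetical narrower range for the balancer subnets.
BROAD = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
NARROW = ["10.0.1.0/24"]  # assumption: the load balancer nodes live here


def resolve_client_ip(peer, xff, trusted_cidrs):
    """Simplified model of mod_remoteip's right-to-left X-Forwarded-For walk.

    Returns (client_ip, remaining_header): the address Apache would treat as
    the client (and MaxMind would look up) and the unconsumed header entries.
    All trusted ranges are treated like RemoteIPInternalProxy.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Keep stepping left only while the address reached so far is trusted.
    while hops and any(current in net for net in trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop at the last confirmed address
        hops.pop()
        current = candidate
    return str(current), ", ".join(hops)


if __name__ == "__main__":
    # Constructed sample requests: (description, TCP peer, X-Forwarded-For).
    samples = [
        ("via load balancer, client sent its own entry",
         "10.0.1.20", "198.51.100.23, 203.0.113.7"),
        ("not via load balancer, from another private host",
         "10.0.7.50", "198.51.100.23"),
        ("extra public proxy in front of the load balancer",
         "10.0.1.20", "203.0.113.7, 192.0.2.10"),
    ]
    for label, peer, xff in samples:
        for name, ranges in (("broad", BROAD), ("narrow", NARROW)):
            ip, rest = resolve_client_ip(peer, xff, ranges)
            print(f"{label:50} {name:6} -> {ip:15} left in header: {rest!r}")
```

Under the broad ranges the second sample's header is accepted from a host that is not the load balancer, while the narrow range leaves the peer address as the client IP. The third sample resolves to the proxy's address until that proxy is also listed as trusted.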

Additional Notes

  • This configuration assumes a standard AWS Load Balancer setup
  • If using a custom proxy setup or different cloud provider, the RemoteIPInternalProxy ranges may need adjustment
  • Regular updates to the MaxMind database files are recommended for accurate geolocation