geoblock

module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 30, 2025 License: AGPL-3.0

README

Geoblock

Block clients based on their country, ASN, or network.

Table of contents

Introduction

Geoblock is a lightweight authorization service that restricts client access based on:

  • Client's country
  • Client's IP address
  • Client's ASN (Autonomous System Number)
  • Requested domain
  • Requested method

It works as a forward-authentication service that can be used with reverse proxies such as Traefik, NGINX, and Caddy.

Features

  • Flexible: Allows you to define access control rules based on countries, domains, methods, networks, and ASNs.

  • Auto-reload: Automatically reloads the configuration file when it changes.

  • Auto-update: Automatically updates the GeoLite2 databases every day.

  • Metrics: Exposes simple metrics to monitor the service and build dashboards.

Deployment

Geoblock should be deployed as a forward authentication service that integrates with your existing reverse proxy.

flowchart TD
  Client
  Proxy["Reverse Proxy"]
  App
  Geoblock

  Client --->|Request| Proxy
  Proxy --->|Authorize request?| Geoblock
  Geoblock -..->|Yes / No| Proxy
  Proxy -..->|Return error if not authorized| Client
  Proxy --->|Forward request if authorized| App

Examples:

Configuration

Geoblock uses a single configuration file (/etc/geoblock/config.yaml by default) to set access control rules. Rules are evaluated sequentially, applying the first match per request. If no rules match, the default policy applies.

A rule matches if all specified conditions are met. Rules can include one or more of the following criteria:

  • countries: List of country codes (ISO 3166-1 alpha-2)
  • domains: List of domain names
  • methods: List of HTTP methods
  • networks: List of IP ranges in CIDR notation
  • autonomous_systems: List of ASNs

Example configuration file:

---
access_control:
  # Default action when no rules match ("allow" or "deny").
  default_policy: deny

  # List of access rules, evaluated in order. The first matching rule’s
  # policy is applied. If no rule matches, the default policy is used.
  #
  # IMPORTANT: Replace these example rules with your own rules.
  rules:
    # Allow access from internal/private networks.
    - networks:
        - 10.0.0.0/8
        - 127.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
      policy: allow

    # Deny access for clients from ASNs 1234 and 5678.
    - autonomous_systems:
        - 1234
        - 5678
      policy: deny

    # Allow access to any domain from clients in Germany (DE).
    - countries:
        - DE
      policy: allow

    # Allow access to example.com and example.org from clients in
    # France (FR) and the United States (US) using the GET or POST HTTP
    # methods.
    - domains:
        - example.com
        - example.org
      countries:
        - FR
        - US
      methods:
        - GET
        - POST
      policy: allow

Environment variables

[!NOTE] Environment variables are intended primarily to be used when running Geoblock locally during development. It is discouraged to set or modify their values when running the Docker image. Instead, use mounts or remap ports as needed.

The following environment variables can be used to configure Geoblock:

Variable Description Default
GEOBLOCK_CONFIG Path to the configuration file /etc/geoblock/config.yaml
GEOBLOCK_PORT Port to listen on 8080
GEOBLOCK_LOG_LEVEL Log level info

Supported log levels are: trace, debug, info, warn, error, fatal, or panic.

HTTP API

The following HTTP endpoints are exposed by Geoblock.

GET /v1/forward-auth

Check if a client is authorized to access a domain.

Request:

Header Required Description
X-Forwarded-For Yes Client's IP address
X-Forwarded-Host Yes Requested domain
X-Forwarded-Method Yes Requested HTTP method

Response:

Status Description
204 Authorized
403 Forbidden

GET /v1/health

Check if the service is healthy.

Response:

Status Description
204 Healthy

GET /v1/metrics

Returns metrics in JSON format.

Response:

  • MIME type: application/json

  • Properties:

    • version: Application version string
    • requests: Object containing request count metrics
      • allowed: Number of allowed requests
      • denied: Number of denied requests
      • invalid: Number of invalid requests
      • total: Total number of requests

  • Example:

    {
  "version": "0.2.0",
  "requests": {
    "allowed": 3,
    "denied": 2,
    "invalid": 1,
    "total": 6
  }
}

Attribution

Directories

Path Synopsis
cmd
geoblock command
Package main contains the main geoblock application.
 Package main contains the main geoblock application.
internal
config
Package config contains the schema and helper functions to work with the configuration file.
 Package config contains the schema and helper functions to work with the configuration file.
ipres
Package ipres provides an IP resolver that returns information about an IP address.
 Package ipres provides an IP resolver that returns information about an IP address.
itree
Package itree provides an interval tree implementation.
 Package itree provides an interval tree implementation.
metrics
Package metrics provides the metrics for the application.
 Package metrics provides the metrics for the application.
rules
Package rules contains all rules related logic.
 Package rules contains all rules related logic.
server
Package server contains the HTTP authorization server.
 Package server contains the HTTP authorization server.
utils/glob
Package glob provides simple globbing functions.
 Package glob provides simple globbing functions.
version
Package version provides version information for the application.
 Package version provides version information for the application.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.