Merge pull request #119 from UKHomeOffice/geoip2

Geoip2

Author: gambol99

.gitignore

@@ -1,2 +1,3 @@
 .idea
-/tmp/*
+/tmp/*
+*.swp

Dockerfile

@@ -1,5 +1,4 @@
 FROM quay.io/ukhomeofficedigital/centos-base:latest
-
 MAINTAINER Lewis Marshall <[email protected]>
 
 WORKDIR /root
@@ -18,10 +17,8 @@ RUN yum install -y bind-utils dnsmasq && \
     yum clean all
 
 ADD ./naxsi/location.rules /usr/local/openresty/naxsi/location.template
-
 ADD ./nginx*.conf /usr/local/openresty/nginx/conf/
-RUN mkdir /usr/local/openresty/nginx/conf/locations
-RUN mkdir -p /usr/local/openresty/nginx/lua
+RUN mkdir -p /usr/local/openresty/nginx/conf/locations /usr/local/openresty/nginx/lua
 ADD ./lua/* /usr/local/openresty/nginx/lua/
 RUN md5sum /usr/local/openresty/nginx/conf/nginx.conf | cut -d' ' -f 1 > /container_default_ngx
 ADD ./defaults.sh /
@@ -32,21 +29,21 @@ ADD ./logging.conf /usr/local/openresty/nginx/conf/
 ADD ./html/ /usr/local/openresty/nginx/html/
 ADD ./readyness.sh /
 ADD ./helper.sh /
-ADD ./refresh_GeoIP.sh /
+ADD ./refresh_geoip.sh /
 
 RUN yum remove -y kernel-headers && \
     yum clean all
 
 RUN useradd -u 1000 nginx && \
-    install -o nginx -g nginx -d /usr/local/openresty/naxsi/locations \
-                                 /usr/local/openresty/nginx/{client_body,fastcgi,proxy,scgi,uwsgi}_temp && \
-    chown -R nginx:nginx /usr/local/openresty/nginx/{conf,logs} \
-                         /usr/share/GeoIP
+    install -o nginx -g nginx -d \
+      /usr/local/openresty/naxsi/locations \
+      /usr/local/openresty/nginx/{client_body,fastcgi,proxy,scgi,uwsgi}_temp && \
+    chown -R nginx:nginx /usr/local/openresty/nginx/{conf,logs} /usr/share/GeoIP
 
 WORKDIR /usr/local/openresty
 
-ENTRYPOINT ["/go.sh"]
+EXPOSE 10080 10443
 
-EXPOSE 10080
-EXPOSE 10443
 USER 1000
+
+ENTRYPOINT [ "/go.sh" ]

build.sh

@@ -4,17 +4,25 @@
 set -eu
 set -o pipefail
 
-OPEN_RESTY_URL='http://openresty.org/download/openresty-1.11.2.4.tar.gz'
+GEOIP_CITY_URL='http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz'
+GEOIP_COUNTRY_URL='http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz'
+GEOIP_MOD_URL='https://github.com/leev/ngx_http_geoip2_module/archive/3.0.tar.gz'
+GEOIP_UPDATE_CLI='https://github.com/maxmind/geoipupdate/releases/download/v3.1.1/geoipupdate-3.1.1.tar.gz'
+GEOIP_URL='https://github.com/maxmind/libmaxminddb/releases/download/1.3.2/libmaxminddb-1.3.2.tar.gz'
 LUAROCKS_URL='http://luarocks.org/releases/luarocks-2.4.2.tar.gz'
 NAXSI_URL='https://github.com/nbs-system/naxsi/archive/0.56.tar.gz'
+OPEN_RESTY_URL='http://openresty.org/download/openresty-1.11.2.4.tar.gz'
 STATSD_URL='https://github.com/UKHomeOffice/nginx-statsd/archive/0.0.1.tar.gz'
-GEOIP_URL='https://github.com/maxmind/geoip-api-c/releases/download/v1.6.11/GeoIP-1.6.11.tar.gz'
+
+MAXMIND_PATH='/usr/share/GeoIP'
 
 # Install dependencies to build from source
 yum -y install \
     gcc-c++ \
     gcc \
+    git \
     make \
+    libcurl-devel \
     openssl-devel \
     openssl \
     perl \
@@ -25,57 +33,69 @@ yum -y install \
     unzip \
     wget
 
-mkdir -p openresty luarocks naxsi nginx-statsd geoip
+mkdir -p openresty luarocks naxsi nginx-statsd geoip geoipupdate ngx_http_geoip2_module
 
 # Prepare
-wget -qO - "$OPEN_RESTY_URL" | tar xzv --strip-components 1 -C openresty/
-wget -qO - "$LUAROCKS_URL"   | tar xzv --strip-components 1 -C luarocks/
-wget -qO - "$NAXSI_URL"      | tar xzv --strip-components 1 -C naxsi/
-wget -qO - "$STATSD_URL"     | tar xzv --strip-components 1 -C nginx-statsd/
-wget -qO - "$GEOIP_URL"      | tar xzv --strip-components 1 -C geoip/
+wget -qO - "$OPEN_RESTY_URL"   | tar xzv --strip-components 1 -C openresty/
+wget -qO - "$LUAROCKS_URL"     | tar xzv --strip-components 1 -C luarocks/
+wget -qO - "$NAXSI_URL"        | tar xzv --strip-components 1 -C naxsi/
+wget -qO - "$STATSD_URL"       | tar xzv --strip-components 1 -C nginx-statsd/
+wget -qO - "$GEOIP_URL"        | tar xzv --strip-components 1 -C geoip/
+wget -qO - "$GEOIP_UPDATE_CLI" | tar xzv --strip-components 1 -C geoipupdate/
+wget -qO - "$GEOIP_MOD_URL"    | tar xzv --strip-components 1 -C ngx_http_geoip2_module/
 
-# Build!
+# Build
 pushd geoip
+mkdir -p ${MAXMIND_PATH}
 ./configure
-make
 make check install
+echo "/usr/local/lib" >> /etc/ld.so.conf.d/libmaxminddb.conf
+curl -fSL ${GEOIP_COUNTRY_URL} | gzip -d > ${MAXMIND_PATH}/GeoLite2-Country.mmdb
+curl -fSL ${GEOIP_CITY_URL} | gzip -d > ${MAXMIND_PATH}/GeoLite2-City.mmdb
+chown -R 1000:1000 ${MAXMIND_PATH}
 popd
-rm -fr geoip
+
+pushd geoipupdate
+./configure
+make check install
+popd
+
+# check maxmind module
+echo "Checking libmaxminddb module"
+ldconfig && ldconfig -p | grep libmaxminddb
 
 pushd openresty
-./configure --add-module="../naxsi/naxsi_src" \
+./configure --add-dynamic-module="/root/ngx_http_geoip2_module" \
+            --add-module="../naxsi/naxsi_src" \
             --add-module="../nginx-statsd" \
             --with-http_realip_module \
-            --with-http_geoip_module \
             --with-http_stub_status_module
-make
 make install
 popd
 
 # Install NAXSI default rules...
 mkdir -p /usr/local/openresty/naxsi/
 cp "./naxsi/naxsi_config/naxsi_core.rules" /usr/local/openresty/naxsi/
 
-rm -fr openresty naxsi nginx-statsd
-
 pushd luarocks
 ./configure --with-lua=/usr/local/openresty/luajit \
-    --lua-suffix=jit-2.1.0-beta2 \
-    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
+            --lua-suffix=jit-2.1.0-beta2 \
+            --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
 make build install
 popd
-rm -fr luarocks
 
 luarocks install uuid
 luarocks install luasocket
-luarocks install lua-geoip
 
 # Remove the developer tooling
+rm -fr openresty naxsi nginx-statsd geoip luarocks ngx_http_geoip2_module
 yum -y remove \
     gcc-c++ \
     gcc \
+    git \
     make \
     openssl-devel \
+    libcurl-devel \
     perl \
     pcre-devel \
     readline-devel

ci-build.sh

@@ -14,7 +14,7 @@ MUTUAL_TLS="mutual-tls-${BUILD_NUMBER}"
 STANDARD_TLS="standard-tls-${BUILD_NUMBER}"
 MOCKSERVER_PORT=9000
 SLOWMOCKSERVER_PORT=9001
-WORKDIR="/workdir/src/github.com/UKHomeOffice/docker-nginx-proxy"
+WORKDIR="${PWD}"
 
 function tear_down_container() {
     container=$1
@@ -91,7 +91,7 @@ docker build -t ${TAG} .
 echo "travis_fold:end:BUILD"
 
 echo "Running mocking-server..."
-docker build -t mockserver:latest /workdir/src/github.com/UKHomeOffice/docker-nginx-proxy -f docker-config/Dockerfile.mockserver
+docker build -t mockserver:latest ${WORKDIR} -f docker-config/Dockerfile.mockserver
 ${STD_CMD} -d \
            --name="${MOCKSERVER}" mockserver:latest \
            -config=/test-servers.yaml \
@@ -100,7 +100,7 @@ ${STD_CMD} -d \
 docker run --rm --link "${MOCKSERVER}:${MOCKSERVER}" martin/wait -c "${MOCKSERVER}:${MOCKSERVER_PORT}"
 
 echo "Running slow-mocking-server..."
-docker build -t slowmockserver:latest /workdir/src/github.com/UKHomeOffice/docker-nginx-proxy -f docker-config/Dockerfile.slowmockserver
+docker build -t slowmockserver:latest ${WORKDIR} -f docker-config/Dockerfile.slowmockserver
 ${STD_CMD} -d \
            --name="${SLOWMOCKSERVER}" slowmockserver:latest \
            -config=/test-servers.yaml \
@@ -147,19 +147,12 @@ start_test "Test GEODB settings can reject..." "${STD_CMD} \
            -e \"ADD_NGINX_LOCATION_CFG=error_page 403 /nginx-proxy/50x.shtml;\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test GeoIP config IS rejected..."
-if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \/ | grep '403 Forbidden' ; then
+if ! curl -v -k -H "X-Forwarded-For: 1.1.1.1" https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \/ | grep '403 Forbidden' ; then
   echo "We were expecting to be rejected with 403 error here - we are not in the Congo!"
   exit 2
 else
   echo "Rejected as expected - we are not in the Congo!"
 fi
-if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \
-  | grep 'An error occurred' ; then
-  echo "We were expecting to be rejected specific content for invalid country - we are not in the Congo!"
-  exit 2
-else
-  echo "Rejected with correct content as expected."
-fi
 
 start_test "Test rate limits 1 per second" "${STD_CMD} \
            -e \"PROXY_SERVICE_HOST=http://${MOCKSERVER}\" \
@@ -283,7 +276,7 @@ wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${P
      --private-key=./client_certs/client.key
 
 echo "Test upstream client certs..."
-docker build -t mutual-tls:latest /workdir/src/github.com/UKHomeOffice/docker-nginx-proxy -f docker-config/Dockerfile.mutual-tls
+docker build -t mutual-tls:latest ${WORKDIR} -f docker-config/Dockerfile.mutual-tls
 ${STD_CMD} -d \
            -e "PROXY_SERVICE_HOST=http://www.w3.org" \
            -e "PROXY_SERVICE_PORT=80" \
@@ -306,7 +299,7 @@ wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${P
 tear_down_container "${MUTUAL_TLS}"
 
 echo "Test failure to verify upstream server cert..."
-docker build -t standard-tls:latest /workdir/src/github.com/UKHomeOffice/docker-nginx-proxy -f docker-config/Dockerfile.standard-tls
+docker build -t standard-tls:latest ${WORKDIR} -f docker-config/Dockerfile.standard-tls
 ${STD_CMD} -d \
            -e "PROXY_SERVICE_HOST=http://www.w3.org" \
            -e "PROXY_SERVICE_PORT=80" \

defaults.sh

@@ -21,7 +21,6 @@ cat > ${NGIX_CONF_DIR}/server_certs.conf <<-EOF_CERT_CONF
     ssl_dhparam ${NGIX_CONF_DIR}/dhparam.pem;
 EOF_CERT_CONF
 
-
 if [ "${LOCATIONS_CSV}" == "" ]; then
     LOCATIONS_CSV=/
 fi
@@ -113,10 +112,10 @@ fi
 
 if [ -f /etc/keys/client-ca ]; then
     msg "Loading client certs."
-	cat > ${NGIX_CONF_DIR}/client_certs.conf <<-EOF_CLIENT_CONF
-		ssl_client_certificate /etc/keys/client-ca;
-		ssl_verify_client optional;
-	EOF_CLIENT_CONF
+    cat > ${NGIX_CONF_DIR}/client_certs.conf <<-EOF_CLIENT_CONF
+      ssl_client_certificate /etc/keys/client-ca;
+      ssl_verify_client optional;
+EOF_CLIENT_CONF
 else
     msg "No client certs mounted - not loading..."
 fi
@@ -148,7 +147,7 @@ case "${LOG_FORMAT_NAME}" in
 					ngx.var.response_body = ngx.ctx.buffered
 				end
 			';
-		EOF-LOGGING-BODY-TRUE
+EOF-LOGGING-BODY-TRUE
         fi
 
         echo "map \$request_uri \$loggable { ~^/nginx_status/  0; default 1;}">>${NGIX_CONF_DIR}/logging.conf #remove logging for the sysdig agent.
@@ -171,24 +170,54 @@ if [ "${ADD_NGINX_HTTP_CFG}" != "" ]; then
 fi
 
 GEO_CFG="${NGIX_CONF_DIR}/nginx_geoip.conf"
+GEO_CFG_INIT="${NGIX_CONF_DIR}/nginx_geoip_init.conf"
+GEO_CFG_CONFIG="${NGIX_CONF_DIR}/nginx_geoip.conf"
+
 if [ "${ALLOW_COUNTRY_CSV}" != "" ]; then
-    msg "Enabling Country codes detection:${ALLOW_COUNTRY_CSV}..."
-	cat > ${NGIX_CONF_DIR}/nginx_geoip_init.conf <<-EOF-GEO-INIT
-	init_by_lua '
-		country = require "country"
-		country:init()
-	';
-	EOF-GEO-INIT
-    echo "set_by_lua_file \$country_code /usr/local/openresty/nginx/lua/get_country.lua \"\$${REMOTE_IP_VAR}\";">>${GEO_CFG}
-
-    # Set up base data as that from yum package...
-    ln -s /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoLiteCountry.dat
-
-    # Refresh in background...
-    /refresh_GeoIP.sh &
+    msg "Enabling Country codes detection: ${ALLOW_COUNTRY_CSV}"
+
+    cat > $GEO_CFG_INIT <<-EOF
+geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
+  auto_reload 21600;
+  \$geoip2_metadata_country_build metadata build_epoch;
+  \$geoip2_data_country_code default=NA source=\$realip country iso_code;
+  \$geoip2_data_country_name country names en;
+}
+
+geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
+  \$geoip2_data_city_name default=NA city names en;
+}
+
+geoip2_proxy_recursive on;
+geoip2_proxy 0.0.0.0/0;
+
+map \$geoip2_data_country_code \$allowed_country {
+  default no;
+  NA yes;
+  $(echo -n "${ALLOW_COUNTRY_CSV}" | awk -F',' "{ for (i=1; i<=NF; i++) { printf \"%s yes;\n\", \$i; }}")
+}
+
+EOF
+    cat > $GEO_CFG_CONFIG <<EOF
+# use either the remote addr or the x-forwarded-for header
+set \$realip \$remote_addr;
+if (\$http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)") {
+  set \$realip \$1;
+}
+set \$country_code \$geoip2_data_country_code;
+
+# check if the country is allowed and deny
+if (\$allowed_country = no) {
+  return 403;
+}
+
+EOF
+    /refresh_geoip.sh&
+    msg "Enabling the geoip refresh background job"
 else
+    touch ${GEO_CFG_CONFIG}
+    touch ${GEO_CFG_INIT}
     touch ${GEO_CFG}
-    touch ${NGIX_CONF_DIR}/nginx_geoip_init.conf
 fi
 
 if [ "${STATSD_METRICS_ENABLED}" = "TRUE" ]; then
@@ -197,5 +226,4 @@ if [ "${STATSD_METRICS_ENABLED}" = "TRUE" ]; then
     echo "statsd_count \"waf.status.\$status\" 1;" > ${NGIX_CONF_DIR}/nginx_statsd_metrics.conf
 fi
 
-
 eval "${NGINX_BIN} -g \"daemon off;\""