GeoIP Location in Varnish

Posted on May 23, 2016 - July 2, 2017 by Mr. Reboot

Tested on Ubuntu 14 / Varnish 4

First install packages and libraries needed, you must use the varnish official repositories:

~ $ sudo apt-get install varnish varnish-dev git-core libgeoip-dev apt-transport-https libtool python-docutils automake make

Then download geoip vmod and compile it:

~ $ cd /usr/src/
~ $ git clone https://github.com/varnish/libvmod-geoip
~ $ cd libvmod-geoip
~ $ ./autogen.sh
~ $ ./configure
~ $ make
~ $ make install

Vmod will be installed in /usr/lib/varnish/vmods/.

TIP: The geoip database from repositories is a little bit outdated, so you can download the MaxMind free database to get better results:

~ $ cd /usr/share/GeoIP/
~ $ mv GeoIP.dat GeoIP.dat.old
~ $ wget -O GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
~ $ gunzip GeoIP.dat.gz

Now in order to use its functions, first import the module in default.vcl file:

import geoip;

Then configure vmod geoip in varnish for blocking by country, for example if you want block China and Russia, in vcl_recv add first:

set req.http.X-Country-Code = geoip.country_code("" + client.ip);

to set the country code, and then to ban the country(s):

if (req.http.X-Country-Code ~ "(CN|RU)" ) {
        return (synth(403, "Forbidden"));
}

Now in vcl_synth, add something like this:

if (resp.status == 403) {
        synthetic( {"<!DOCTYPE html>
        <html>
        <head>
        <title>Forbidden</title> 
        </head>
        <body>
        <h1>Forbidden</h1>
        </body>
        </html>
        "} ) 
};

Finally reload varnish:

~ $ /etc/init.d/varnish reload

7 Comments

Luigi says:

July 1, 2017 at 8:54 pm

I have this error in compiling :

# make
make all-recursive
make[1]: Entering directory ‘/root/libvmod-geoip’
Making all in src
make[2]: Entering directory ‘/root/libvmod-geoip/src’
make[2]: Nothing to be done for ‘all’.
make[2]: Leaving directory ‘/root/libvmod-geoip/src’
make[2]: Entering directory ‘/root/libvmod-geoip’
========================================
You need rst2man installed to make dist
========================================
Makefile:939: recipe for target ‘vmod_geoip.3’ failed
make[2]: *** [vmod_geoip.3] Error 1
make[2]: Leaving directory ‘/root/libvmod-geoip’
Makefile:516: recipe for target ‘all-recursive’ failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory ‘/root/libvmod-geoip’
Makefile:384: recipe for target ‘all’ failed
make: *** [all] Error 2

Do you have any idea ?

Reply
1. Mr. Reboot says:
  
  July 2, 2017 at 10:05 am
  
  Error es caused for a packet missed, try:
  
  apt-get install python-docutils
  
  It contains rst2man tool, for documentation. Then execute ./configure, make clean and make, it should be working now without errors.
  
  Reply
Shannon says:

July 26, 2017 at 11:29 pm

Thanks for this post!

I am getting the following error:

make[2]: Entering directory `/usr/src/libvmod-geoip/src’
/usr/share/varnish/vmodtool.py ../src/vmod_geoip.vcc
/bin/bash ../libtool –tag=CC –mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -Wall -Wextra -Werror -g -O2 -MT vcc_if.lo -MD -MP -MF .deps/vcc_if.Tpo -c -o vcc_if.lo vcc_if.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -Wall -Wextra -Werror -g -O2 -MT vcc_if.lo -MD -MP -MF .deps/vcc_if.Tpo -c vcc_if.c -fPIC -DPIC -o .libs/vcc_if.o
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -Wall -Wextra -Werror -g -O2 -MT vcc_if.lo -MD -MP -MF .deps/vcc_if.Tpo -c vcc_if.c -o vcc_if.o >/dev/null 2>&1
mv -f .deps/vcc_if.Tpo .deps/vcc_if.Plo
/bin/bash ../libtool –tag=CC –mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -Wall -Wextra -Werror -g -O2 -MT vmod_geoip.lo -MD -MP -MF .deps/vmod_geoip.Tpo -c -o vmod_geoip.lo vmod_geoip.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -Wall -Wextra -Werror -g -O2 -MT vmod_geoip.lo -MD -MP -MF .deps/vmod_geoip.Tpo -c vmod_geoip.c -fPIC -DPIC -o .libs/vmod_geoip.o
vmod_geoip.c:21:48: error: ‘enum vcl_event_e’ declared inside parameter list [-Werror]
vmod_event(VRT_CTX, struct vmod_priv *pp, enum vcl_event_e evt)
^
vmod_geoip.c:21:48: error: its scope is only this definition or declaration, which is probably not what you want [-Werror]
vmod_geoip.c:21:60: error: parameter 3 (‘evt’) has incomplete type
vmod_event(VRT_CTX, struct vmod_priv *pp, enum vcl_event_e evt)
^
In file included from /usr/include/varnish/common/common.h:37:0,
from /usr/include/varnish/cache/cache.h:37,
from vmod_geoip.c:16:
vmod_geoip.c: In function ‘vmod_event’:
vmod_geoip.c:27:20: error: ‘VCL_EVENT_LOAD’ undeclared (first use in this function)
xxxassert(evt == VCL_EVENT_LOAD);
^
/usr/include/varnish/vas.h:68:8: note: in definition of macro ‘xxxassert’
if (!(e)) { \
^
vmod_geoip.c:27:20: note: each undeclared identifier is reported only once for each function it appears in
xxxassert(evt == VCL_EVENT_LOAD);
^
/usr/include/varnish/vas.h:68:8: note: in definition of macro ‘xxxassert’
if (!(e)) { \
^
vmod_geoip.c:21:60: error: unused parameter ‘evt’ [-Werror=unused-parameter]
vmod_event(VRT_CTX, struct vmod_priv *pp, enum vcl_event_e evt)
^
cc1: all warnings being treated as errors
make[2]: *** [vmod_geoip.lo] Error 1
make[2]: Leaving directory `/usr/src/libvmod-geoip/src’
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/libvmod-geoip’
make: *** [all] Error 2

Reply
Shannon says:

July 26, 2017 at 11:59 pm

Problem solved! I need to checkout the branch with my Varnish version.

Reply
1. Mr. Reboot says:
  
  July 27, 2017 at 8:25 pm
  
  Perfect!, and thanks for post the solution!
  
  Reply
Paras Haria says:

December 11, 2018 at 12:32 pm

I have recently installed Varnish GeoIP on our Centos box and i have added import geoip; plus some additional syntax to our default.vcl file. When i test the file, the file output, so all appears to be in order.

But when i reload varnish, i get the following – can anyone shed some light on this?

Dec 11 11:00:07 email.londonpersona.com varnishd[14403]: Child (4841) Last panic at: Tue, 11 Dec 2018 11:00:07 GMT
“Assert error in vmod_event(), vmod_geoip.c line 35:
Condition((pp->priv) != 0) not true.
errno = 2 (No such file or directory)
thread = (cache-main)
version = varnish-4.1.10 revision
1d090c5a08f41c36562644bafcce9d3cb85d824f
ident =
Linux,3.10.0-862.11.6.el7.x86_64,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
now = 4149011.228936 (mono), 1544526007.863266 (real)
Backtrace:
0x4352f2: pan_ic+0x192
0x7fae9c3f3bf5: libvmod_geoip.so(+0xbf5) [0x7fae9c3f3bf5]
0x7fae9c5f9e2c: vgc.so(+0x3e2c) [0x7fae9c5f9e2c]
0x4413db: ccf_config_load+0x18b
0x7faeafc97ed1: libvarnish.so(+0x6ed1) [0x7faeafc97ed1]
0x7faeafc9830b: libvarnish.so(+0x730b) [0x7faeafc9830b]
0x7faeafc9d898: libvarnish.so(VLU_Fd+0xd8) [0x7faeafc9d898]
0x7faeafc98fa3: libvarnish.so(VCLS_Poll+0x143)
[0x7faeafc98fa3]
0x41b5e1: CLI_Run+0x41
0x43159d: child_main+0x15d
“

Reply
Mr. Reboot says:

December 15, 2018 at 5:45 pm

Hi Paras.

I tried the following steps and it worked fine (centos 7 / varnish 4.1):

– Add varnish 4.1 repo from official site https://packagecloud.io/varnishcache/varnish41/install#manual-rpm

– Then install packages and dependences, and compile:

# yum install varnish varnish-libs-devel GeoIP-devel libtool file make git
# cd /usr/src
# git clone https://github.com/varnish/libvmod-geoip
# cd libvmod-geoip/
# ./autogen.sh
# ./configure
# make
# make install

– Check that vmod was installed:

# ls -lha /usr/lib64/varnish/vmods

– Add module in vcl:

# import geoip;

– Restart varnish:

# systemctl restart varnish.service

Let me know if works for you.

Reply