2025年2月7日金曜日

apache2のgeoipで日本以外のアクセスをブロックする

たぶんiPhoneのicloud+のプライベートアクセスも判定できるはず。

# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo




setup_geoip_restriction.sh

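#!/bin/bash
#
# setup_geoip_restriction.sh
#
# Restrict an Apache 2.4 server to requests whose GeoIP country is the allowed
# one (Japan by default) plus localhost, using mod_geoip and mod_remoteip.
#
# Usage:  sudo-capable user runs  ./setup_geoip_restriction.sh
#
# Environment (all optional):
#   ALLOWED_COUNTRY     two-letter ISO country code to allow (default: JP)
#   REMOTE_IP_HEADER    header that a trusted proxy/CDN uses to pass the real
#                       client address (default: X-Forwarded-For; Cloudflare
#                       also sends CF-Connecting-IP)
#   TRUSTED_PROXY_LIST  path to a file with one proxy/CDN CIDR per line whose
#                       REMOTE_IP_HEADER may be trusted. Without it only
#                       127.0.0.1 / ::1 are trusted, and the header is ignored
#                       from every other peer.
#
# The country is decided ONLY from mod_geoip's lookup of the (proxy-resolved)
# client address. Client-supplied country headers such as CF-IPCountry are not
# consulted, because any client that can reach this host directly could set
# them and bypass the restriction.

# Stop on errors, unset variables and failed pipeline stages.
set -euo pipefail

readonly ALLOWED_COUNTRY=${ALLOWED_COUNTRY:-JP}
readonly REMOTE_IP_HEADER=${REMOTE_IP_HEADER:-X-Forwarded-For}
readonly TRUSTED_PROXY_LIST=${TRUSTED_PROXY_LIST:-}
readonly GEOIP_DB=/usr/share/GeoIP/GeoIP.dat
readonly GEOIP_CONF=/etc/apache2/conf-available/geoip-japan.conf
readonly REMOTEIP_CONF=/etc/apache2/conf-available/remoteip.conf

#######################################
# Print an error to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section heading preceded by a blank line.
# Arguments: message words
#######################################
log() {
  printf '\n%s\n' "$*"
}

#######################################
# Reject settings that cannot safely be interpolated into Apache directives.
# Globals: ALLOWED_COUNTRY, REMOTE_IP_HEADER, TRUSTED_PROXY_LIST (read)
# Returns: exits via die() on invalid input
#######################################
validate_settings() {
  # ALLOWED_COUNTRY becomes part of a SetEnvIf regex: allow only an ISO code.
  [[ "$ALLOWED_COUNTRY" =~ ^[A-Z]{2}$ ]] \
    || die "ALLOWED_COUNTRY must be a two-letter upper-case ISO code, got '${ALLOWED_COUNTRY}'"
  # REMOTE_IP_HEADER becomes a RemoteIPHeader argument: plain header name only.
  [[ "$REMOTE_IP_HEADER" =~ ^[A-Za-z0-9-]+$ ]] \
    || die "REMOTE_IP_HEADER must be a plain header name, got '${REMOTE_IP_HEADER}'"
  if [[ -n "$TRUSTED_PROXY_LIST" ]]; then
    [[ -r "$TRUSTED_PROXY_LIST" ]] \
      || die "TRUSTED_PROXY_LIST is not a readable file: ${TRUSTED_PROXY_LIST}"
    # The path is written unescaped into the config; keep it simple.
    [[ "$TRUSTED_PROXY_LIST" != *[[:space:]\"]* ]] \
      || die "TRUSTED_PROXY_LIST path must not contain whitespace or quotes"
  fi
  command -v curl >/dev/null || die "curl is required for the post-setup tests"
}

#######################################
# Install mod_geoip, the legacy GeoIP database and the lookup tool.
# Globals: GEOIP_DB (read)
#######################################
install_packages() {
  log "Installing required packages..."
  sudo apt-get update
  sudo apt-get install -y libapache2-mod-geoip geoip-database geoip-bin
  # With the restriction active, a missing database means no country can be
  # resolved and every non-local request is denied; fail here instead.
  [[ -r "$GEOIP_DB" ]] || die "GeoIP database not found at ${GEOIP_DB}"
}

#######################################
# Enable the Apache modules the configuration relies on.
#######################################
enable_modules() {
  log "Enabling Apache modules..."
  sudo a2enmod geoip remoteip headers
}

#######################################
# Write the GeoIP access rule (Apache 2.4 Require syntax).
# Globals: GEOIP_CONF, GEOIP_DB, ALLOWED_COUNTRY (read)
#######################################
write_geoip_conf() {
  log "Creating GeoIP configuration..."
  sudo tee "$GEOIP_CONF" >/dev/null <<EOF
# Generated by setup_geoip_restriction.sh
GeoIPEnable On
GeoIPDBFile ${GEOIP_DB}

# Applies to every request. The country comes solely from mod_geoip's lookup
# of the client address; mod_remoteip has already replaced that address with
# the one forwarded by a trusted proxy (test 2 of the setup script confirms
# this ordering). Client-supplied country headers (e.g. CF-IPCountry) are
# deliberately not consulted: a client reaching this host directly could set
# them to any value.
#
# NOTE: AuthMerging is Off by default, so a more specific Require in a
# virtual host or .htaccess replaces this rule instead of adding to it;
# set "AuthMerging And" where both must hold.
<Location />
    SetEnvIf GEOIP_COUNTRY_CODE ^${ALLOWED_COUNTRY}\$ AllowCountry
    <RequireAny>
        # localhost is always allowed
        Require ip 127.0.0.1 ::1
        Require env AllowCountry
    </RequireAny>
</Location>
EOF
}

#######################################
# Write the RemoteIP configuration that resolves the real client address.
# Globals: REMOTEIP_CONF, REMOTE_IP_HEADER, TRUSTED_PROXY_LIST (read)
#######################################
write_remoteip_conf() {
  log "Creating RemoteIP configuration..."
  local proxy_list_directive=""
  if [[ -n "$TRUSTED_PROXY_LIST" ]]; then
    proxy_list_directive="RemoteIPTrustedProxyList \"${TRUSTED_PROXY_LIST}\""
  fi
  sudo tee "$REMOTEIP_CONF" >/dev/null <<EOF
# Generated by setup_geoip_restriction.sh
# Only one RemoteIPHeader is in effect (a later directive replaces an earlier
# one), so exactly one is written here.
RemoteIPHeader ${REMOTE_IP_HEADER}
# The header is honoured only when the TCP peer is one of the proxies below;
# from any other peer it is ignored, so a client cannot spoof its own address.
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy ::1
${proxy_list_directive}
EOF
}

#######################################
# Enable both configurations, validate them, then restart Apache.
#######################################
activate_config() {
  log "Enabling configurations..."
  sudo a2enconf geoip-japan remoteip
  # Validate first so a bad config cannot leave the server down after restart.
  sudo apache2ctl configtest
  log "Restarting Apache..."
  sudo systemctl restart apache2
}

#######################################
# Request http://localhost/ with extra curl arguments and report the status.
# Arguments: $1 - label, $2 - expected HTTP status, rest - extra curl args
# Outputs:   one result line on stdout (OK / MISMATCH); never aborts the run
#######################################
check() {
  local label=$1 expected=$2
  shift 2
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' "$@" http://localhost/) \
    || code="curl-error"
  local verdict=OK
  [[ "$code" == "$expected" ]] || verdict=MISMATCH
  printf '%-58s expected %s, got %s  %s\n' "$label" "$expected" "$code" "$verdict"
}

#######################################
# Exercise the rule from localhost, which is an internal proxy and may
# therefore inject REMOTE_IP_HEADER.
# Globals: ALLOWED_COUNTRY, REMOTE_IP_HEADER (read)
#######################################
run_tests() {
  log "Running tests..."
  # 126.1.1.1 is used as a sample Japanese address; 8.8.8.8 as a US one.
  local jp_expected=403
  if [[ "$ALLOWED_COUNTRY" == "JP" ]]; then
    jp_expected=200
  fi
  check "1. direct access from localhost" 200
  # Passing only because mod_geoip looked up the forwarded address, not the
  # localhost peer (which would no longer match Require ip after RemoteIP).
  check "2. Japanese address via ${REMOTE_IP_HEADER} (126.1.1.1)" "$jp_expected" \
    -H "${REMOTE_IP_HEADER}: 126.1.1.1"
  check "3. US address via ${REMOTE_IP_HEADER} (8.8.8.8)" 403 \
    -H "${REMOTE_IP_HEADER}: 8.8.8.8"
  # A client-supplied country header must not override the GeoIP result.
  check "4. US address plus client-supplied CF-IPCountry: JP" 403 \
    -H "CF-IPCountry: JP" -H "${REMOTE_IP_HEADER}: 8.8.8.8"

  log "GeoIP database lookups:"
  geoiplookup 8.8.8.8
  geoiplookup 126.1.1.1
}

#######################################
# Print what still has to be verified by hand before production use.
#######################################
print_followup_notes() {
  log "Setup and testing completed."
  cat <<EOF
Note: in a production environment, please verify the following:
1. If a CDN or reverse proxy (e.g. Cloudflare) sits in front of this host,
   re-run with TRUSTED_PROXY_LIST pointing at a file of its address ranges;
   otherwise every request is attributed to the proxy's own address.
2. Restrict direct access to this host to those proxy ranges (firewall),
   because GeoIP can only be checked on the address the server actually sees.
3. Confirm the distribution's GeoIP.dat is recent enough for your needs
   (geoiplookup -v prints the database build information).
4. Test with real traffic from an allowed and from a blocked country.
EOF
}

#######################################
# Entry point.
#######################################
main() {
  printf 'Starting GeoIP restriction setup...\n'
  validate_settings
  install_packages
  enable_modules
  write_geoip_conf
  write_remoteip_conf
  activate_config
  run_tests
  print_followup_notes
}

main "$@"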
