Can't get MaxMind to work for geoblocking

Hi, I’ve been following the instructions at linuxserver/docker-mods at swag-maxmind (github.com) so that I can block specific countries from accessing my SWAG instance. Since it didn’t work the first time, I undid everything, confirmed that SWAG was working with no errors then followed the instructions again, to the letter - it’s still not working so I guess I’ve still done something wrong!

The relevant part of the log file is this:

25/01/2023 14:41:23
Applying the maxmind mod...
25/01/2023 14:41:23
sed: /etc/libmaxminddb.cron.conf: No such file or directory
25/01/2023 14:41:23
Applied the maxmind mod
25/01/2023 14:41:23
[custom-init] No custom files found, skipping...
25/01/2023 14:41:23
[ls.io-init] done.
25/01/2023 14:41:23
nginx: [emerg] unknown "geoip2_data_country_iso_code" variable
25/01/2023 14:41:23
2023-01-25 14:41:23,835 fail2ban.configreader   [403]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
25/01/2023 14:41:24
Server ready
25/01/2023 14:41:24
nginx: [emerg] unknown "geoip2_data_country_iso_code" variable
25/01/2023 14:41:25
nginx: [emerg] unknown "geoip2_data_country_iso_code" variable

Docker-compose:

version: '3.2'


services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - URL=myurl.com
      - SUBDOMAINS=subdomain1, subdomain2
      - VALIDATION=http
      - DOCKER_MODS=linuxserver/mods:swag-maxmind|linuxserver/mods:swag-dashboard
      - MAXMINDDB_LICENSE_KEY=MyLicenseKey
    volumes:
      - ${LOC_CONFIG}/swag:/config

    ports:
      - 443:443 # SSL access
      - 80:80 # http auth
      - 81:81 # SWAG dashboard
    networks:
      - authelia
    restart: ${RESTART_POLICY}

networks:
  authelia:
    external: true

Relevant part of nginx.conf:

http {

    # Include maxmind geolocation data
    include /config/nginx/maxmind.conf;

Maxmind.conf:

map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    UK yes;
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes;
    US no;
}

Relevant part of default.conf:

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # following 2 lines inserted to enable geo blocking
    # using SWAG Maxmind geo blocking plugin
    if ($lan-ip = yes) { set $geo-whitelist yes; }
    if ($geo-whitelist = no) { return 404; }

}

Any help to figure out what I’m doing wrong would be much appreciated!

I had the same issue, with the same directions. Guessing newer swag builds have a default maxmind.conf file. When creating one from scratch the section to assign the variable for the country_iso_code needs to be added. Same with adding a local ip if desired. Here is what my working file looks like.

geoip2 /config/geoip2db/GeoLite2-City.mmdb {
    auto_reload 1w;
    $geoip2_data_country_iso_code country iso_code;
}

map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    US yes;
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes;
    US no;
}

# ALLOW LOCAL ACCESS
geo $lan-ip {
    default no;
    192.168.0.0/24 yes; #Replace with your LAN subnet
    127.0.0.1 yes;
}
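
Added example (not part of either post and not linuxserver's code): a preflight check for the failure in this thread, run over the config text before nginx starts. It lists variables that are read by `map` or `if` but never defined by a `geoip2`, `map` or `geo` block, and flags `UK` as a country key, since the ISO 3166-1 code for the United Kingdom is `GB`. The names `check` and `first_tokens` are hypothetical, and the patterns cover only the directive forms that appear in this thread.

```python
import re

VAR = r"\$([\w-]+)"     # SWAG's examples use hyphenated names such as $geo-whitelist
NOT_ISO = {"UK": "GB"}  # ISO 3166-1 alpha-2 code for the United Kingdom is GB

def first_tokens(body):
    """First word of each ';'-terminated statement inside a { } block."""
    return [s.split()[0] for s in body.split(";") if s.split()]

def check(conf):
    """Return (undefined variables, non-ISO country keys) for nginx config text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    defined, used, bad_keys = set(), set(), []
    # geoip2 <db> { $name <lookup path>; } defines every $name that starts a statement
    for body in re.findall(r"\bgeoip2\s+\S+\s*\{([^}]*)\}", conf):
        defined.update(t[1:] for t in first_tokens(body) if t.startswith("$"))
    # map $source $target { key value; } reads $source and defines $target
    map_re = r"\bmap\s+" + VAR + r"\s+" + VAR + r"\s*\{([^}]*)\}"
    for src, dst, body in re.findall(map_re, conf):
        used.add(src)
        defined.add(dst)
        if src == "geoip2_data_country_iso_code":
            bad_keys += [k for k in first_tokens(body) if k in NOT_ISO]
    # geo [$address] $name { ... } defines the last variable before the brace
    defined.update(re.findall(r"\bgeo\s+(?:\$[\w-]+\s+)?" + VAR + r"\s*\{", conf))
    # if ($name ...) reads $name
    used.update(re.findall(r"\bif\s*\(\s*" + VAR, conf))
    return sorted(used - defined), bad_keys

# Constructed sample: the map and if lines from the question, no geoip2 or geo block
BROKEN = """
map $geoip2_data_country_iso_code $geo-whitelist { default no; UK yes; }
if ($lan-ip = yes) { set $geo-whitelist yes; }
if ($geo-whitelist = no) { return 404; }
"""
# Constructed sample: the same lines plus the geoip2 and geo blocks from the reply
FIXED = """
geoip2 /config/geoip2db/GeoLite2-City.mmdb { $geoip2_data_country_iso_code country iso_code; }
geo $lan-ip { default no; 192.168.0.0/24 yes; }
""" + BROKEN.replace("UK", "GB")

if __name__ == "__main__":
    print("question:", check(BROKEN))
    print("reply:   ", check(FIXED))
```

A non-empty first list corresponds to the `nginx: [emerg] unknown "..." variable` line in the log above; a non-empty second list means the whitelist would never match the intended country.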