From dd7768c8564c1bae877f3db8f126c70414c88b8b Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 18 Nov 2020 11:37:42 +0100
Subject: [PATCH] whitelist/blacklist country at LUA level to avoid SEO issues
---
 confs/site/geoip-server.conf | 3 ---
 confs/site/main-lua.conf | 6 ++++++
 confs/site/server.conf | 1 -
 entrypoint/site-config.sh | 4 ++--
 4 files changed, 8 insertions(+), 6 deletions(-)
 delete mode 100644 confs/site/geoip-server.conf
diff --git a/confs/site/geoip-server.conf b/confs/site/geoip-server.conf
deleted file mode 100644
index 9a03087..0000000
--- a/confs/site/geoip-server.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-if ($allowed_country = no) {
- return 444;
-}
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 78bd5ec..8f05181 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -5,6 +5,7 @@ access_by_lua_block {
 local use_whitelist_ip = %USE_WHITELIST_IP%
 local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
+local use_country = %USE_COUNTRY%
 local use_blacklist_ip = %USE_BLACKLIST_IP%
 local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
 local use_dnsbl = %USE_DNSBL%
@@ -34,6 +35,11 @@ if use_whitelist_reverse and whitelist.reverse_cached_ok() then
 ngx.exit(ngx.OK)
 end
+-- check if country is allowed
+if use_country and ngx.var.allowed_country == "no" then
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
 -- check if already in blacklist cache
 if use_blacklist_ip and blacklist.ip_cached_ko() then
 ngx.exit(ngx.HTTP_FORBIDDEN)
diff --git a/confs/site/server.conf b/confs/site/server.conf
index cd1bad9..cc6556a 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -23,7 +23,6 @@ server {
 %CONTENT_SECURITY_POLICY%
 %REFERRER_POLICY%
 %FEATURE_POLICY%
- %USE_COUNTRY%
 %BLOCK_USER_AGENT%
 %BLOCK_TOR_EXIT_NODE%
 %BLOCK_PROXIES%
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index ef264a0..39bdec9 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
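Review bot: The country check added in the second hunk of confs/site/main-lua.conf fails open, because `ngx.var.allowed_country == "no"` is false whenever the variable is nil, empty or any other value, so if whatever sets `$allowed_country` (defined outside this patch) is missing or not loaded, the block is skipped without any signal while `use_country` is true. A deny-side log line would make enforcement auditable, for example `ngx.log(ngx.WARN, "country not allowed: ", ngx.var.remote_addr)` just before the `ngx.exit`, plus a warning when `use_country` is true and the variable is nil. The check sits after only the cached whitelist lookups visible here; if the uncached whitelist checks run later in the block (not shown), a whitelisted client from a blocked country would be rejected before it can ever be whitelisted, which works against the SEO goal in the subject, so the ordering is worth confirming. The response also changes from `return 444` at server level to a 403 in the access phase, so rewrite-phase responses such as redirects are presumably served to blocked countries before this check runs. The access_by_lua_block begins and ends outside the hunk.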
@@ -239,9 +239,9 @@ replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHO
 # country ban
 if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
- replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;"
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "true"
 else
- replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" ""
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_COUNTRY%" "false"
 fi
 # block bad UA
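Review bot: The `# country ban` comment above the `if` no longer says where the ban is enforced, since `%USE_COUNTRY%` is now substituted as a Lua boolean literal into main-lua.conf instead of an `include` line in server.conf. I would extend it to something like `# country ban: sets the use_country flag read by access_by_lua_block in main-lua.conf (denies with 403)`, so an operator auditing the entrypoint can find the enforcement point. The surrounding script continues outside the hunk.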