Resolved Block specific countries through Plesk

Nginx does not support logical "or". Your best bet is to let the first if-section be followed by another for the other country code. But: Nginx has issues with "if" in general, so it could lead to crashes. If is Evil… when used in location context | NGINX
If I use the function multiple times, each time, for 1 country, like:

Code:
if ($geoip2_data_country_code = "COUNTRY 1") {
        return 403;
}

Code:
if ($geoip2_data_country_code = "COUNTRY 2") {
        return 403;
}

etc...

It's not a problem, right?
 
I do not know. How could I predict what will happen on your system? What keeps you from testing it?
 
@Peter Debik
when I asked you the question, I had already tested it and there was no problem.

I just wanted to make sure if the code structure was good since you told me that NGINX and IF can cause problems.

As for the test, I always do it. Then I ask questions just to check, that's how we learn.

Thank you anyway.
 
Well, that "if" thing in Nginx seems to be some weird stuff. According to their own documentation, when used in the "location" context the outcome is unpredictable, meaning that sometimes it will do something right, sometimes it will crash the whole server.
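
Added example, not part of any post in this thread: one way to block several countries without chaining `if` blocks is nginx's `map` directive, which turns the country code into a flag tested by a single `if` whose only action is `return`. `$block_country`, the `XX`/`YY` codes and `example.com` are placeholders assumed here; `$geoip2_data_country_code` is the variable used in the posts above.

```nginx
# http {} context: one lookup table instead of a chain of "if" blocks.
# $geoip2_data_country_code comes from the geoip2 module configuration
# already in use in the thread; $block_country is a hypothetical name.
map $geoip2_data_country_code $block_country {
    default 0;   # every country not listed below is allowed
    XX      1;   # placeholder ISO 3166-1 alpha-2 code, replace it
    YY      1;   # placeholder, add one line per blocked country
}

server {
    listen 80;
    server_name example.com;   # placeholder host name

    # Evaluated in server context, not inside a "location" block.
    # "if" treats an empty string or "0" as false, so only the listed
    # countries reach the "return", which is one of the operations the
    # "If is Evil" article lists as safe inside "if".
    if ($block_country) {
        return 403;
    }
}
```

`map` is only valid in the `http` context, so it cannot sit inside a `server` block; run `nginx -t` to validate the configuration before reloading.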
 
For the files I think the include is seen expanded, so you'd need to investigate further down in the included files. Regarding Nginx ModSecurity 3.0: This can be considered experimental. I am not sure if it indeed works with the rules. I think it should, but have not tested it.

Plesk is in the process of creating a general geo IP blocking feature, so maybe, if you want to save some time and it is not too urgent for you, it will be an option to just wait on that feature to be released. It is planned for 2023 and it is already being worked on.
Hi Peter, thanks for the info. Is there a further update on the ETA for this blocking?
My website chat is inundated with visitors from suspect countries.
 
The Plesk firewall uses the DB-IP "IP to Country Lite" database from DB-IP. You can use their website (db-ip.com) to do a lookup on the IP address used by your VPN to see if it matches the country in their database. If not, you might want to switch to the MaxMind IP database (either the free or paid version) as they offer a more reliable (up to date) IP database.
 
Thanks, although it successfully blocks me from logging in to my Plesk panel as it identifies my IP as a blocked location! I have left the firewall and rules running for now and will see what happens.
 
@othmaqsa Answered in your other thread: Question - Plesk Firewall
Hello @Peter Debik ,

I know very well that the order of the rules in the firewall is important.

Just to confirm, can I apply this, for example?
1- Deny connections on a specific port number.
2- Deny connections from specific IPs on a specific port number.
3- Allow connections on a specific port number.
4- Allow specific IPs to connect to specific ports.


Regarding this default rule 'System policy for incoming traffic' and this rule 'System policy for traffic forwarding', should they be placed at the top in case the priority mentioned above is correct?

Thanks.
 
If you're talking about the same port number, the above mentioned list would block or allow all before the specific cases are processed. For that case you'll need to switch positions of the specific and general entries. If your entries are meant for different ports, the order is o.k.
 
You can now mark this thread as resolved.

Thank you @Peter Debik