Selfhosted

60024 readers

755 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

Openwrt how to block countries but allow a specific path using BanIp (lemmy.world)

submitted 3 months ago* (last edited 3 months ago) by Hercules@lemmy.world to c/selfhosted@lemmy.world

6 comments fedilink hide all child comments

Hey,

Im using openwrt with banip to only allow certain countries to access my services. Im not familiair with banip and im having issues finding documentation about it so thats why i came here.

I need to allow a certain path to allow cert-manager to get me new certificates using http challanges. If im not mistaking i have to allow the path: .well-known/acme-challenge/*.

Is their an option to allow this from any country but block all other requests?

My current config is as following:

root@OpenWrt:~# uci show | grep ban
banip.global=banip
banip.global.ban_enabled='0'
banip.global.ban_debug='0'
banip.global.ban_autodetect='1'
banip.global.ban_allowlistonly='1'
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_ifv4='wan'
banip.global.ban_protov6='1'
banip.global.ban_ifv6='wan6'
banip.global.ban_dev='eth0'
banip.global.ban_fetchretry='5'
banip.global.ban_nicelimit='0'
banip.global.ban_filelimit='1024'
banip.global.ban_deduplicate='1'
banip.global.ban_nftpriority='-100'
banip.global.ban_icmplimit='25'
banip.global.ban_synlimit='10'
banip.global.ban_udplimit='100'
banip.global.ban_nftpolicy='memory'
banip.global.ban_nftretry='5'
banip.global.ban_blockpolicy='drop'
banip.global.ban_nftloglevel='warn'
banip.global.ban_logprerouting='0'
banip.global.ban_loginbound='1'
banip.global.ban_logoutbound='0'
banip.global.ban_loglimit='100'
banip.global.ban_autoallowlist='1'
banip.global.ban_autoallowuplink='subnet'
banip.global.ban_autoblocklist='1'
banip.global.ban_country='us'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*'
banip.global.ban_vlanallow='br-lan'
banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone'
banip.global.ban_geoip='1'
banip.global.geoip_src='dbip'
banip.global.geoip_mode='allowlist'
banip.global.ban_feeds='country:US' 'country:US' 'geoip:US'
banip.global.ban_all='1'
banip.global.allow_country='US'
banip.global.ban_feedin='country'
banip.global.ban_feed='hagezi' 'tor' 'vpn'
wireless.radio0.band='2g'
wireless.radio1.band='5g'

Thanks for your time and have a great day!

top 6 comments

sorted by: hot top controversial new old

[–] Anafabula@discuss.tchncs.de 4 points 3 months ago (1 children)

The path is part of the http protocol. Most firewalls only parse the first couple layers (ethernet->ip->tcp/udp), not http as well, unless they do deep package inspection. Idk if openwrt/banip has functionality like that.

It might be easier (and more performant if the firewall has weak hardware) to just allow tcp port 80 and let your reverse proxy do the filtering for that, since it (usually) needs to parse the http anyways.

[–] Hercules@lemmy.world 1 points 3 months ago

path is part of the http protocol. Most firewalls only parse the first couple layers (ethernet->ip->tcp/udp), not http as well, unless they do deep package inspection. Idk if openwrt/banip has functionality

I don't think openwrt can do this. Im running k3s with nginx as ingress but the issue is it doesn't see the actual ip but rather the ip of the container so i can't use nginx to block countries.

[–] non_burglar@lemmy.world 2 points 3 months ago

This can't be achieved with banip only, it bans based on CIDR blocks at layer 3 (IP).

[–] eleijeep@piefed.social 1 points 3 months ago (1 children)

Can you use DNS challenges instead? That would just require that you can create a TXT record in your domain.

[–] Hercules@lemmy.world 1 points 3 months ago

That is what i currently have setup but cert-manager is giving me a headache and not working correctly so im looking into http instead since its easier to setup

[–] Decronym@lemmy.decronym.xyz 1 points 3 months ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
nginx	Popular HTTP server

[Thread #174 for this comm, first seen 16th Mar 2026, 21:00] [FAQ] [Full list] [Contact] [Source code]