City-Based Access Control Using Geolocation in Apinizer

This document explains how to block or allow requests from specific cities using the geolocation feature on the Apinizer platform.

At the end of the study, we will use Kibana Map to visualize which cities these requests come from.

1-) Providing Geolocation Data

To provide this data you can use the services of MaxMind, IpGeolocation. These services allow you to download databases containing IP and city information.

In this step, we will download the free GeoLite2 City database from MaxMind and explain how to use it.

Apinizer usually uses the client IP address to obtain geolocation data. The incoming IP address is queried against a database to determine which city the request comes from.

After the registration process on the page is complete, we go to the red marked area below and download the zip file in the GeoLite2 City section and extract it and obtain our .mmdb extension file:

2-) Integration of Geolocation Database to Apinizer

Administration → System Settings → IP Geolocation Setting page, the file with .mmdb extension is added here and deployed.

3-) XFF Activation and Adding Allow/Block IP List Policy 

Using the X-Forwarded-For (XFF) header information through Apinizer, the real IP address of the client can be determined in requests.

With the Allow IP policy, requests from certain IP addresses or certain cities can be allowed. Using the Block IP policy, these requests can be blocked.

To be able to use XFF information, you can activate it in the Settings tab via the Proxy settings:

 Block requests from Istanbul by adding the Blocked IP List policy to this proxy:

Select Istanbul from the IP Geolocation field and save:

4-) Blocking Access and Conclusion

Access to the service was blocked with an IP address in Istanbul:

1. We explained how we blocked requests coming from Istanbul on the Apinizer platform.
2. We downloaded the GeoLite2 City database provided by MaxMind and integrated it into Apinizer.
3. By using the X-Forwarded-For (XFF) header, we identified the real IP addresses of clients and controlled requests coming from specific cities.
4. To block requests from Istanbul, we used the Block IP List policies, selected Istanbul, and successfully blocked access from this city.

Very important

See Kibana for a visualization of which cities the requests come from.