[BUG] dbip-mod isn't blocking connections from blacklisted countries #1151

@sameleff

Is there an existing issue for this?

  • I have searched the existing issues

Name of mod

dbip-mod

Name of base container

linuxserver/docker-swag

Current Behavior

Connection attempts from blacklisted countries are not blocked. access.log shows HTTP 200 status codes (vs. the 404 as expected). The swag-dash mod is also installed and shows hits & visitors from blacklisted countries.

Expected Behavior

Connection attempts from blacklisted countries are blocked via an HTTP 404 code.

Steps To Reproduce

  1. `include /config/nginx/dbip.conf;` added to the http section of the nginx.conf file
  2. /config/nginx/dbip.conf file edited to include the following

```nginx
map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    US yes;  #United States
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes;
    MY yes;
    IL yes;
    US no;  #United States
}
```

  3. /config/nginx/proxy.conf file edited to include the following. This file is included in every proxy-conf location block via an `include /config/nginx/proxy.conf;` statement.

```nginx
if ($lan-ip = yes) { set $geo-whitelist yes; }
if ($geo-whitelist = no) { return 404; }
if ($lan-ip = yes) { set $geo-blacklist yes; }
if ($geo-blacklist = no) { return 404; }
```

  4. Swag container stopped, log files cleared, then recreated with `docker compose up swag --force-recreate -d`
  5. dbip-mod successfully installed
  6. /config/geoip2db/dbip-country-lite.mmdb successfully created
  7. Watch logs, observe connection attempts from blacklisted countries

Environment

- OS: Unraid v.6.12.8
- How docker service was installed: via docker-compose, see below

CPU architecture

x86-64

Docker creation

docker compose file:

```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=<redacted>
      - URL=<redacted>
      - VALIDATION=duckdns
      - SUBDOMAINS=wildcard
      # - CERTPROVIDER= #optional
      # - DNSPLUGIN=duckdns  #optional
      - PROPAGATION=60 #optional
      - EMAIL=<redacted>
      # - ONLY_SUBDOMAINS=false #optional
      # - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
      - DUCKDNSTOKEN=<redacted>
      - SWAG_AUTORELOAD=true
      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-dbip
    volumes:
      - /mnt/user/appdata/swag:/config:rw
    ports:
      - 443:443
      - 80:80 #optional
      - 81:81 #swag-dashboard dockermod
    restart: unless-stopped
    networks:
      - swagnet
networks:
  swagnet:
    name: swagnet
    enable_ipv6: false
```

Container logs

***Container Logs***
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 5.4.0-ls448
Build-date: 2026-03-28T04:59:31+00:00
───────────────────────────────────────
    
using keys found in /config/keys
**** The following active confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare the following files to the samples in the same folder and update them. ****
**** Use the link at the top of the file to view the changelog. ****
┌────────────┬────────────┬────────────────────────────────────────────────────────────────────────┐
│  old date  │  new date  │ path                                                                   │
├────────────┼────────────┼────────────────────────────────────────────────────────────────────────┤
│ 2023-04-13 │ 2025-05-31 │ /config/nginx/nginx.conf                                               │
│ 2023-04-27 │ 2025-03-25 │ /config/nginx/authentik-server.conf                                    │
│ 2023-04-27 │ 2025-03-25 │ /config/nginx/authelia-server.conf                                     │
│ 2023-04-27 │ 2025-03-25 │ /config/nginx/authelia-location.conf                                   │
│ 2024-08-22 │ 2025-07-18 │ /config/nginx/proxy-confs/jellyfin.subdomain.conf                      │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/kopia.subdomain.conf                         │
│ 2023-12-14 │ 2025-07-18 │ /config/nginx/proxy-confs/maintainerr.subdomain.conf                   │
│ 2023-11-12 │ 2025-07-18 │ /config/nginx/proxy-confs/vaultwarden.subdomain.conf                   │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/homepage.subdomain.conf                      │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/ntfy.subdomain.conf                          │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/bookstack.subdomain.conf                     │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/uptime-kuma.subdomain.conf                   │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/audiobookshelf.subdomain.conf                │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/sonarr.subdomain.conf                        │
│ 2023-09-13 │ 2025-07-18 │ /config/nginx/proxy-confs/prowlarr.subdomain.conf                      │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/radarr.subdomain.conf                        │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/tautulli.subdomain.conf                      │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/overseerr.subdomain.conf                     │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/sabnzbd.subdomain.conf                       │
│ 2023-06-24 │ 2025-07-18 │ /config/nginx/proxy-confs/nextcloud.subdomain.conf                     │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/filebot.subdomain.conf                       │
│ 2023-05-31 │ 2025-07-18 │ /config/nginx/proxy-confs/homeassistant.subdomain.conf                 │
│ 2023-08-13 │ 2025-07-18 │ /config/nginx/ssl.conf                                                 │
│ 2023-06-05 │ 2026-03-07 │ /config/nginx/site-confs/default.conf                                  │
└────────────┴────────────┴────────────────────────────────────────────────────────────────────────┘
Variables set:
PUID=1000
PGID=1000
TZ=`redacted`
URL=`redacted`
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=`redacted`
STAGING=false

the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for `redacted` will be requested
E-mail address entered: `redacted`
dns validation via duckdns plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
    The following nginx confs are using certificates from the obsolete location
    /etc/letsencrypt and should be updated to point to /config/etc/letsencrypt
        
    /config/nginx/proxy-confs/nextcloud.subdomain.conf
Applying the dbip mod...
**** Applying the SWAG dashboard mod... ****
Applied the dbip mod
**** goaccess already installed, skipping ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
[custom-init] No custom files found, skipping...
Auto-reload: Watching the following folders for changes to .conf files:
/config/nginx
[ls.io-init] done.
Server ready

***access.log***
35.252.22.250 - - [27/May/2026:20:38:45 -0400] "GET /backup/recovery.sql.bz2 HTTP/1.1" 200 1345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
35.252.22.250 - - [27/May/2026:20:38:46 -0400] "GET /backup/recovery.sql HTTP/1.1" 200 1345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
35.252.22.250 - - [27/May/2026:20:38:46 -0400] "GET /backup/src.zip HTTP/1.1" 200 1345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
35.252.22.250 - - [27/May/2026:20:38:47 -0400] "GET /backup/src.tar.gz HTTP/1.1" 200 1345 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"

`35.252.22.250` is from Israel (country code IL), which is blacklisted.
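
The maps and the four `if` lines posted in the steps above can be evaluated per country code to see which verdict they yield when a request reaches them. This is an added example, not part of the original issue or the mod's code: a small Python model (not nginx) whose function names are made up for illustration, assuming the lines run in the order posted and that `$lan-ip` is `no` for external clients.

```python
# Added example: a model of nginx `map` lookup plus the `if`/`set`/`return`
# lines from the issue. It is an illustration, not nginx itself.

# Maps as posted in /config/nginx/dbip.conf (values copied from the issue).
GEO_WHITELIST = {"default": "no", "US": "yes"}
GEO_BLACKLIST = {"default": "yes", "MY": "yes", "IL": "yes", "US": "no"}


def map_lookup(table, key):
    """Model of `map`: use the listed value for the key, else `default`."""
    return table.get(key, table["default"])


def verdict(country, lan_ip="no",
            whitelist=GEO_WHITELIST, blacklist=GEO_BLACKLIST):
    """Run the four posted proxy.conf lines in order; return (status, reason).

    A status of None means no `return 404` fired and the request continues.
    """
    geo_whitelist = map_lookup(whitelist, country)
    geo_blacklist = map_lookup(blacklist, country)
    if lan_ip == "yes":            # if ($lan-ip = yes) { set $geo-whitelist yes; }
        geo_whitelist = "yes"
    if geo_whitelist == "no":      # if ($geo-whitelist = no) { return 404; }
        return 404, "geo-whitelist=no"
    if lan_ip == "yes":            # if ($lan-ip = yes) { set $geo-blacklist yes; }
        geo_blacklist = "yes"
    if geo_blacklist == "no":      # if ($geo-blacklist = no) { return 404; }
        return 404, "geo-blacklist=no"
    return None, "request continues"


def blocked_by_blacklist_only(country, blacklist=GEO_BLACKLIST):
    """Only the two blacklist lines: 404 exactly when the map yields `no`."""
    return map_lookup(blacklist, country) == "no"


if __name__ == "__main__":
    # DE is a constructed sample of a country listed in neither map.
    for code in ("IL", "MY", "US", "DE"):
        status, reason = verdict(code)
        print(f"{code}: all four lines -> {status} ({reason}); "
              f"blacklist lines only -> blocked={blocked_by_blacklist_only(code)}")
```

In this model every non-LAN request that reaches all four lines gets a 404, while the blacklist lines on their own match only US, because the check compares against the value `no`.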
