GeoIP Ranges
The GeoIP integration provides a list of IP address ranges and their country of origin. This data provider could allow an administrator to restrict or allow access based on a user's known GeoIP fingerprint. Each record is keyed by its CIDR range and looks like this:
```json
[
  {
    "$index": {"cidr": "1.0.0.0/24"},
    "id": "1.0.0.0/24",
    "country": "US",
    "state": "",
    "city": "",
    "zip": "",
    "timezone": ""
  },
  {
    "$index": {"cidr": "1.0.1.0/24"},
    "id": "1.0.1.0/24",
    "country": "CN",
    "state": "",
    "city": "",
    "zip": "",
    "timezone": ""
  }
]
```
The external data sources we provide are meant to be examples and inspiration for users to create their own data sources. We won't maintain these integrations in perpetuity, and changes to the APIs they interact with may break them in the future.
The datasource project is open-source, and if the community wishes to provide contributions to keep it working in the future, we will shepherd those updates.
Install
Docker Compose
These instructions assume a local testing environment using Docker Compose. Adjust as needed for your deployment environment.
- Download the IP2Location CSV GeoIP database from ip2location.com.
- Add the datasource docker image to Docker Compose:
```yaml
services:
  ip2location:
    image: docker.cloudsmith.io/pomerium/datasource/datasource:main
    container_name: ip2location
    command:
      - ip2location
      - /var/ip2location.csv.zip
    ports:
      - 8080:8080
    volumes:
      - ${PWD}/IP2LOCATION-LITE-DB1.CSV.ZIP:/var/ip2location.csv.zip
```
- Bring up the new container.
Local Binary
- Download the latest release of the Pomerium datasource project and extract it.
- Change directory and run the binary:
```bash
cd pomerium-datasource-*
./pomerium-datasource ip2location ../IP2LOCATION-LITE-DB1.CSV.ZIP
```
The output should resemble:
```text
<nil> INF starting ip2location http server address=:8080 file=../IP2LOCATION-LITE-DB1.CSV.ZIP
```
Configure External Data Source
Create an external data source:
- In the Pomerium Enterprise Console, navigate to CONFIGURE → External Data and click + ADD EXTERNAL DATA SOURCE.
- Fill out the following fields:

| Field | Content | Notes |
|---|---|---|
| URL | http://localhost:8080 | If you configured the service in Docker Compose with a set container name, you can use that instead. |
| Record type | pomerium.io/GeoIP | |
| Foreign Key | request.ip | |
| Polling Min Delay | 30m | Minimum poll interval |
| Polling Max Delay | 4h | Maximum poll interval |

- Click SAVE EXTERNAL DATA SOURCE.
Configure Pomerium Enterprise Console
An example policy to restrict access to IP addresses within the United States would look something like this (shown here in the Editor's YAML form; the Builder tab expresses the same rule graphically):
```yaml
allow:
  and:
    - record:
        field: country
        is: US
        type: pomerium.io/GeoIP
```
This policy looks at the country field of the GeoIP record matched to the request IP, and allows access only from IP addresses purportedly in the US.
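As an added example (not code from the Pomerium project), the lookup and policy check described above simulated in Python: records in the page's format are indexed by `$index.cidr`, the request IP is matched to its range (the `request.ip` foreign key), and the `allow`/`and`/`record` criteria are applied. The `POLICY` structure and the function names are this example's own, not Pomerium's API.

```python
import ipaddress
import json

# Constructed sample of the records the ip2location datasource serves
# (same shape as the page's example: "$index".cidr is the lookup key).
GEOIP_RECORDS = json.loads("""
[
  {"$index": {"cidr": "1.0.0.0/24"}, "id": "1.0.0.0/24", "country": "US",
   "state": "", "city": "", "zip": "", "timezone": ""},
  {"$index": {"cidr": "1.0.1.0/24"}, "id": "1.0.1.0/24", "country": "CN",
   "state": "", "city": "", "zip": "", "timezone": ""}
]
""")

# The page's policy as a Python structure (this example's own representation,
# not Pomerium's internal form): allow when every criterion under `and` holds.
POLICY = {"allow": {"and": [
    {"record": {"type": "pomerium.io/GeoIP", "field": "country", "is": "US"}},
]}}


def build_cidr_index(records):
    """Parse each record's $index.cidr once; most-specific prefix sorts first."""
    index = [(ipaddress.ip_network(r["$index"]["cidr"], strict=False), r)
             for r in records]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def lookup(index, request_ip):
    """Longest-prefix match of request.ip against the index; None if unlisted.
    The result is only as trustworthy as the request.ip value being matched."""
    addr = ipaddress.ip_address(request_ip)
    for network, record in index:
        if addr.version == network.version and addr in network:
            return record
    return None


def evaluate(policy, request_ip, index):
    """Apply allow/and/record criteria; a missing record fails the criterion,
    so an IP absent from the database is denied rather than allowed."""
    records = {"pomerium.io/GeoIP": lookup(index, request_ip)}
    for criterion in policy["allow"]["and"]:
        rec = criterion["record"]
        matched = records.get(rec["type"])
        if matched is None or matched.get(rec["field"]) != rec["is"]:
            return False
    return True
```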
Reference
- The ip2location datasource expects one argument when running the binary: the path to the GeoIP database.
- It has an optional flag, `--address`, to change the listening port from the default (`:8080`).