Jose Jimenez
Software Architect & Developer

Configuring MaxMind GeoIP with AWS Load Balancers: A Technical Guide

Published in Apache, AWS, MaxMind on Nov 22, 2024

IP geolocation is a crucial tool for web applications, enabling everything from content personalization to security controls. However, when running web servers behind AWS Load Balancers, implementing IP geolocation requires special consideration. This guide explores how to correctly configure MaxMind's GeoIP with Apache when operating behind AWS Load Balancers.

The Challenge

When using AWS Load Balancers (ALB/ELB), the web server sees the load balancer's IP address instead of the actual client IP. This poses a problem for GeoIP services like MaxMind, which rely on accurate IP information for geolocation. The solution involves properly configuring Apache to use the X-Forwarded-For header, which contains the original client IP address.

Implementation Steps

1. Apache Configuration

The key to solving this issue lies in using Apache's mod_remoteip module. This module allows Apache to extract the real client IP from the X-Forwarded-For header provided by AWS Load Balancers.

First, enable the module:

sudo a2enmod remoteip

Then, add the following configuration to your Apache setup:

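# Only needed if the module is not already loaded (a2enmod loads it on Debian/Ubuntu)
LoadModule remoteip_module modules/mod_remoteip.so

# Take the client IP from the header set by the load balancer
RemoteIPHeader X-Forwarded-For
# Proxies trusted to supply that header; narrow these to your load balancer subnets
RemoteIPInternalProxy 10.0.0.0/8
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 192.168.0.0/16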

2. MaxMind Configuration

With mod_remoteip handling the client IP correctly, configure MaxMind:

<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
    MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code
    MaxMindDBEnv GEOIP_COUNTRY_CODE COUNTRY_DB/country/iso_code
    MaxMindDBFile CITY_DB /usr/share/GeoIP/GeoLite2-City.mmdb
    MaxMindDBEnv REGION_CODE CITY_DB/subdivisions/0/iso_code
</IfModule>

Security Considerations

Trust Boundaries

The RemoteIPInternalProxy directives tell Apache which IP ranges to trust for X-Forwarded-For headers. It's crucial to only include IP ranges corresponding to your AWS infrastructure to prevent IP spoofing attacks.
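
The following Python model is an added example, not code from the original article or from Apache. It reproduces the right-to-left walk that mod_remoteip performs over X-Forwarded-For for RemoteIPInternalProxy ranges, and compares the RFC 1918 ranges from the configuration above with a trust list limited to the load balancer subnets. The 10.0.1.0/24 subnet, the function names and every address are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, not from the article.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # ranges in the article's config
LB_SUBNETS = ["10.0.1.0/24"]  # assumed subnet that holds only the load balancer nodes


def resolve_client_ip(peer, xff, trusted):
    """Model of the RemoteIPInternalProxy walk: returns (client_ip, leftover_header)."""
    nets = [ip_network(n) for n in trusted]
    current = ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left; only a trusted address may vouch for the entry before it.
    while hops and any(current in n for n in nets):
        try:
            candidate = ip_address(hops[-1])
        except ValueError:
            break  # unparseable entry: stop and keep the last good address
        hops.pop()
        current = candidate
    return str(current), ", ".join(hops)


def demo():
    # Request through the load balancer: the client forged the first entry and
    # the load balancer appended the real source address as the last entry.
    via_lb = resolve_client_ip("10.0.1.15", "198.51.100.7, 203.0.113.50", LB_SUBNETS)
    # Host elsewhere in the VPC connecting straight to Apache with a forged header.
    direct_narrow = resolve_client_ip("10.9.9.9", "198.51.100.7", LB_SUBNETS)
    direct_broad = resolve_client_ip("10.9.9.9", "198.51.100.7", RFC1918)
    return via_lb, direct_narrow, direct_broad


if __name__ == "__main__":
    labels = ("via LB", "direct, LB-only trust", "direct, RFC 1918 trust")
    for label, (client, leftover) in zip(labels, demo()):
        print(f"{label:24} client={client:15} leftover XFF={leftover!r}")
```

Only the third case accepts the forged address for geolocation, which is why the trusted ranges should cover just the load balancer subnets and security groups should keep other hosts from reaching Apache directly.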

AWS VPC Configuration

Ensure your VPC and security group configurations align with the trusted IP ranges. Regular audits of these configurations help maintain security while allowing proper IP geolocation.

Testing and Verification

A simple PHP script can verify the configuration:

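<?php
// Serve as plain text so header values are never interpreted as HTML.
header('Content-Type: text/plain');
// REMOTE_ADDR is the client IP after mod_remoteip has processed X-Forwarded-For.
echo "Client IP: " . $_SERVER['REMOTE_ADDR'] . "\n";
// mod_remoteip strips the addresses it consumes, so this header can be absent.
echo "X-Forwarded-For: " . ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? '(not set)') . "\n";
echo "Country Code: " . ($_SERVER['COUNTRY_CODE'] ?? '(not set)') . "\n";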

Common Pitfalls and Solutions

  1. Missing Geolocation Data

    • Verify mod_remoteip is enabled and properly configured
    • Ensure MaxMind database files are present and readable
    • Check Apache error logs for configuration issues
  2. Incorrect Location Data

    • Verify the RemoteIPInternalProxy directives match your AWS infrastructure
    • Ensure no intermediate proxies are modifying the X-Forwarded-For header

Best Practices

  1. Regular Updates

    • Keep MaxMind databases current for accurate geolocation
    • Regularly review and update trusted IP ranges
  2. Monitoring

    • Log and monitor geolocation failures
    • Set up alerts for unexpected patterns in IP resolution
  3. Testing

    • Implement thorough testing in staging environments
    • Use various client locations to verify accuracy

Conclusion

Properly configuring MaxMind GeoIP behind AWS Load Balancers requires careful attention to both Apache configuration and security considerations. By following this guide, organizations can ensure accurate geolocation while maintaining security and performance.

This solution allows web applications to leverage geolocation capabilities effectively, even in cloud-based architectures, enabling features like location-based content delivery, fraud prevention, and regulatory compliance.