Issue
- Is it possible to block the request on the site based on the regions?
Environment
- Liferay PaaS
Resolution
NOTE: The following resolution requires customization and should only be implemented at the discretion of your team. Liferay Support will not be able to assist with designing or implementing customizations.
- It's possible to block traffic based on specific regions by using the 'X-Client-Region' header at the web server level. Please refer to the code snippet below.
if ($http_x_client_region !~* "country code") {
    return 443; # Or any other appropriate response code
}
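- This code checks whether the value of the X-Client-Region header does not match "country code", let's say 'IN'. The !~* operator is a case-insensitive regular-expression test, not a string comparison, so the pattern matches anywhere in the header value unless it is anchored with ^ and $.
- If the condition is true, meaning the traffic is not from the India region, a 443 response code or any other preferred response code is returned, effectively blocking the request.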
- Add the above code to the 'liferay.conf' file, which is located at "webserver > configs > (select the environment name) > conf.d > liferay.conf".
location / {
    # auth_basic "Authentication Required";
    # auth_basic_user_file /var/www/html/.htpasswd;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $http_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_hide_header liferay-portal;
    proxy_pass http://upstream_server;
    proxy_http_version 1.1;
    proxy_intercept_errors on;
    if ($http_x_client_region !~* "IN") {
        return 444;
    }
}
- Restart the services. All requests except those from the India region will then be blocked.
Note: Perform the above activity in a lower environment first. Only if all works well, move to the production environment.
Additional Information
- Below are some examples with different use cases:
1) Block requests from specific regions, such as (US|CA|IN).
if ($http_x_client_region ~* "(US|CA|IN)") {
    return 403;
}
- The above code only blocks requests from the US, CA, and IN regions.
2) Accept requests only from specific regions, such as (US|CA|IN).
if ($http_x_client_region !~* "(US|CA|IN)") {
    return 403;
}
- The above code only accepts requests from the US, CA, and IN regions and blocks requests from all other regions.
3) Block requests from all regions except one, such as IN.
if ($http_x_client_region !~* "IN") {
    return 403;
}
- The above code only accepts requests from the India region and blocks requests from the rest of the regions.
4) Accept all requests except those from one region, such as IN.
if ($http_x_client_region ~* "IN") {
    return 403;
}
- The above code only blocks requests from the India region and accepts requests from the rest of the regions.
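To check what each of the four rules above decides before trying it in a lower environment, the following added example (not Liferay's code) models nginx's `~*` and `!~*` tests with Python's `re` module and runs them over constructed header values, including a request that has no X-Client-Region header. The rule names, the sample values and the anchored variant `^IN$` are assumptions made for the example; the page does not say whether the header ever carries a value such as "FIN".

```python
import re

def rule_fires(header_value, operator, pattern):
    """Model nginx `if ($http_x_client_region <operator> "<pattern>")`.

    "~*" is a case-insensitive regex match and "!~*" its negation. nginx expands
    $http_x_client_region to an empty string when the header is absent.
    """
    matched = re.search(pattern, header_value or "", re.IGNORECASE) is not None
    if operator == "~*":
        return matched
    if operator == "!~*":
        return not matched
    raise ValueError(f"unsupported operator: {operator}")

def decide(header_value, operator, pattern, status=403):
    """Return the status the rule sends, or None when the request is proxied."""
    return status if rule_fires(header_value, operator, pattern) else None

# Rules 1-4 use the page's patterns; "3a" is an anchored variant added here.
RULES = {
    "1 block US/CA/IN": ("~*", "(US|CA|IN)"),
    "2 allow only US/CA/IN": ("!~*", "(US|CA|IN)"),
    "3 allow only IN": ("!~*", "IN"),
    "4 block IN": ("~*", "IN"),
    "3a allow only IN, anchored": ("!~*", "^IN$"),
}

# Constructed header values: "" stands for a request without the header,
# "FIN" for any longer value that merely contains the letters "IN".
SAMPLES = ["IN", "in", "US", "BR", "", "FIN"]

def decision_table(rules=RULES, samples=SAMPLES):
    """Map rule name -> {header value: status or None} for every sample."""
    return {name: {value: decide(value, op, pattern) for value in samples}
            for name, (op, pattern) in rules.items()}

if __name__ == "__main__":
    for name, row in decision_table().items():
        cells = ", ".join(f"{value or '(absent)'}={status or 'pass'}"
                          for value, status in row.items())
        print(f"{name:28} {cells}")
```

In the printed table, the block rules (1 and 4) pass a request that has no header while the allow rules (2 and 3) block it, and the unanchored rule 3 passes "FIN" where the anchored variant blocks it.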
Note:
- Multiple regions (e.g., IN and BR): when blocking requests from multiple regions, parentheses () with the pipe (|) are needed to group the regions, like: (IN|BR).
- Single region (e.g., IN): no need for parentheses when matching only one region.
- To get the country code list, please refer to the unofficial documentation: