GeoIP Blocking in PHP Code #2098

Open
danehrlich1 opened this Issue Jan 4, 2019 · 7 comments

danehrlich1 commented Jan 4, 2019

Moved this issue from the Docker repo to here. Much better to do this at the app level if it is going to be done.

Maybe add this at some point, would be really cool but low priority.

Here is code I have that gets the MaxMindDB GeoIP2 database. Can be executed daily via cron to update or can just make a function in PHP instead of bash to do it. You read the MMDB file by using MaxMind's PHP GeoIP2 library.

```bash
# Download the GeoLite2 country DB into a fresh temp dir and install the .mmdb
# (mkdir -p and an explicit tarball name keep this safe to re-run daily)
tmp=$(mktemp -d) && cd "$tmp" \
  && wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz \
  && tar -xvf GeoLite2-Country.tar.gz && mkdir -p /usr/local/share/GeoIP \
  && mv GeoLite2-Country*/GeoLite2-Country.mmdb /usr/local/share/GeoIP/
```
danehrlich1 commented Jan 4, 2019

Oh this is super easy it seems. Just add a quick check in index.php and if they don't pass forward to a blank page using Header().

Would not use Exit() since that gives away a 403 code indicating something important is there...
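The check sketched in the two comments above, as an added example for this thread (it is not OpenEMR's or MaxMind's own code). It assumes the geoip2/geoip2 composer package named later in the thread, and the database path, the allowed-country list and the trusted-proxy address are placeholders. Two points the comments leave open: the client address has to come from `REMOTE_ADDR` unless the request really arrived through your own reverse proxy (otherwise `X-Forwarded-For` is attacker-chosen), and a `Location:` header by itself does not stop PHP from rendering the rest of the page, so the script still has to stop after sending it; the redirect target, not an exit, is what keeps the response looking like an empty page rather than a 403.

```php
<?php
// Added example (not OpenEMR's or MaxMind's code): a country gate to run at the
// top of the front controller before any output is sent.
// Assumptions: geoip2/geoip2 is installed via composer; the .mmdb path, the
// allow list and the trusted proxy address below are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

use GeoIp2\Database\Reader;
use GeoIp2\Exception\AddressNotFoundException;

/**
 * Pick the address to look up. X-Forwarded-For is only honoured when the
 * direct peer is one of our own reverse proxies; otherwise any client could
 * set the header and choose its own "country".
 */
function geoip_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost entry is the original client; later entries were appended by proxies.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

/**
 * True when the request may proceed.
 *  $allowedCountries: ISO 3166-1 alpha-2 codes, e.g. ['US', 'CA'].
 *  $failOpen: behaviour when the database is missing/corrupt or the address
 *             has no record. Choose this deliberately: a failed nightly
 *             download would otherwise lock every clinic user out.
 */
function geoip_allowed(string $ip, string $mmdbPath, array $allowedCountries, bool $failOpen = true): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        error_log("geoip: unparseable client address '$ip'");
        return $failOpen;
    }
    // Private and reserved ranges have no GeoLite2 record; treat them as on-site access.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return true;
    }
    try {
        $reader = new Reader($mmdbPath);
        $iso = $reader->country($ip)->country->isoCode ?? '';
        $reader->close();
    } catch (AddressNotFoundException $e) {
        error_log("geoip: no record for $ip");
        return $failOpen;
    } catch (\Exception $e) {
        // Covers a missing file and MaxMind\Db\Reader\InvalidDatabaseException.
        error_log('geoip: database unavailable: ' . $e->getMessage());
        return $failOpen;
    }
    return in_array($iso, $allowedCountries, true);
}

// Wiring: placeholder path in the site-writable documents directory, placeholder proxy.
$mmdbPath = '/path/to/openemr/site/<sitename>/documents/geoip/GeoLite2-Country.mmdb';
$ip = geoip_client_ip($_SERVER, ['10.0.0.5']);
if (!geoip_allowed($ip, $mmdbPath, ['US'])) {
    error_log("geoip: blocked $ip");           // keep a record so blocks are reviewable
    header('Location: /blank.html', true, 302); // plain redirect, no 403
    exit; // the redirect header alone does not stop PHP from rendering the page
}
```

The `error_log` calls are the part a defender actually wants: without them a bad allow list or a stale database is indistinguishable from an attack, and the first sign of trouble is a clinic that cannot log in.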

bradymiller commented Jan 6, 2019

hi @danehrlich1 ,

This looks very interesting. Couple quick questions to figure out the route to do this (i.e. break it down into several steps that a new developer on the project can follow):

  1. Would it make sense for OpenEMR's service manager to do the daily download? :
    https://www.open-emr.org/wiki/index.php/Background_Service_Manager

  2. Since openemr would be doing this, looks like would need to save in a openemr writable directory (would use something like site//documents/geoip/)?

  3. Is this the composer package? https://packagist.org/packages/geoip2/geoip2

-brady

danehrlich1 commented Jan 6, 2019

  1. Yes, absolutely. I didn't even know that was part of the app. The other option I was considering was a cron function, but I would like to keep as much functionality in the app as possible, so this is great.

  2. Yes. It's a special type of binary file, so it would need to be in a writeable directory. They do have a CSV file you can parse, but I believe that is much slower than the other special format they use.

  3. Am 95% sure that's the right package. It looks like it's the official one from MaxMind. You do have to make sure you get the library that just reads the MaxMind DB file, not the one that pings the API and gets a response from their service (that is the commercial version).

bradymiller commented Jan 8, 2019

hi @danehrlich1,
Thanks for the info. So it sounds like this project will involve the following steps:

  1. An entry in the OpenEMR service manager that will handle the daily download into the site/<sitename>/documents/geoip/ directory:
    https://www.open-emr.org/wiki/index.php/Background_Service_Manager
    (btw, this script can also be run via cron, which makes it nice and versatile, and either way gets limited to how often you set it to run)

  2. Then incorporating the https://packagist.org/packages/geoip2/geoip2 package to do the check in the interface/globals.php script

  3. And when the above is complete, then can add in the needed settings (i.e. turning it off/on along with other setting bells/whistles) in library/globals.inc.php

  4. A bonus project at the end here would be to upgrade the Background Service Manager to support times when a service can be run (for example, if you do not want to run it during clinic hours etc.)

-brady

sjpadgett commented Jan 8, 2019

Concerns:
Shouldn't this be a firewall functionality?
How large is the database?
How long does it take to do lookup?
If you put in Globals that may mean looking at the Server Referrer every load.
In the end, what do you really gain? Certainly not helpful for DOS attacks, and maybe if you sent a redirect back you may get kicked out of a vulnerability automated probe list, maybe. (Actually a trick I use in WordPress, shuts those attacks down in a heartbeat. Redirect right back to the attack IP. I smile every time I think about it.)
Really best to leave to the firewall, and I'm not trying to spoil the fun, just concerned.
Brady, for your item 4 I've been thinking that we could set up a separate event-driven server to handle all our background tasks, including reminders and timer-based functions. Maybe nodejs.

danehrlich1 commented Jan 8, 2019

sjpadgett commented Jan 8, 2019
