Country-Based Whitelisting using CSF - Virtualmin updates and Let's Encrypt

SYSTEM INFORMATION
OS type and version: Debian Linux 12
Webmin version: 2.202
Virtualmin version: 7.30.4 Pro
Webserver version: Apache

Based on my readings and the help of other users (Redirecting traffic per country IPs), I’m making progress and starting to understand how to implement Country-Based Whitelisting using CSF integrated into an existing Virtualmin/Webmin, and how this should be done.

However, as I begin testing on a cloned server, I have concerns regarding server traffic related to essential operations like updates, maintenance, statistics, etc.

Using CSF (ConfigServer Security & Firewall), I plan to allow traffic from only one country (based on country IP), but I need to ensure that maintenance operations will not be disrupted. Specifically, I need to verify that the following tasks can proceed without issues:

  • Virtualmin updates (Debian 12, PHP, etc.)
  • Let’s Encrypt renewal (I know port 80 should remain open)
  • Zabbix monitoring (Can I whitelist my monitoring server IP on top of the country restriction?)
  • Matomo Stats (Can I whitelist my monitoring server IP on top of the country restriction?)
  • Any other essential operations?

Can anyone advise on how to configure CSF properly while ensuring that maintenance and updates continue smoothly?

Thanks!
Bernard

I understand this might be slightly outside the typical scope of the Virtualmin forum, but I hope it’s still acceptable to ask here.

I recently had a client who self-hosts and had issues with Let's Encrypt and country filtering, as LE uses various servers across many countries in random order for validation – which we did not know until they could not get an LE cert issued to their server. They ended up buying a commercial cert :smile:

I expect this is also the case for many suppliers, and CDN-type networks, Google, etc.

I have always thought that any Country-based white/black listing is self-defeating - the internet is global - just work with/accept the fact, and spend your valuable time convincing your customers that they are incurring trouble/cost with impracticable wishes.

What about visitors (from your “whitelisted” country or not) to your VS that use a VPN service?

Another problem is that the country IP range is not true anymore. I have a US IP range on 2 servers even though the servers are in Germany. The provider explains that the shortage of IPv4 addresses makes it possible to get IPs from other continents.

They have their own forum.
I can’t see how updates will be affected.

https://forum.configserver.com/viewtopic.php?t=10099

Thank you for posting many arguments against Country-Based Whitelisting. :face_with_hand_over_mouth:

However, there are organisations and countries where regulations and common usage are to block all traffic from foreign countries.

I understand that this is going to be a ride and I will have to follow carefully what is going on and whitelist more than just one country’s IP. Based on experiences and the tools installed, I had hoped I could somehow find a list or more hints to allow specific traffic and ease the maintenance operations.
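
An added example, not from any poster in this thread and not taken from CSF's shipped files: one way to keep port 80 open worldwide for Let's Encrypt validation while limiting other inbound services to one country, using CSF's `CC_ALLOW_PORTS` options plus a `csf.allow` entry for the monitoring server. The country code `XX`, the port selection and the address `192.0.2.10` are placeholders and assumptions to adapt.

```conf
# --- /etc/csf/csf.conf (fragment) ---
# Ports open to every country. 80 stays here so that Let's Encrypt HTTP
# validation, which arrives from servers in several countries, still works.
TCP_IN = "80"

# Country allowed to reach the restricted ports (XX is a placeholder
# for a two-letter country code).
CC_ALLOW_PORTS = "XX"

# Ports reachable only from the CC_ALLOW_PORTS countries. They must not
# also be listed in TCP_IN, or they remain open to everyone.
# Assumed services: 22 SSH, 443 HTTPS, 10000 Webmin/Virtualmin.
CC_ALLOW_PORTS_TCP = "22,443,10000"
CC_ALLOW_PORTS_UDP = ""

# --- /etc/csf/csf.allow (fragment) ---
# Monitoring server allowed regardless of its country.
# 192.0.2.10 is a placeholder address; 10050 is the Zabbix agent's
# default port.
tcp|in|d=10050|s=192.0.2.10
```

Restart the firewall with `csf -r` after editing, and test a certificate renewal on the cloned server before relying on the rules.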