by allowing country plugin always returns forbidden/403

Open pcmediapear opened this issue 9 months ago • 11 comments

hello

Please can someone confirm that allowing a country by the plugin is working? In my tests I was not able to get it working, and the result is always forbidden/403.

traefik 3.3.6 plugin version v0.3.3

traefik configuration:

experimental:
  plugins:
    geoblock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.3.3"

traefik labels:

      - traefik.http.routers.nginx-https.entrypoints=https_def
      - traefik.http.routers.nginx-https.rule=(HostRegexp(`.+`))
      - traefik.http.routers.nginx-https.service=nginx-https
      - traefik.http.services.nginx-https.loadbalancer.server.scheme=http
      - traefik.http.services.nginx-https.loadbalancer.server.port=80
      - traefik.http.routers.nginx-https.middlewares=nginx-geoblock_allowlist
      - traefik.http.routers.nginx-https.tls=true
      - traefik.http.routers.nginx-https.tls.certresolver=mycertresolver

      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.silentStartUp=false
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.allowLocalRequests=true
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.logLocalRequests=false
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.logAllowedRequests=false
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.logApiRequests=false
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.api="https://get.geojs.io/v1/ip/country/{ip}"
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.apiTimeoutMs=500
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.cacheSize=25
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.forceMonthlyUpdate=true
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.allowUnknownCountries=false
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.unknownCountryApiResponse="nil"
      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.countries=SK

The plugin itself is loaded and working, because if allowedIPAddresses is set, access is allowed:

      - traefik.http.middlewares.nginx-geoblock_allowlist.plugin.geoblock.allowedIPAddresses=46.34.xxx.xxx

traefik container is able to connect to API:

Image

same results by:

  • testing with country DE or allowing all countries
  • enabling option ignoreAPITimeout or increasing apiTimeoutMs to 5000
  • configuring dynamic-configuration.yml instead of traefik labels

many thanks for any info

pcmediapear avatar May 04 '25 00:05 pcmediapear

Can you append the log?

PascalMinder avatar May 05 '25 08:05 PascalMinder

> Can you append the log?

traefik.log (switched to trace):

...
2025-05-05T19:29:57Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:240 > Loading plugins... plugins=["geoblock"]
2025-05-05T19:29:57Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: geoblock: github.com/PascalMinder/geoblock@v0.3.3
2025-05-05T19:29:57Z DBG github.com/hashicorp/[email protected]/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/PascalMinder/geoblock/v0.3.3
2025-05-05T19:29:57Z DBG github.com/hashicorp/[email protected]/client.go:661 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/PascalMinder/geoblock/v0.3.3
2025-05-05T19:29:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:250 > Plugins loaded. plugins=["geoblock"]
...
2025-05-05T19:32:06Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:112 > Provider event received {Status:start ID:7c073ac12d4d83280b3ad477c4d37e17f7c0afc6d88eee89d3d051fd8470f76b From:joomla:latest Type:container Action:start Actor:{ID:7c073ac12d4d83280b3ad477c4d37e17f7c0afc6d88eee89d3d051fd8470f76b Attributes:map[com.docker.compose.config-hash:bee43afd4dce93a02a42852522454f5c5d0f6c167e341ea5acb25b4a99467b77 com.docker.compose.container-number:1 com.docker.compose.depends_on:joomla-mysql:service_started:false com.docker.compose.image:sha256:71e7da5120f79c34399d628326e6939420f729583ddde0e66509b3266c421290 com.docker.compose.oneoff:False com.docker.compose.project:joomla com.docker.compose.project.config_files:/PATH/TO/docker-compose.yml,/PATH_TO/docker-compose.resource.yml com.docker.compose.project.working_dir:/PATH/TO/joomla com.docker.compose.service:joomla com.docker.compose.version:2.29.1 image:joomla:latest maintainer:Llewellyn van der Merwe <[email protected]> (@Llewellynvdm), Harald Leithner <[email protected]> (@HLeithner) name:joomla traefik.docker.network:3_joomla_traefik traefik.enable:true traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.allowLocalRequests:true traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.allowUnknownCountries:false traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.api:"https://get.geojs.io/v1/ip/country/{ip}" traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.apiTimeoutMs:500 traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.cacheSize:25 traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.countries:SK traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.forceMonthlyUpdate:true traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.logAllowedRequests:false traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.logApiRequests:false 
traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.logLocalRequests:false traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.silentStartUp:false traefik.http.middlewares.joomla-geoblock_allowlist.plugin.geoblock.unknownCountryApiResponse:"nil" traefik.http.middlewares.joomla-http_to_https.redirectscheme.permanent:true traefik.http.middlewares.joomla-http_to_https.redirectscheme.scheme:https traefik.http.middlewares.joomla-iprange_allowlist.ipallowlist.sourcerange:LOCAL_NETWORK traefik.http.routers.joomla-http_def.entrypoints:http_def traefik.http.routers.joomla-http_def.middlewares:joomla-geoblock_allowlist traefik.http.routers.joomla-http_def.rule:(Host(`FQDN1`) || Host(`FQDN2`)) traefik.http.routers.joomla-http_def.service:joomla-https_def traefik.http.routers.joomla-https_def.entrypoints:https_def traefik.http.routers.joomla-https_def.middlewares:joomla-geoblock_allowlist traefik.http.routers.joomla-https_def.rule:(Host(`FQDN1`) || Host(`FQDN2`)) traefik.http.routers.joomla-https_def.service:joomla-https_def traefik.http.routers.joomla-https_def.tls:true traefik.http.routers.joomla-https_def.tls.certresolver:RESOLVER traefik.http.services.joomla-https_def.loadbalancer.server.port:80 traefik.http.services.joomla-https_def.loadbalancer.server.scheme:http]} Scope:local Time:1746473526 TimeNano:1746473526292968417} providerName=docker
...
2025-05-05T19:33:26Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:463 > IP 104.28.130.136 is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=https_def
2025-05-05T19:33:26Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:463 > IP 104.28.130.136 is not in trusted IPs list, ignoring ProxyProtocol Headers and bypass connection entryPointName=http_def
...

access.log from local network:

...
192.168.xxx.xxx - - [05/May/2025:19:32:41 +0000] "GET / HTTP/2.0" 200 4129 "-" "-" 51 "joomla-https_def@docker" "http://172.29.28.3:80" 1200ms
...

access.log from SK public IP:

...
104.28.130.136 - - [05/May/2025:19:33:26 +0000] "GET / HTTP/2.0" 403 0 "-" "-" 69 "joomla-https_def@docker" "-" 0ms
...

pcmediapear avatar May 05 '25 19:05 pcmediapear

EDIT!!!!!!

My public IP had changed, and my domain wasn't pointing to it. Problem solved!

I am having a similar issue. It was working fine until about midnight last night (I had a power outage at 2:30 am, so thought it might be due to an update on reboot, but unfortunately not).

I am on version 0.3.2, and version 3.4.0 for traefik. There is nothing in particular to add in addition to pcmediapear.

Here is my traefik yaml

experimental:
    plugins:
      geoblock:
        moduleName: "github.com/PascalMinder/geoblock"
        version: "v0.3.2"

Here is my config

my-geoblock:
  plugin:
    geoblock:
      allowLocalRequests: "true"
      allowUnknownCountries: "false"
      api: https://get.geojs.io/v1/ip/country/{ip}
      apiTimeoutMs: "150"
      cacheSize: "15"
      countries:
        - ##
      forceMonthlyUpdate: "false"
      logAllowedRequests: "true"
      logApiRequests: "true"
      logLocalRequests: "true"
      silentStartUp: "false"
      unknownCountryApiResponse: "nil"

Trace logs

[13/Mar/2025:00:07:49 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 29 "authentik-secure@docker" "-" 1ms

Some additional notes.

My traefik instance was updated on the 6th, but was still working then.

traefik/geoblocker is not providing live updates to the logs on portainer, to view the logs requires a restart, perhaps something is hanging?

Changing to version 0.3.3 does not fix the issue, i.e. fresh download by traefik does not resolve the issue.

curl of get.geojs.io still returns the correct ip address.

enabling blacklistmode still returns the same issue.

on restart of the container, the startup logs show an immediate forbidden error.

bobsdacool avatar May 13 '25 10:05 bobsdacool

Same issue for me, allowed country gives a 403.

Will upload config, log and settings later.

schumi2004 avatar May 21 '25 21:05 schumi2004

Was having same issue today using traefik v3.5 and geoblock v0.3.3.

SOLUTION was to remove the following line in my dynamic traefik config file:

apiTimeoutMs: 150

It seems like it has been deprecated or something. Cheers!

Maddjik avatar Aug 20 '25 17:08 Maddjik

> Was having same issue today using traefik v3.5 and geoblock v0.3.3.
>
> SOLUTION was to remove the following line in my dynamic traefik config file:
>
> apiTimeoutMs: 150
>
> It seems like it has been deprecated or something. Cheers!

Hi @Maddjik

the apiTimeoutMs parameter was not removed. Default is 750ms, so 150ms might be a bit low.

PascalMinder avatar Aug 27 '25 15:08 PascalMinder

@PascalMinder @Maddjik thanks for both of your comments, that helped address my misconfiguration issue

jlaska avatar Aug 27 '25 17:08 jlaska

Thanks for your input I will try to use a higher value. I was using 150ms forever and it just recently started to stop working 🤔

Maddjik avatar Aug 27 '25 19:08 Maddjik

@Maddjik did you try confirming the request time with e.g. curl or so? Just to check that the service works?

PascalMinder avatar Aug 29 '25 10:08 PascalMinder
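
One way to confirm the request time with curl, as suggested in the comment above (an added example, not part of the thread or of the plugin's code). It samples the lookup latency for the API URL configured in this issue and counts how many samples exceed a given `apiTimeoutMs`; the script name, the IP argument and the sample count are assumptions.

```shell
#!/bin/sh
# Added example: time the country lookup and compare it with apiTimeoutMs.
# API template taken from the configuration posted in this thread.
API_TEMPLATE='https://get.geojs.io/v1/ip/country/{ip}'

# Substitute the client IP into the {ip} placeholder of the template.
lookup_url() {
  printf '%s\n' "$API_TEMPLATE" | sed "s/{ip}/$1/"
}

# Time one lookup with curl; prints the total time in whole milliseconds.
time_lookup_ms() {
  tl_secs=$(curl -sS -o /dev/null --max-time 5 -w '%{time_total}' \
    "$(lookup_url "$1")") || return 1
  awk -v s="$tl_secs" 'BEGIN { printf "%d\n", s * 1000 + 0.5 }'
}

# Count how many millisecond samples are above the timeout budget.
# Usage: count_over_budget <timeout_ms> <sample_ms>...
count_over_budget() {
  cob_budget=$1; cob_over=0
  shift
  for cob_ms in "$@"; do
    if [ "$cob_ms" -gt "$cob_budget" ]; then cob_over=$((cob_over + 1)); fi
  done
  echo "$cob_over"
}

# Runs only when an IP is given: ./geo_latency.sh <ip> [timeout_ms] [samples]
# (hypothetical script name; 750 is the default mentioned in this thread)
if [ -n "${1:-}" ]; then
  ip=$1; budget=${2:-750}; n=${3:-10}; samples=""; i=0
  while [ "$i" -lt "$n" ]; do
    ms=$(time_lookup_ms "$ip") || ms=999999  # a failed lookup counts as over budget
    samples="$samples $ms"
    i=$((i + 1))
  done
  echo "samples (ms):$samples"
  # $samples is intentionally unquoted so each value becomes one argument.
  echo "over ${budget} ms: $(count_over_budget "$budget" $samples) of $n"
fi
```

Run it from inside the Traefik container's network namespace so the measurement reflects the path the plugin's lookups take.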

No, I didn't try this. I went back to 750ms like you said and it works fine. I don't know why I had 150ms; I don't remember changing it.

Maddjik avatar Aug 29 '25 12:08 Maddjik

Hey guys, I am having the same issue:

traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 use custom HTTP header field for country lookup: false
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 API uri: https://get.geojs.io/v1/ip/country/{ip}
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 API timeout: 750
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 ignore API timeout: false
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 cache size: 25
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 force monthly update: true
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 allow unknown countries: false
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 unknown country api response: nil
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 blacklist mode: false
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 add country header: false
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 countries: [DE]
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 Denied request status code: 403
traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 Log file path: 

But I already tried setting the timeout to 750, and that didn't change anything. Any ideas?

Joly0 avatar Sep 13 '25 15:09 Joly0

> Hey guys, I am having the same issue:
>
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 use custom HTTP header field for country lookup: false
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 API uri: https://get.geojs.io/v1/ip/country/{ip}
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 API timeout: 750
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 ignore API timeout: false
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 cache size: 25
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 force monthly update: true
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 allow unknown countries: false
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 unknown country api response: nil
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 blacklist mode: false
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 add country header: false
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 countries: [DE]
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 Denied request status code: 403
> traefik  | INFO: GeoBlock: 2025/09/13 15:44:06 Log file path: 
>
> But I already tried setting the timeout to 750, and that didn't change anything. Any ideas?

I have the same problem, an allowed country is blocked.

Akenjeru avatar Nov 21 '25 16:11 Akenjeru