GeoIP access control
For administrators who can configure login policy and inspect recent decisions. The feature requires outbound lookup access when a public IP is not resolved by an explicit exception.
Purpose
Apply a coarse country and IP policy at player login, verify the decision order with safe test data, and avoid treating GeoIP as identity or anti-cheat evidence.
Before you begin
- Choose a provider that matches the server's privacy and regional compliance policy:
IpWhoIsuses HTTPS without a token,IpApiis a limited HTTP option, andIpInfouses HTTPS with an account token. - Decide the behavior for unknown countries and private or local addresses before enabling strict blocking.
- Prepare a test public IP, a private test address, a temporary CIDR exception, and a dedicated test player. Use
203.0.113.10or198.51.100.0/24only as documentation examples, not as a claim about a real client. - Keep Bypass admins enabled until the policy has been validated and a recovery operator is available.
WARNING
Each uncached public player IP may be sent to the selected third-party provider. Document that data flow and choose the provider, cache duration, and logging policy accordingly.
Procedure
Settings
- Open GeoIP Access Control and leave the mode disabled while selecting the provider. Enter an
IpInfotoken only in the protected field; do not copy it into a screenshot or ticket. - Set request timeout, successful-cache TTL, and failure-cache TTL. Keep a short failure cache, such as five minutes, while testing provider reliability.
- Choose a policy mode: Disabled, Allow only listed countries, or Block listed countries. Enter ISO country codes in the matching list and choose Unknown country policy and Private/local IP policy explicitly.
- Add exact IP or CIDR values to the allow-list or block-list for approved test clients and recovery administrators. Explicit exceptions are evaluated before country rules.
- Set the kick message and decide whether to log allowed decisions. Enable allowed logging temporarily when validating a new policy, then reduce noise if it is not needed.
- Save, run Test lookup for a public test IP and a private address, then inspect the result provider, country, cache flag, and error state. Use Clear cache after changing provider or cache settings, or when a policy test requires a fresh provider result.
Cache behavior
- Lookup results are held in a process-local in-memory cache. A successful lookup uses
CacheTtlMinutes; a failed lookup usesFailureCacheTtlMinutes. - Restarting the backend or game process clears this cache. Clear cache removes current entries without a restart.
- Changing the provider or cache TTL settings invalidates the affected cache entries. Country/IP policy changes alter decision evaluation but may retain cached lookup metadata; use Clear cache when a fresh provider result is required.
Evaluation order
Login decisions follow this order:
- Disabled module or disabled mode allows the login.
- Admin bypass, when enabled, allows the login.
- Invalid IP is recorded as
Skipped. - Private or loopback IP follows
PrivateIpPolicy. - IP allow-list allows before lookup.
- IP block-list blocks before lookup.
- A remote GeoIP lookup runs for the remaining public IP.
- Lookup failure or a missing country follows
UnknownCountryPolicy. - The country allow or block mode decides the result.
Live verification
- Keep the mode disabled and use Test lookup for the public test IP and private address. This validates the provider lookup only; it does not exercise
PrivateIpPolicyor create a recent login decision. - Enable a harmless
AllowCountrieslist that includes the test operator's expected country, or aBlockCountrieslist that excludes it, and enable Log allowed decisions temporarily. Join with the dedicated test player and confirm an allowed decision appears in Recent decisions. - Add the test IP to the block-list and confirm the player is kicked with the configured message. Remove the entry, clear cache, and confirm the player can rejoin.
- Simulate a provider failure only in a controlled window, then confirm the configured unknown-country policy is applied to a real login. Restore the provider and policy after the test.

The empty table shows the recent-decision view without test IPs, players, or policy results.
Verify the result
- The status section shows the selected provider, cache count, last lookup, and last block without a stale error.
- Recent decisions contain the expected
Allowed,Blocked,LookupFailed, orSkippedresult and reason. - An explicit allow-list entry wins before country policy, and an explicit block-list entry blocks before a remote request.
- Clearing cache changes the next lookup behavior after provider or cache TTL changes, and removing a temporary block restores login; country/IP policy changes re-evaluate the available lookup result.
- Validate
PrivateIpPolicywith a real private/loopback login attempt and its recent decision; a Test lookup result alone is not evidence for that policy.
Limits and safety notes
DANGER
Strict blocking can reject legitimate players when a provider is unavailable, a carrier uses an unexpected country, or an address is shared. Start with unknown-country Allow, test the real login event, and keep a recovery exception.
- GeoIP is approximate access control. It is not an identity proof, VPN detector, or anti-cheat system. Use audit, player tracking, and server evidence for an investigation.
IpApiuses HTTP and provider limits. Do not use it as a high-trust path on a hostile network.