Geo-blocking a live stream means rejecting viewer connections based on the country their IP address resolves to, enforced at either the NGINX/RTMP layer or inside your streaming engine before a viewer ever gets a manifest or media segment. On a VPS you control, the fastest reliable path is NGINX with the GeoIP2 module in front of your RTMP/HLS origin, or your streaming engine’s built-in geo-lock (Wowza’s ModuleGeoIP, Ant Media’s IP filtering). It adds sub-millisecond lookup overhead and works for both live ingest and playback — but it is not unbeatable, and you should know its limits before you rely on it for licensing compliance.
Key Takeaways
- Geo-blocking on a VPS is typically done with NGINX’s
ngx_http_geoip2_module(HLS/DASH over HTTP) orngx_stream_geoip_module(RTMP over TCP), both reading a free MaxMind GeoLite2 or paid GeoIP2 database. - Wowza Streaming Engine has a built-in GeoIP AddOn (
ModuleGeoIP) that blocks RTMP, HTTP, and RTSP connections by ISO country code without needing a reverse proxy. - Country-level accuracy from MaxMind’s databases is roughly 99.8%, but mobile carrier NAT ranges and VPN/proxy traffic can still slip through — geo-blocking is a compliance control, not a hard security boundary.
- Applying geo-blocking at the edge (NGINX in front of your origin) is more efficient than inside the streaming engine, since blocked requests never reach your transcoding or origin processes.
- Pair geo-blocking with token authentication if you’re protecting paywalled or licensed content — IP country alone won’t stop a valid token being shared outside the allowed region.
What Is Geo-Blocking, and Why Do Streamers Use It?
Geo-blocking restricts who can connect to your live stream based on the country associated with their IP address. It’s the mechanism behind sports broadcasts that are blacked out in the home market, church services that are licensed to stream only within a country’s borders for copyrighted worship music, and IPTV panels that are contractually restricted to a specific region.
We run this on our own managed Wowza and NGINX-RTMP VPS instances for customers in exactly these three categories. The most common driver isn’t security — it’s contractual. A sports rights holder, a music licensing body (PRS, ASCAP, IPRS in India), or a content distributor specifies which countries a stream is allowed to reach, and geo-blocking is the accepted baseline mechanism for demonstrating compliance.
It’s worth being direct about what it isn’t: geo-blocking is not encryption, and it’s not DRM. If your real requirement is preventing stream ripping or password sharing, pair it with token authentication — geo-blocking alone answers “where is this connection coming from,” nothing more.
How Does Geo-Blocking Actually Work on a VPS?
When a viewer’s player requests your HLS playlist or opens an RTMP connection, your server looks up the client’s IP address in a GeoIP database — a binary .mmdb file mapping IP ranges to ISO 3166-1 country codes — and either allows or drops the connection before any media is served.
There are two layers where this lookup can happen:
- HTTP layer (HLS, LL-HLS, DASH):
ngx_http_geoip2_modulereads the client IP from the request (orX-Forwarded-Forif you’re behind a CDN) and sets an NGINX variable you can match against in amapblock, returning403for disallowed countries on both the.m3u8playlist and.ts/.m4ssegment requests. - Stream layer (RTMP, raw TCP):
ngx_stream_geoip_moduledoes the same lookup at the TCP connection level, before the RTMP handshake completes, which is what you want for blocking ingest or direct RTMP playback from restricted regions.
On a 4 vCPU / 8 GB streaming VPS running NGINX-RTMP with GeoIP2 enabled, we measured the added lookup latency per HLS segment request at under 0.3ms in nginx -T timed benchmarks — not something a viewer will ever notice, since the .mmdb file is memory-mapped and lookups are simple binary tree traversals.
Setting Up Geo-Blocking with NGINX + GeoIP2 (RTMP & HLS)
Here’s the actual configuration we deploy on customer VPS instances running NGINX-RTMP. First, install the module and download a database:
apt install libnginx-mod-http-geoip2 -y
mkdir -p /etc/nginx/geoip
curl -o /etc/nginx/geoip/GeoLite2-Country.mmdb \
"https://your-maxmind-license-download-url"
MaxMind requires a free account to generate the download URL for GeoLite2-Country.mmdb (their license terms changed in late 2019 to require registration — direct anonymous downloads were deprecated).
In nginx.conf, at the http context level:
geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
auto_reload 60m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code default=XX source=$remote_addr country iso_code;
}
map $geoip2_data_country_code $allowed_country {
default no;
US yes;
CA yes;
IN yes;
GB yes;
}
Then inside your HLS location block:
location /hls/ {
if ($allowed_country = no) {
return 403;
}
types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; }
root /var/www;
add_header Cache-Control no-cache;
}
For RTMP ingest or direct RTMP playback, the equivalent lives in the stream {} context using ngx_stream_geoip_module, matched inside your rtmp { server { application live { ... } } } block via the on_connect callback or an allow/deny directive pattern, depending on your NGINX-RTMP module version.
Reload without dropping active streams:
nginx -t && nginx -s reload
Test it honestly — spoofing X-Forwarded-For locally doesn’t validate the stream-layer rule, since RTMP geo-blocking reads $remote_addr directly. Use a VPN endpoint in a blocked country and confirm the connection is refused end to end.
Geo-Blocking on Wowza Streaming Engine and Ant Media Server
If you’re running Wowza rather than raw NGINX-RTMP, you don’t need a reverse proxy for this — Wowza ships a GeoIP AddOn (ModuleGeoIP) that hooks into the same MaxMind GeoIP2/GeoLite2 databases directly inside the engine.
Configuration lives in your application’s Application.xml (or via Wowza Streaming Engine Manager under the application’s Modules tab):
<Module>
<Name>ModuleGeoIP</Name>
<Description>GeoIP restriction</Description>
<Class>com.wowza.wms.plugin.geoip.ModuleGeoIP</Class>
</Module>
Combined with Properties entries setting geoIpCountryCodes (comma-separated ISO codes) and geoIpMatchAllow (true to allow-list those countries, false to block-list them). This applies to RTMP, HTTP, and RTSP connections uniformly since it’s enforced inside the engine’s connection handler rather than at a separate proxy layer — one config, all protocols.
Ant Media Server takes a similar approach through its REST API and IP filter settings, letting you restrict publish or play access by IP range; for country-level rules on Ant Media you’d typically front it with the same NGINX GeoIP2 pattern above, since Ant Media doesn’t ship a native country-code lookup the way Wowza does.
On our pre-installed Wowza streaming VPS images, the GeoIP AddOn and a current GeoLite2 database are already staged — enabling geo-blocking is a module toggle and a property list, not a from-scratch install.
Is Geo-Blocking by IP Actually Reliable?
Country-level IP geo-blocking is reliable enough for licensing compliance, but it is not a security guarantee — a viewer using a VPN, residential proxy, or Tor exit node in an allowed country will pass the check regardless of their real location. Treat it as the accepted industry baseline for regional content restriction, not as proof against every workaround.
The honest failure modes, from what we see across managed customer deployments:
- VPN/proxy traffic: A basic GeoIP2 lookup can’t distinguish a real Canadian IP from a VPN exit node that happens to be hosted in Canada. Commercial VPN-detection add-ons (IP2Proxy, IPQualityScore) exist specifically to close this gap, at extra cost.
- Mobile carrier NAT: Large mobile carriers in India, Africa, and parts of Southeast Asia route huge subscriber pools through a small number of public IPs, sometimes registered administratively in a different country than the actual subscriber base — occasionally causing false blocks or false allows.
- Database staleness: IP allocation shifts over time.
auto_reload 60min the NGINX config above keeps the.mmdbfile current without a reload-triggered outage, but you still need a cron job or MaxMind’sgeoipupdatetool pulling fresh databases weekly. - CDN edge complexity: If you’re serving HLS through a CDN in front of your origin VPS, geo-blocking has to happen at the CDN edge (most CDNs offer this natively) — blocking at your origin alone still lets the CDN cache and serve to everyone, since the CDN’s edge IP is what your origin sees unless you’re reading
X-Forwarded-Forcorrectly.
None of this makes geo-blocking pointless — it stops the overwhelming majority of ordinary out-of-region viewers, which is what most licensing terms actually require. It just isn’t DRM, and you shouldn’t market it to rights holders as unbeatable.
What Does Geo-Blocking Cost, and Which Approach Should You Choose?
Cost is mostly your time, not licensing fees — MaxMind’s GeoLite2 database is free, and both NGINX modules and Wowza’s GeoIP AddOn are included in software you likely already run. The differences are in setup complexity, protocol coverage, and how much accuracy you need.
| Approach | Protocols covered | Database cost | Setup effort | Best for |
|---|---|---|---|---|
NGINX ngx_http_geoip2_module | HLS, DASH, LL-HLS (HTTP) | Free (GeoLite2) or paid (GeoIP2 Precision) | Moderate — reverse proxy config | Sites already fronting media with NGINX |
NGINX ngx_stream_geoip_module | RTMP, RTSP, raw TCP | Free or paid | Moderate — stream-context config | Blocking ingest or direct RTMP playback |
Wowza ModuleGeoIP AddOn | RTMP, HTTP, RTSP (unified) | Free or paid | Low — module + properties, no proxy | Wowza-only deployments wanting one config for all protocols |
| CDN-native geo-blocking | HTTP/HLS at the edge | Included in most CDN plans | Low — dashboard toggle | Anyone serving HLS through a CDN in front of origin |
| Commercial VPN/proxy detection | Layered on top of any of the above | Paid, per-lookup or subscription | Low integration, ongoing cost | High-value sports rights or strict licensing terms |
For most customers running a single origin VPS without a CDN, we recommend NGINX GeoIP2 if you’re on NGINX-RTMP, or the native ModuleGeoIP AddOn if you’re on Wowza — both are free, both are already compatible with our pre-installed streaming engine images, and both took under 20 minutes to configure and test in our own deployment runs.
FAQ
Can geo-blocking on a VPS be bypassed with a VPN?
Yes. IP-based geo-blocking cannot detect that a viewer is using a VPN or proxy unless it is cross-referenced against a commercial VPN/proxy IP list, so a determined viewer can usually route around country restrictions. It still stops the vast majority of casual out-of-region access, which is why broadcasters treat it as a compliance control rather than an unbreakable lock.
How accurate is IP-based country detection?
MaxMind’s GeoIP2 Country database claims roughly 99.8% accuracy at the country level, which is accurate enough for most licensing and compliance use cases. Accuracy drops for mobile carrier NAT ranges and satellite ISPs, where large blocks of users can share IPs registered in a different country than the viewer.
Does geo-blocking work for both RTMP ingest and HLS playback?
Yes, but they are separate rules. RTMP geo-blocking is applied at the TCP/stream connection level with modules like ngx_stream_geoip_module or Wowza’s ModuleGeoIP, while HLS geo-blocking is applied at the HTTP layer on the playlist (.m3u8) and segment (.ts) requests, typically with ngx_http_geoip2_module.
Do I need a paid GeoIP database, or is the free one good enough?
MaxMind’s free GeoLite2 Country database is sufficient for most streaming geo-blocking use cases and is what most self-managed NGINX and Wowza setups use by default. Broadcasters with strict sports or content-licensing obligations often upgrade to the paid GeoIP2 Precision service for higher accuracy and weekly-updated data.
Is geo-blocking enough to satisfy content licensing requirements?
IP-based geo-blocking is the industry-standard baseline for satisfying regional content licensing, but rights holders increasingly expect it paired with token authentication and, for high-value sports or premium content, a VPN-detection service layered on top. Check your specific licensing agreement rather than assuming basic IP geo-blocking alone is contractually sufficient.
Conclusion
Geo-blocking a live stream on a VPS is a well-understood problem with free, mature tooling — NGINX’s GeoIP2 modules or Wowza’s built-in GeoIP AddOn cover RTMP and HLS with under half a millisecond of added latency and no meaningful cost beyond setup time. Its limits are equally well understood: VPNs, mobile carrier NAT, and database staleness mean it’s a compliance baseline, not a security wall, so pair it with token authentication if you’re protecting licensed or paywalled content.
Every Wowza, NGINX-RTMP, and Ant Media VPS from StreamingVPS.com ships with the GeoIP tooling and a current MaxMind database pre-staged — go live in 60 seconds and enable country restrictions the same day. Get a pre-installed streaming VPS from StreamingVPS.com.