General Data Protection Regulation (GDPR). If you are a business owner, it is something you must know.
I am not a lawyer, but basically, if your system does business with EU or EEA (European Economic Area) users through web sites, you must comply with GDPR; otherwise you can be fined €20 million (about £18 million) or 4% of annual global turnover, whichever is greater, for infringements.
Again, I am not a lawyer, but I felt scared when I launched websites before. So I will share how we can keep our system out of GDPR's scope by blocking EU/EEA traffic at the edge. (Please don't sue me if you find a problem below. I am not responsible.)
#1.Premise
1-1. Who is this article for?
Someone who builds systems in the following environment:
- Your applications run on Google Kubernetes Engine.
- Your application runs behind nginx and a GKE ingress (Google Cloud load balancer).
1-2. Premise: What we are going to do
We will block all HTTPS requests from EU/EEA countries.
1-3. Premise: How we proceed
Procedure
- Configure IAM role (1 min)
- Configure load balancer to send the client country code to backend services (1 min)
- Configure nginx to block requests from EU/EEA countries (5 min)
- Done!
Reference: Razer Blade Community
#2.Block EU/EEA Users
2-1. Configure IAM role (1 min)
Go to the Google Cloud IAM Console and find the account you will run the following steps as from your console. If you don't know which one, run gcloud info; you will find the account name in the Current Properties section.
Grant that account the Compute Admin role. It allows us to update load balancers in the next step. Compute Admin is a broad role; the narrower predefined role Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) is enough to update backend services and is the least-privilege choice if the account is used for nothing else.
2-2. Configure load balancers to send the client country code to backend services (1 min)
Go to the Google Cloud Load Balancer Console and check the names of the backend services created by your ingress, for example k8s-be-98765--abcdef1234567891.
Open a console on your PC and execute the following command. If you have more than one backend service, execute the command for each of them. It makes the load balancer add a request header X-Client-Region containing the client's country code, such as US for the United States or JP for Japan, before forwarding the request to the backend services.
gcloud compute backend-services update {name of backend service} --global --custom-request-header 'X-Client-Region:{client_region}'
Afterwards, run gcloud compute backend-services describe {name of backend service} --global and confirm that customRequestHeaders contains the new header and still contains any custom headers you had configured before.
2-3. Configure nginx to block requests from EU/EEA countries (5 min)
Now your nginx receives the country code from the Google load balancer (ingress) in the X-Client-Region header, which nginx exposes as $http_x_client_region. So block the request if it is one of the EU/EEA countries.
Configure your nginx.conf as follows and deploy it to your cluster. Note that nginx must only be reachable through the load balancer: if a client can reach a pod or node port directly, it can send its own X-Client-Region header and bypass the block.
*****removed here ****
http {
    # X-Client-Region is set by the Google load balancer; nginx exposes it
    # as $http_x_client_region. Map the country code to yes/no.
    map $http_x_client_region $allowed_country {
        default yes;   # unknown or missing region is allowed (fail-open)
        # EU member states (ISO 3166-1 alpha-2 codes, as sent by the load balancer)
        AT no;
        BE no;
        BG no;
        HR no;
        CY no;
        CZ no;
        DK no;
        EE no;
        FI no;
        FR no;
        DE no;
        GR no;   # Greece: the ISO code is GR (EL is only the Eurostat abbreviation and would never match)
        HU no;
        IE no;
        IT no;
        LV no;
        LT no;
        LU no;
        MT no;
        NL no;
        PL no;
        PT no;
        RO no;
        SK no;
        SI no;
        ES no;
        SE no;
        # EEA countries outside the EU
        NO no;
        IS no;
        LI no;
    }
    server {
*****removed here ****
        # Reject the request before any location is processed
        if ($allowed_country = no) {
            return 403;
        }
*****removed here ****
    }
}
2-4. Done!
Now test that requests from the listed countries are blocked by nginx. I assume that you are not in the EU/EEA, so temporarily add your own country code to the map in nginx.conf from the previous step. Then, if you try to access your site, the 403 Forbidden page will appear. Remove your country code from the map again afterwards.
Congratulations!
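The following script is an added example, not code from the original post. It automates step 2-2 (running the gcloud update for every ingress backend service instead of by hand) and adds a spoofing check for step 2-4: a request that carries a forged X-Client-Region header must get the same answer as a plain request, otherwise nginx is trusting a header the client controls. It assumes gcloud is installed and authenticated as the account from step 2-1, that the ingress backend services use GKE's default k8s-be- name prefix, and that you run the check from outside the EU/EEA; the script name block-eu.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): automate step 2-2 for every
# GKE ingress backend service and add a spoofing check for step 2-4.
# Assumptions: gcloud is installed and authenticated as the account from
# step 2-1, the ingress backend services use GKE's default "k8s-be-" name
# prefix, and you are running the check from outside the EU/EEA.
set -eu

HEADER_SPEC='X-Client-Region:{client_region}'

# Print the names of the global backend services created by the GKE ingress.
list_ingress_backends() {
  gcloud compute backend-services list --global \
    --filter='name ~ ^k8s-be-' --format='value(name)'
}

# Set the custom request header on one backend service (same command as in
# the post). If the service already had other custom request headers, pass
# them again here too, and confirm with "describe" that none were dropped.
apply_region_header() {
  gcloud compute backend-services update "$1" --global \
    --custom-request-header "$HEADER_SPEC"
}

# Run the update for every ingress backend service instead of by hand.
apply_to_all_backends() {
  for be in $(list_ingress_backends); do
    echo "updating $be"
    apply_region_header "$be"
  done
}

# Return the HTTP status code for URL; extra arguments are passed to curl.
http_status() {
  url=$1
  shift
  curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Spoofing check: a client-supplied X-Client-Region must not change the
# answer. From outside the EU/EEA, a plain request and one claiming to come
# from Germany must both get the same status. If the forged one turns into a
# 403, nginx is acting on a header the client controls, which means the
# region header reaching nginx is not the load balancer's (for example
# because the request did not go through the load balancer at all).
forged_header_is_ignored() {
  plain=$(http_status "$1")
  forged=$(http_status "$1" -H 'X-Client-Region: DE')
  [ "$plain" = "$forged" ]
}

# Stand-alone usage:
#   sh block-eu.sh apply                 set the header on all ingress backends
#   sh block-eu.sh check https://host/   verify a forged region header is ignored
case "${1:-}" in
  apply) apply_to_all_backends ;;
  check)
    if forged_header_is_ignored "$2"; then
      echo "OK: forged X-Client-Region is ignored"
    else
      echo "FAIL: forged X-Client-Region changed the response; the block can be bypassed"
      exit 1
    fi ;;
esac
```

Run the apply step once after creating or recreating the ingress (GKE creates a new backend service per service port, so new ports need the header too), and run the check step against the public hostname, not against a pod or node IP, since the point is to confirm that only the load balancer's value reaches nginx.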
#3.Tips
If you search for how to block requests from specific countries, you will find articles that use MaxMind's GeoIP database inside nginx. That is an alternative solution that does not depend on the load balancer. Keep in mind that either way the decision is based on IP geolocation, which is approximate, and users behind a VPN or proxy in another country will not be blocked.
#4.Links
- Google Cloud Load Balancer: Creating user-defined request headers