In the process of making Beamtic sites GDPR compliant, I have decided to make some changes to the way I collect consent from users. Some website owners decide to simply show the consent dialog to all their users, and thereby avoid having to deal with GEO location. I used to take that approach, but I realize this was a mistake.
Without getting into too many details, I think it was a mistake because I disagree with the requirement to show these consent dialogs. They are quite simply toxic for UX (users) and both unfair and unreasonable for website owners (that is us). The problem the EU seeks to address should likely be solved in the browser – and certainly not by individual site owners.
Because of the above, I have decided to install a module for my web-server (Apache), which enables me to perform easy GEO location lookups. This allows me to only show the consent dialog to users within the EEA (European Economic Area).
The module I am using is called mod_maxminddb and can be easily installed on an Apache production server. I am not sure how to install this on my local development server yet, since it could (would?) give unexpected results with local IP addresses. If that is the case, then it is likely nothing that cannot be accounted for with an if-else statement in PHP.
Note that this only covers the technical aspect of installing the module, not how to create the consent dialog mechanism itself, or how to fulfill the requirements of GDPR.
Before installing the module, you also need to install the libmaxminddb library. This can be installed via PPA in Ubuntu. More info here: https://github.com/maxmind/libmaxminddb/blob/master/README.md
You also need to install the dev package for your Apache version. In my case, this was done like below:
sudo apt install apache2-dev
If you have not installed the apache2-dev package, you might get errors such as this:
configure: error: apxs not found. set apxs with --with-apxs.
How to install mod_maxminddb
The module itself is actually surprisingly easy to install. However, it did take some time for me to understand exactly what I had to do. I was not very familiar with installing from tarballs, so this was my first roadblock. My problem was, I could not find where to download the tarball file mentioned in the documentation. It turns out you just have to click on the releases tab on their GitHub repository, and the tarballs are available for download from there.
Installing from the tarball is covered in their documentation, here: http://maxmind.github.io/mod_maxminddb/. But I will also repeat the steps in this article. Please check the official documentation for updated instructions!
If you are trying to install on your live server, likely in the cloud or on a server with your hosting company, you can download the tarball using the wget command, and then extract the file before running the commands found in the official documentation. I am personally using Ubuntu, but this should work for other distributions as well.
The exact steps I took to install mod_maxminddb were as follows:
- cd /home/[YOUR_USER]
- wget [URL_TO_TARBALL_FILE]
- tar -xvzf [PATH_TO_TARBALL_FILE]
- cd [PATH_TO_EXTRACTED_TARBALL]
- make install
This automatically installed and enabled the module. All I had to do afterwards was to update my Apache configuration files, and download a database from MaxMind. The database file has to be linked in the configuration file. Inside the configuration files I added the following:
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBFile CITY_DB /usr/local/share/GeoIP/GeoLite2-City.mmdb
MaxMindDBEnv COUNTRY_CODE COUNTRY_DB/country/iso_code
MaxMindDBEnv CONTINENT_CODE CITY_DB/continent/code
Since I am hosting multiple sites on my server, I added this in a VHOST file in /etc/apache2/sites-available, but you can also use .htaccess files or the main configuration.
The database will also need to be extracted after downloading it. Again, simply use wget to download the database file from MaxMind's website. Databases are found here: https://dev.maxmind.com/geoip/geoip2/geolite2/
After updating the configuration, remember to restart the server with service apache2 restart
If you did everything correctly, you should now be able to access GEO information via the $_SERVER global in PHP. For example:
echo $_SERVER['COUNTRY_CODE'];
// Sometimes returns unexpected values (e.g. A1|A2|EU|AP)
// See: https://dev.maxmind.com/geoip/legacy/mod_geoip2/ for more information
Knowing if the user is in the EEA
There should be no need to maintain a secondary list of countries in Europe to compare against. Instead, using the city database, we add the following to Apache's configuration:
MaxMindDBEnv CONTINENT_CODE CITY_DB/continent/code
This gives us access to the "CONTINENT_CODE" variable. In PHP this may be accessed via the $_SERVER global:
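The following is an added example, not code from the original article: a small PHP function that reads CONTINENT_CODE and decides whether to show the consent dialog. The function name, the choice to show the dialog when no continent is available (for instance on a local development server) and the sample inputs are assumptions of this example.

```php
<?php
// Added example: decide whether to show the consent dialog from the
// CONTINENT_CODE variable exported by the MaxMindDBEnv directive.

/**
 * Returns true when the consent dialog should be shown.
 *
 * $server   normally $_SERVER; passed in so the logic can be exercised
 *           with constructed input.
 * $default  result when no continent could be determined
 *           (assumption of this example: show the dialog).
 */
function should_show_consent_dialog(array $server, bool $default = true): bool
{
    // The variable may be absent when the module is not loaded or the
    // lookup found nothing, e.g. 127.0.0.1 or a private address on a
    // local development server.
    $continent = $server['CONTINENT_CODE'] ?? '';

    // Accept only a two-letter code; anything else counts as "unknown"
    // instead of being compared loosely.
    if (!is_string($continent) || !preg_match('/^[A-Z]{2}$/', $continent)) {
        return $default;
    }

    // "EU" is the continent code for Europe. It is a continent, not the
    // EEA, so it also matches European countries outside the EEA.
    return $continent === 'EU';
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    'visitor in Europe'        => ['CONTINENT_CODE' => 'EU'],
    'visitor in North America' => ['CONTINENT_CODE' => 'NA'],
    'local development server' => [],  // variable not set
    'empty value'              => ['CONTINENT_CODE' => ''],
];

foreach ($samples as $label => $server) {
    $result = should_show_consent_dialog($server) ? 'show dialog' : 'no dialog';
    printf("%-26s %s\n", $label, $result);
}
```

In a page handler the call would be should_show_consent_dialog($_SERVER).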
This is better than manually comparing the COUNTRY_CODE variable with a list of EU countries, since you do not have to account for unexpected values in the COUNTRY_CODE, such as A1 for proxy servers. All we really care about is the client IP address, regardless if they are using a proxy.
But, again, this might not exactly meet the requirement about getting consent from EU citizens, since we cannot reliably tell if someone is an EU citizen based on GEO location.