from Hacker News

GDPR for side-projects? Blocking all EU traffic with Nginx in 3 simple steps

by ummjackson on 5/18/18, 3:37 PM with 51 comments

  • by salad77 on 5/18/18, 3:58 PM

    But for compliance many interpretations say it's EU /citizens/; I don't think there are 3 simple steps to block any EU citizen...

    I'm sure many Governments would love to be able to so simply identify what their citizens do online though.

  • by cpc26 on 5/18/18, 6:30 PM

    Unless your side project is a Bot-Net this article seems very FUDDY...

  • by cpburns2009 on 5/18/18, 6:50 PM

    While this sounds like an overreaction, I question the breadth of this method (unrelated to the reliability of IP address origin).

    > This tells nginx to assign the $allow_visit variable a 0 for any users the GeoIP database specifies as coming from the “EU” continent.

    Europe is the continent. The EU does not encompass all European countries. Doesn't this needlessly block non-EU European countries?
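
Added example (not from the linked article or from any commenter): the over-blocking cpburns2009 describes, as nginx config, with the continent-keyed rule from the quoted sentence shown commented out beside a map keyed on country code. The database path, the 403 response, the placeholder server name and the member-state list (the 28 EU members at the time of this thread, May 2018) are assumptions of this example.

```nginx
# --- http context ---
# Requires ngx_http_geoip_module. The database path is an assumption.
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Rule as the quoted sentence describes it (reconstructed for this example;
# the continent variable needs a city database loaded with geoip_city).
# "EU" here is the continent code for Europe, so it also matches visitors
# from CH, NO, IS, RS, UA and other European countries outside the EU:
#
#   map $geoip_city_continent_code $allow_visit {
#       default 1;
#       EU      0;
#   }

# Keyed on ISO 3166-1 country code instead: only the listed member states
# get 0, every other country (European or not) keeps the default of 1.
map $geoip_country_code $allow_visit {
    default 1;
    AT 0; BE 0; BG 0; HR 0; CY 0; CZ 0; DK 0;
    EE 0; FI 0; FR 0; DE 0; GR 0; HU 0; IE 0;
    IT 0; LV 0; LT 0; LU 0; MT 0; NL 0; PL 0;
    PT 0; RO 0; SK 0; SI 0; ES 0; SE 0; GB 0;
}

server {
    listen 80;
    server_name example.com;   # placeholder

    if ($allow_visit = 0) {
        return 403;            # status code is this example's choice
    }
}
```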

  • by LinuxBender on 5/18/18, 5:24 PM

    Geo IP blocking will not block the EU citizens that are not physically in the EU at the time.

    Just for fun, I would add

        server {
            # snip....
            access_log  off;
            error_log   /dev/null crit;  # "error_log off" would write to a file named "off"
            return 307 https://www.google.com/search?q=gdpr;
        }
    
    That should block anyone that might be an EU citizen. /s

  • by ilovetux on 5/18/18, 9:16 PM

    Along with the author, I am hesitant to needlessly follow regulations which only apply to a small portion of the global population of which I am not a part. Especially since there are simple ways to sidestep the liability.

    This, however, does give me an idea. Does anyone have an interest in a web framework which provides user/data management in a gdpr compliant way?

  • by lrpublic on 5/18/18, 8:38 PM

    This seems to be flawed logic; many EU devices have IP addresses from non-EU address blocks.

    Assuming there is any significant adoption of your proposed solution to avoid GDPR rules, the likelihood is EU citizens will use VPN or proxy services to bypass the restrictions.

    I don’t think the use of a VPN would remove the GDPR obligations on the data controller or data processor.

  • by olliej on 5/18/18, 5:15 PM

    If you have a side project that siphons personal information from people for no reason, then maybe the GDPR isn’t the problem...

  • by hathathat on 5/18/18, 5:24 PM

    What would be a GDPR-compliant yet useful access_log setting?

  • by splintercell on 5/18/18, 5:13 PM

    HN crowd loves GDPR, so get ready for this never making it to the front page.