geo-ip + nginx

Payam Chychi pchychi at gmail.com
Fri May 29 22:16:29 MSD 2009


2009/5/28 Igor Sysoev <is at rambler-co.ru>:
> On Thu, May 28, 2009 at 08:46:13AM -0700, Payam Chychi wrote:
>
>> 2009/5/28 Igor Sysoev <is at rambler-co.ru>:
>> > On Thu, May 28, 2009 at 08:21:16AM -0700, Payam Chychi wrote:
>> >
>> >> hey guys,
>> >>
>> >> anyone know the upper limits of the number of ACL lines for geo-ip w/
>> >> nginx? I have a list of 7000 lines and I feel that I might be hitting
>> >> a performance wall at 20-30mbps of requests (6-9k req/sec)
>> >> boxes I'm using are xeon 2.4ghz+ dual core/dual proc + 4gig ram
>> >
>> > If you use geo variables, then there is no limit.
>> > I use about 200,000 addresses.
>> >
>> >
>> > --
>> > Igor Sysoev
>> > http://sysoev.ru/en/
>> >
>> >
>>
>> I see, so I assume you load the entire 200k list once, then refer back
>> to it for one or more configs? The way I am doing it is I have 1
>> global list that applies to all configs, then I also have a 2nd list
>> that applies to individual configs.
>
> We use single geo variables for geo targeting, but not for blocking.
>
>> 1st list drops all known bad hosts (default = ddos)
>> 2nd list allows connections only from particular sources that match
>> the list (default = 0)
>>
>> ever have any issues loading multiple lists in geo with different variables?
>
> No issues.
>
>> ex:
>>       location / {
>>                if (  $ddos_ru = ddos ){
>>                         return 403;
>>                         break;
>>                 }
>>
>>                if ( $geo2 = 0 ) {
>>                         return 403;
>>                         break;
>>                 }
>
> These "break"s are useless.
>
> Also I prefer this way:
>
> geo $ddos_ru {
>    default  1;
>    ...      0;
>    ...      0;
>    ...      0;
> }
>
> geo $geo2 {
>    default  1;
>    ...      0;
>    ...      0;
>    ...      0;
> }
>
>       if ($ddos_ru) {
>           return 403;
>       }
>
>       if ($geo2) {
>           return 403;
>       }
>
>>
>>          proxy_pass              http://LB_HTTP_x.x.x.x;
>>        proxy_intercept_errors on;
>>        proxy_cache             one;
>>          proxy_cache_key         x.x.x.x$request_uri;
>>          proxy_cache_valid       200  1h;
>>        proxy_cache_valid       404 5m;
>>          proxy_cache_use_stale   error timeout invalid_header;
>>          }
>>
>>
>> --
>> Payam Tarverdyan Chychi
>> Network Security Specialist / Network Engineer
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
>

Hey Igor,

I can see why... looks good. However, I am trying to move towards a
master list (geo2) that has multiple different variables as it is an
ip-->country mapping database, so the suggestion won't work... I don't
believe. I am trying to allow a setup where I can say "only allow
connections from CA and EU" type of thing. Here is what I got:

 # geo lives in the http context; the address blocks are left elided as in the original.
 geo $geo2 {
    default  1;
    ...      CA;
    ...      US;
    ...      EU;
 }

 # The following directives belong in the server/location context.
 # "set" is the nginx syntax for assigning a variable ("action=deny;" is not valid).
 set $action "deny";

 # "=" is an exact string comparison, so '$geo2 = CA|EU' would never match;
 # "~" is a regex match, anchored so that only CA or EU (not e.g. "CAX") permits.
 if ($geo2 ~ "^(CA|EU)$") {
     set $action "permit";
 }

 if ($action ~* "permit") {
     proxy_pass              http://LB_HTTP_x.x.x.x;
 }

 if ($action !~ "permit") {
     return 403;
 }

-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
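For the "only allow connections from CA and EU" setup discussed in the thread, the following is an added example (not configuration from either poster): it keeps the country lookup in a single geo variable and replaces the chain of "if"s with a map from country code to action, so the default case is an explicit deny. The network blocks are constructed placeholders, not real country allocations, and the upstream name is the thread's own placeholder.

```nginx
http {
    # geo matches $remote_addr against the most specific listed block.
    # Anything not listed falls through to the default, which the map below denies.
    geo $client_country {
        default       XX;   # unknown / unlisted address
        10.1.0.0/16   CA;   # constructed placeholder block
        10.2.0.0/16   US;   # constructed placeholder block
        10.3.0.0/16   EU;   # constructed placeholder block
    }

    # Single lookup table: country code -> action. Only CA and EU are permitted;
    # every other value, including the geo default, resolves to "deny".
    map $client_country $geo_action {
        default  deny;
        CA       permit;
        EU       permit;
    }

    server {
        listen 80;

        location / {
            # Reject before anything is proxied; no "break" is needed after "return".
            if ($geo_action = deny) {
                return 403;
            }
            proxy_pass http://LB_HTTP_x.x.x.x;
        }
    }
}
```

Run `nginx -t` against the file before reloading so a typo in the geo list cannot leave the allow list unenforced.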




