Blocking tens of thousands of IP's

Jeff Dyke jeff.dyke at gmail.com
Tue Nov 1 21:46:21 UTC 2016


What is your firewall? That is the place to block subnets etc. I assume
they are not random IPs; they are likely from a block owned by someone?

On Tue, Nov 1, 2016 at 5:37 PM, CJ Ess <zxcvbn4038 at gmail.com> wrote:

> I don't think managing large lists of IPs is nginx's strength - as far as
> I can tell all of its ACLs are arrays that have to be iterated through on
> each request.
>
> When I do have to manage IP lists in Nginx I try to compress the lists
> into the most compact CIDR representation so there is less to search. Here
> is a perl snippet I use to do that (handles ipv4 and ipv6):
>
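> #!/usr/bin/perl
>
> use NetAddr::IP;
>
> # Whitespace-separated IPs/CIDRs. The snippet as posted left
> # $list_of_ips undefined; reading it from STDIN is an assumption.
> my $list_of_ips = do { local $/; <STDIN> };
>
> my @addresses;
>
> foreach my $subnet (split(/\s+/, $list_of_ips)) {
>   push(@addresses, NetAddr::IP->new($subnet));
> }
>
> # Merge adjacent and overlapping entries into the fewest CIDR blocks
> foreach my $cidr (NetAddr::IP::compact(@addresses)) {
>   if ($cidr->version == 4) {
>     print $cidr . "\n";
>   } else {
>     # IPv6: print the shortened address form plus the prefix length
>     print $cidr->short() . "/" . $cidr->masklen() . "\n";
>   }
> }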
>
>
> On Tue, Nov 1, 2016 at 11:15 AM, Cox, Eric S <eric.cox at kroger.com> wrote:
>
>> Is anyone aware of a difference performance wise between using
>>
>> return 403;
>>
>> vs
>>
>> deny all;
>>
>> When mapping against a list of tens of thousands of ip?
>>
>>
>>
>> Thanks
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
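
Added example, not part of the thread: a Python counterpart to the CIDR compaction quoted above, using the standard `ipaddress` module. It goes a step further by rejecting malformed entries and rendering the result as an nginx `geo` block, which nginx looks up in a radix tree instead of walking a list per request. The variable name `$blocked` and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def compact_networks(entries):
    """Collapse IPs/CIDRs into the smallest equivalent CIDR list.

    Returns (networks, rejected); networks are IPv4 first, then IPv6.
    """
    v4, v6, rejected = [], [], []
    for entry in entries:
        try:
            # strict=False also accepts entries with host bits set
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append(entry)  # keep bad input visible, do not drop it
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() only accepts one address family per call
    networks = list(ipaddress.collapse_addresses(v4))
    networks += list(ipaddress.collapse_addresses(v6))
    return networks, rejected


def render_geo_block(networks, variable="$blocked"):
    """Render an nginx geo block; the variable name is an assumption."""
    lines = [f"geo {variable} {{", "    default 0;"]
    lines += [f"    {net} 1;" for net in networks]
    lines.append("}")
    return "\n".join(lines)


# Constructed sample input: duplicates, adjacent hosts, adjacent
# subnets, a host already covered by a subnet, and one malformed line.
SAMPLE = """
192.0.2.0 192.0.2.1 192.0.2.2 192.0.2.3
198.51.100.0/25 198.51.100.128/25 198.51.100.77
203.0.113.7 203.0.113.7
2001:db8::/33 2001:db8:8000::/33
not-an-ip
"""

if __name__ == "__main__":
    nets, bad = compact_networks(SAMPLE.split())
    print(render_geo_block(nets))
    for entry in bad:
        print(f"# rejected: {entry}")
```

Place the generated block in the `http` context and reject matching clients in the server block with `if ($blocked) { return 403; }`.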