Blocking tens of thousands of IP's
francis at daoine.org
Thu Nov 3 19:00:35 UTC 2016
On Tue, Nov 01, 2016 at 03:15:45PM +0000, Cox, Eric S wrote:
> Is anyone aware of a difference performance wise between using
> return 403;
> deny all;
> When mapping against a list of tens of thousands of ip?
I think the answer is "no".
I would expect that "return 403" would be quicker, since the rewrite
phase happens before the access phase. But I also suspect that the
"checking the list of tens of thousands" that would have to happen first,
would swamp any difference.
I think that the general rule is that if you do not measure a difference,
there is not an important difference to you.
And yes, use "geo" rather than "map" or any other list.
(Or: build one of each in your lab and measure.)
Francis Daly francis at daoine.org
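
An added example, not part of the original message or of nginx itself: one way to turn a large address list into the "geo" block recommended above, merging duplicates and adjacent ranges so nginx loads fewer entries. The variable name $blocked, the function names and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input (documentation address ranges only).
SAMPLE = """\
# one IP or CIDR per line; '#' starts a comment
192.0.2.0/25
192.0.2.128/25
198.51.100.7
198.51.100.7
203.0.113.9/24
2001:db8::1
not-an-ip
"""

def parse_blocklist(lines):
    """Return (networks, rejected) parsed from lines of IPs or CIDRs."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False normalises host bits: 203.0.113.9/24 -> 203.0.113.0/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # report rather than write a broken config
    return nets, rejected

def collapse(nets):
    """Merge duplicates and adjacent/overlapping ranges, IPv4 first, then IPv6."""
    merged = []
    for version in (4, 6):  # collapse_addresses() refuses mixed versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged

def render_geo(nets, variable="$blocked"):
    """Render an nginx geo block: listed ranges map to 1, everything else to 0."""
    body = "".join(f"    {n} 1;\n" for n in collapse(nets))
    return f"geo {variable} {{\n    default 0;\n{body}}}\n"

if __name__ == "__main__":
    networks, bad = parse_blocklist(SAMPLE.splitlines())
    print(render_geo(networks), end="")
    for entry in bad:
        print(f"# skipped invalid entry: {entry}")
```

The generated block goes in the http context; a server or location can then reject matches with `if ($blocked) { return 403; }`.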