geo-ip + nginx

Payam Chychi pchychi at gmail.com
Fri May 29 22:55:03 MSD 2009


2009/5/29 Igor Sysoev <is at rambler-co.ru>:
> On Fri, May 29, 2009 at 11:16:29AM -0700, Payam Chychi wrote:
>
>> 2009/5/28 Igor Sysoev <is at rambler-co.ru>:
>> > On Thu, May 28, 2009 at 08:46:13AM -0700, Payam Chychi wrote:
>> >
>> >> 2009/5/28 Igor Sysoev <is at rambler-co.ru>:
>> >> > On Thu, May 28, 2009 at 08:21:16AM -0700, Payam Chychi wrote:
>> >> >
>> >> >> hey guys,
>> >> >>
>> >> >> anyone know the upper limits of number of acl lines for geo-ip /w
>> >> >> nginx? I have a list of 7000 lines and I feel that I might be hitting
>> >> >> a performance wall at 20-30mbps of request (6-9k req/sec)
>> >> >> boxes I'm using are xeon 2.4ghz+ dual core/dual proc + 4gig ram
>> >> >
>> >> > If you use geo variables, then there is no limit.
>> >> > I use about 200,000 addresses.
>> >> >
>> >> >
>> >> > --
>> >> > Igor Sysoev
>> >> > http://sysoev.ru/en/
>> >> >
>> >> >
>> >>
>> >> I see, so I assume you load the entire 200k list once, then refer back
>> >> to it for one/or/more configs? The way I am doing it is I have 1
>> >> global list that applies to all configs then I also have a 2nd list
>> >> that applies to individual configs.
>> >
>> > We use single geo variables for geo targeting, but not for blocking.
>> >
>> >> 1st list drops all known bad hosts (default = ddos)
>> >> 2nd list allows connections only from particular sources that match
>> >> the list (default = 0)
>> >>
>> >> ever have any issues loading multiple lists in geo with different variables?
>> >
>> > No issues.
>> >
>> >> ex:
>> >>       location / {
>> >>               if ( $ddos_ru = ddos ) {
>> >>                       return 403;
>> >>                       break;
>> >>               }
>> >>
>> >>               if ( $geo2 = 0 ) {
>> >>                       return 403;
>> >>                       break;
>> >>               }
>> >
>> > These "break"s are useless.
>> >
>> > Also I prefer this way:
>> >
>> > geo $ddos_ru {
>> >    default  1;
>> >    ...      0;
>> >    ...      0;
>> >    ...      0;
>> > }
>> >
>> > geo $geo2 {
>> >    default  1;
>> >    ...      0;
>> >    ...      0;
>> >    ...      0;
>> > }
>> >
>> >       if ($ddos_ru) {
>> >           return 403;
>> >       }
>> >
>> >       if ($geo2) {
>> >           return 403;
>> >       }
>> >
>> >>
>> >>               proxy_pass              http://LB_HTTP_x.x.x.x;
>> >>               proxy_intercept_errors  on;
>> >>               proxy_cache             one;
>> >>               proxy_cache_key         x.x.x.x$request_uri;
>> >>               proxy_cache_valid       200 1h;
>> >>               proxy_cache_valid       404 5m;
>> >>               proxy_cache_use_stale   error timeout invalid_header;
>> >>       }
>> >>
>> >>
>> >> --
>> >> Payam Tarverdyan Chychi
>> >> Network Security Specialist / Network Engineer
>> >
>> > --
>> > Igor Sysoev
>> > http://sysoev.ru/en/
>> >
>> >
>>
>> Hey Igor,
>>
>> I can see why... looks good, however I am trying to move towards a
>> master list (geo2) that has multiple different variables as it is an
>> ip-->country mapping database so the suggestion won't work... I don't
>> believe. I am trying to allow a setup where I can say "only allow
>> connections from CA and EU" type of thing. Here is what I got:
>>
>> action=deny;
>>
>>  geo $geo2 {
>>      default  1;
>>      ...      CA;
>>      ...      US;
>>      ...      EU;
>>  }
>>
>>  if ($geo2 = 'CA|EU') {
>>      set $action "permit";
>>  }
>>
>>  if ($action ~* "permit") {
>>      proxy_pass              http://LB_HTTP_x.x.x.x;
>>      break;
>>  }
>>
>>  if ($action !~ "permit") {
>>      return 403;
>>  }
>
> No, do not use proxy_pass inside "if" if it's possible to configure
> proxy_pass in a different way.  The "return" is the only directive that
> works inside "if" as anyone may expect. Others have hidden agendas.
>
> So
>
>    if ($geo2 !~* "CA|EU") {
>         return 403;
>    }
>
>    proxy_pass  http://LB_HTTP_x.x.x.x;
>
> However, I prefer to create exact geo map with just two values - 0 and 1.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
>

I see, ok great advice :)  Thank you

-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
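Igor's closing advice is to compile the ip-->country database down to a geo map with only two values, 0 and 1, and then use a single `return 403` before `proxy_pass`. The generator below is an added example (not code from this thread or from nginx); the sample network list, the allowed-country set and the variable name `$geo_blocked` are constructed for illustration.

```python
"""Build an nginx ``geo`` block with exactly two values from an ip->country list.

Semantics follow Igor's preferred form: default 1 (blocked), listed networks
of allowed countries 0, so the location needs only
    if ($geo_blocked) { return 403; }
    proxy_pass http://LB_HTTP_x.x.x.x;
"""
import ipaddress

# Constructed sample of an ip->country mapping (CIDR, country code).  "EU" is
# kept as an opaque value because the thread's database uses it as a code.
SAMPLE_MAPPING = [
    ("192.0.2.0/24", "CA"),
    ("198.51.100.0/24", "US"),
    ("203.0.113.0/24", "EU"),
    ("203.0.113.64/26", "CN"),   # more specific prefix inside an allowed /24
    ("192.0.2.0/24", "CA"),      # duplicate line; must be emitted only once
]


def render_geo_block(mapping, allowed, variable="$geo_blocked"):
    """Return the geo block text.  A malformed CIDR raises ValueError here
    rather than producing a config that only fails at ``nginx -t`` time.
    Networks of non-allowed countries are still emitted with value 1 so a
    longer prefix (the CN /26 inside the EU /24) stays blocked."""
    seen, rows = set(), []
    for cidr, country in mapping:
        net = ipaddress.ip_network(cidr, strict=True)
        if net in seen:
            continue
        seen.add(net)
        rows.append((net, 0 if country in allowed else 1))
    rows.sort(key=lambda r: (r[0].version, int(r[0].network_address), r[0].prefixlen))
    lines = [f"geo {variable} {{", "    default 1;"]
    lines += [f"    {net}  {value};" for net, value in rows]
    lines.append("}")
    return "\n".join(lines)


def lookup(mapping, allowed, ip):
    """Emulate the longest-prefix match nginx's radix-tree geo lookup performs
    for CIDR entries, so the generated block can be sanity-checked offline."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, country in mapping:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, 0 if country in allowed else 1)
    return 1 if best is None else best[1]
```

Paste the returned block into the `http` context (the geo directive is not allowed inside `server` or `location`) and verify with `nginx -t` before reloading.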