Blocking tens of thousands of IP's

CJ Ess zxcvbn4038 at gmail.com
Tue Nov 1 21:37:59 UTC 2016


I don't think managing large lists of IPs is nginx's strength - as far as I
can tell all of its ACLs are arrays that have to be iterated through on
each request.

When I do have to manage IP lists in Nginx I try to compress the lists into
the most compact CIDR representation so there is less to search. Here is a
Perl snippet I use to do that (handles IPv4 and IPv6):

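#!/usr/bin/perl

use strict;
use warnings;
use NetAddr::IP;

# Whitespace-separated IPs/CIDRs, read here from STDIN.
my $list_of_ips = do { local $/; <STDIN> } // '';

my @addresses;

foreach my $subnet (split(' ', $list_of_ips)) {
  # new() returns undef for unparsable entries; skip those.
  my $ip = NetAddr::IP->new($subnet) or next;
  push(@addresses, $ip);
}

# compact() merges adjacent and overlapping blocks into the fewest CIDRs.
foreach my $cidr (NetAddr::IP::compact(@addresses)) {
  if ($cidr->version == 4) {
    print $cidr . "\n";
  } else {
    print $cidr->short() . "/" . $cidr->masklen() . "\n";
  }
}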


On Tue, Nov 1, 2016 at 11:15 AM, Cox, Eric S <eric.cox at kroger.com> wrote:

> Is anyone aware of a difference performance wise between using
>
> return 403;
>
> vs
>
> deny all;
>
> When mapping against a list of tens of thousands of ip?
>
> Thanks
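
Added example, not part of the original message: a Python version of the same compaction step that also rejects unparsable entries and checks that the compacted list covers exactly the same addresses as the input before emitting nginx `deny` lines. The sample addresses are constructed documentation ranges, and the function names are this example's own.

```python
import ipaddress

# Constructed sample input (documentation ranges), not data from the thread.
SAMPLE = """
192.0.2.0 192.0.2.1 192.0.2.2 192.0.2.3
198.51.100.0/25 198.51.100.128/25 198.51.100.7
203.0.113.9 203.0.113.9 not-an-ip
2001:db8::/33 2001:db8:8000::/33 2001:db8::1
"""

def parse_entries(text):
    """Split on whitespace; return (networks, rejected tokens)."""
    nets, rejected = [], []
    for token in text.split():
        try:
            # strict=False masks host bits (10.0.0.5/24 -> 10.0.0.0/24)
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return nets, rejected

def compact(nets):
    """Collapse each address family separately into the fewest CIDR blocks."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def union_size(nets):
    """Count distinct addresses by merging integer ranges (independent of compact)."""
    total, cur_ver, cur_end = 0, None, -1
    spans = sorted((n.version, int(n.network_address), int(n.broadcast_address)) for n in nets)
    for ver, lo, hi in spans:
        if ver != cur_ver:
            cur_ver, cur_end = ver, -1
        if hi > cur_end:
            total += hi - max(lo, cur_end + 1) + 1
            cur_end = hi
    return total

def same_coverage(original, compacted):
    """True only if nothing was dropped and nothing extra is blocked."""
    covered = all(any(o.version == c.version and o.subnet_of(c) for c in compacted)
                  for o in original)
    return covered and union_size(original) == sum(c.num_addresses for c in compacted)

def nginx_deny_lines(compacted):
    return [f"deny {net};" for net in compacted]

if __name__ == "__main__":
    nets, rejected = parse_entries(SAMPLE)
    compacted = compact(nets)
    if not same_coverage(nets, compacted):
        raise SystemExit("compacted list does not match the input coverage")
    print("\n".join(nginx_deny_lines(compacted)))
    print(f"# {len(nets)} entries -> {len(compacted)} CIDRs, rejected: {rejected}")
```

The coverage check matters when the compacted list comes from a script or source you do not control: a list that is shorter but wider blocks clients that were never on the original list.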