Blocking tens of thousands of IP's

Lucas Rolff lucas at lucasrolff.com
Tue Nov 1 21:51:46 UTC 2016


You could very well do a small ipset together with iptables, it's fast, 
and you don't have to reload for every subnet / ip you add.
Doing it within nginx is rather.. Yeah.

-- 
Best Regards,
Lucas Rolff


Cox, Eric S wrote:
> Random, blocks, certain durations, etc. It's very random and/or 
> short-lived, which is something we don't want to move to the firewall 
> at the moment
>
> -----Original Message-----
> *From:* Jeff Dyke [jeff.dyke at gmail.com]
> *Received:* Tuesday, 01 Nov 2016, 5:46PM
> *To:* nginx at nginx.org [nginx at nginx.org]
> *Subject:* Re: Blocking tens of thousands of IP's
>
> What is your firewall? That is the place to block subnets etc. I 
> assume they are not random IPs; they are likely from a block owned by 
> someone??
>
> On Tue, Nov 1, 2016 at 5:37 PM, CJ Ess <zxcvbn4038 at gmail.com 
> <mailto:zxcvbn4038 at gmail.com>> wrote:
>
>     I don't think managing large lists of IPs is nginx's strength - as
>     far as I can tell all of its ACLs are arrays that have to be
>     iterated through on each request.
>
>     When I do have to manage IP lists in Nginx I try to compress the
>     lists into the most compact CIDR representation so there is less
>     to search. Here is a perl snippet I use to do that (handles IPv4
>     and IPv6):
>
>     #!/usr/bin/perl
>     use strict;
>     use warnings;
>     use NetAddr::IP;
>
>     # Read the whitespace-separated list of IPs / subnets from STDIN
>     my $list_of_ips = do { local $/; <STDIN> };
>
>     my @addresses;
>
>     foreach my $subnet (split(/\s+/, $list_of_ips)) {
>       next unless length $subnet;   # skip the empty field from leading whitespace
>       push(@addresses, NetAddr::IP->new($subnet));
>     }
>
>     # compact() merges adjacent and overlapping prefixes into the minimal cover
>     foreach my $cidr (NetAddr::IP::compact(@addresses)) {
>       if ($cidr->version == 4) {
>         print $cidr . "\n";
>       } else {
>         print $cidr->short() . "/" . $cidr->masklen() . "\n";
>       }
>     }
>
>
>     On Tue, Nov 1, 2016 at 11:15 AM, Cox, Eric S <eric.cox at kroger.com
>     <mailto:eric.cox at kroger.com>> wrote:
>
>         Is anyone aware of a difference, performance-wise, between using
>
>         return 403;
>
>         vs
>
>         deny all;
>
>         When mapping against a list of tens of thousands of IPs?
>
>         Thanks
>
>
>         ------------------------------------------------------------------------
>
>         This e-mail message, including any attachments, is for the
>         sole use of the intended recipient(s) and may contain
>         information that is confidential and protected by law from
>         unauthorized disclosure. Any unauthorized review, use,
>         disclosure or distribution is prohibited. If you are not the
>         intended recipient, please contact the sender by reply e-mail
>         and destroy all copies of the original message.
>
>         _______________________________________________
>         nginx mailing list
>         nginx at nginx.org <mailto:nginx at nginx.org>
>         http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
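The two suggestions in the thread fit together: compact the list into the minimal CIDR cover (CJ Ess's point) and then load it into an ipset matched by one iptables rule (Lucas's point), so lookups are hash-based instead of a linear walk through an nginx `deny` list. The script below is an added example written for this thread, not code from any of the posters; it uses only the Python standard library (`ipaddress.collapse_addresses`), the set names `blocklist4`/`blocklist6` are assumptions, and the entries in `SAMPLE_LIST` are constructed.

```python
"""Compact an IP/CIDR blocklist and emit ipset + iptables configuration.

Added example for the nginx-list thread on blocking tens of thousands of IPs;
set names and sample entries are assumptions / constructed data.
"""
import ipaddress
from typing import Iterator, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: bare hosts, overlapping and adjacent subnets,
# IPv6, blank lines and comments, as a hand-maintained blocklist might hold.
SAMPLE_LIST = """
# constructed example entries, not a real blocklist
10.0.0.0/25
10.0.0.128/25
10.0.0.5
10.0.1.5
2001:db8::2
2001:db8::3
"""


def parse_entries(text: str) -> Iterator[Network]:
    """Yield IPv4Network/IPv6Network objects from a blocklist text.

    Bare addresses become /32 or /128; host bits inside a prefix are tolerated
    (strict=False); '#' comments and blank lines are skipped. A malformed
    entry raises ValueError so a bad list fails loudly instead of silently
    shrinking the blocklist.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for token in line.split():
            yield ipaddress.ip_network(token, strict=False)


def compact(text: str) -> Tuple[List[str], List[str]]:
    """Return (v4_cidrs, v6_cidrs): the minimal sorted CIDR cover of the input.

    collapse_addresses merges adjacent prefixes and drops ones contained in
    another, but requires a single address family per call, so split first.
    """
    nets = list(parse_entries(text))
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return [str(n) for n in v4], [str(n) for n in v6]


def ipset_restore(name: str, family: str, cidrs: List[str]) -> str:
    """Render an `ipset restore` script that (re)creates a hash:net set.

    A hash:net set matches a source address with one hash probe per distinct
    prefix length, so match cost does not grow with the entry count the way a
    linear nginx `deny` list does. hashsize must be a power of two.
    """
    hashsize = 1024
    while hashsize < len(cidrs):
        hashsize *= 2
    lines = [
        f"create {name} hash:net family {family} hashsize {hashsize} "
        f"maxelem {max(65536, 2 * len(cidrs))}",
        f"flush {name}",
    ]
    lines += [f"add {name} {c}" for c in cidrs]
    return "\n".join(lines) + "\n"


def iptables_rules(v4_set: str, v6_set: str) -> List[str]:
    """One rule per family drops traffic from any address in the set."""
    return [
        f"iptables -I INPUT -m set --match-set {v4_set} src -j DROP",
        f"ip6tables -I INPUT -m set --match-set {v6_set} src -j DROP",
    ]


if __name__ == "__main__":
    v4, v6 = compact(SAMPLE_LIST)
    print(ipset_restore("blocklist4", "inet", v4))
    print(ipset_restore("blocklist6", "inet6", v6))
    print("\n".join(iptables_rules("blocklist4", "blocklist6")))
```

Feed the generated script to `ipset -exist restore` so the `create` line is accepted when the set already exists; only the set contents change, and the iptables rule that references the set never has to be reloaded. If the brief empty window between `flush` and the `add` lines matters, load the entries into a temporary set and use `ipset swap` to replace the live one atomically.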
