Blocking tens of thousands of IPs

Maxim Dounin mdounin at mdounin.ru
Wed Nov 2 12:57:31 UTC 2016


Hello!

On Tue, Nov 01, 2016 at 05:37:59PM -0400, CJ Ess wrote:

> I don't think managing large lists of IPs is nginx's strength - as far as I
> can tell all of its ACLs are arrays that have the be iterated through on
> each request.
> 
> When I do have to manage IP lists in Nginx I try to compress the lists into
> the most compact CIDR representation so there is less to search. Here is a
> perl snippet I use to do that (handles ipv4 and ipv6):

Yes, the "allow" / "deny" directives do a sequential scan of the address 
blocks specified, and this may not be very efficient when working 
with large sets of IPs.

For large lists of IPs it's usually a better idea to use the geo 
module, combined with if/return:

   geo $blocked {
       default      0;
       192.2.0.0/16 1;
       ...
   }

   if ($blocked) {
       return 403;
   }

Documentation is here:
http://nginx.org/en/docs/http/ngx_http_geo_module.html

-- 
Maxim Dounin
http://nginx.org/
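As an added example, not code from either poster or from the nginx project: a small Python script that does the two things discussed in this thread, collapsing a raw list of addresses into the smallest set of CIDR blocks (the step CJ Ess does with his perl snippet, which is not shown here) and rendering the result as the body of a geo block in the form Maxim suggests. It uses only the standard ipaddress module; the sample blocklist, the variable name $blocked and the file name blocked.conf are constructed for the example.

```python
"""Collapse an IP blocklist into minimal CIDRs and emit nginx geo entries.

Added example; the input below is constructed, not real abuse data.
"""
import ipaddress
import sys

# Constructed sample: mixed IPv4/IPv6, with a duplicate and two pairs of
# adjacent prefixes that merge into one larger block.
SAMPLE_BLOCKLIST = """\
# one address or CIDR per line; '#' starts a comment
192.0.2.0/25
192.0.2.128/25
198.51.100.17
198.51.100.17
2001:db8::/33
2001:db8:8000::/33
203.0.113.0/24
"""


def parse_networks(text):
    """Parse one IP or CIDR per line into ip_network objects.

    A bare address becomes a /32 or /128.  Host bits set inside a prefix
    are tolerated (strict=False) because hand-maintained lists often have
    them; anything unparsable aborts with the offending line number so a
    bad entry never silently disappears from the blocklist.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def collapse(nets):
    """Merge duplicates, contained prefixes and adjacent prefixes.

    collapse_addresses() only accepts networks of one family, so the two
    families are collapsed separately and concatenated (IPv4 first).
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


def render_geo_entries(nets, value=1):
    """Lines of the form '<cidr> <value>;', suitable for an include file."""
    return "".join(f"{n.with_prefixlen} {value};\n" for n in nets)


def render_geo(nets, variable="blocked", include_file=None):
    """Complete geo block.  With include_file, the entries are expected in
    that file (nginx's geo directive supports 'include') so the main config
    stays small and the list can be regenerated without editing it."""
    body = (f"    include {include_file};\n" if include_file
            else "".join("    " + l + "\n"
                         for l in render_geo_entries(nets).splitlines()))
    return f"geo ${variable} {{\n    default 0;\n{body}}}\n"


if __name__ == "__main__":
    # Usage: python geo_blocklist.py [blocklist.txt] > blocked.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCKLIST
    merged = collapse(parse_networks(src))
    sys.stdout.write(render_geo_entries(merged))
```

Run with a list of tens of thousands of entries, redirect the output to blocked.conf, and reference it as `geo $blocked { default 0; include blocked.conf; }` next to the `if ($blocked) { return 403; }` from the message above; regenerating the list then only needs a reload, and the lookup cost no longer grows with the number of entries the way a long allow/deny chain does.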
