Blocking tens of thousands of IP's

Maxim Dounin mdounin at
Wed Nov 2 12:57:31 UTC 2016


On Tue, Nov 01, 2016 at 05:37:59PM -0400, CJ Ess wrote:

> I don't think managing large lists of IPs is nginx's strength - as far as I
> can tell all of its ACLs are arrays that have the be iterated through on
> each request.
> When I do have to manage IP lists in Nginx I try to compress the lists into
> the most compact CIDR representation so there is less to search. Here is a
> perl snippet I use to do that (handles ipv4 and ipv6):

Yes, the "allow" / "deny" directives do sequential scan of address 
blocks specified, and this may not be very efficient when working 
with large sets of IPs.

For large lists of IPs it's usually better idea to use the geo 
module, combined with if/return:

   geo $blocked {
       defaul       0; 1;

   if ($blocked) {
       return 403;

Documentation is here:

Maxim Dounin

More information about the nginx mailing list