Forum: NGINX geo-ip + nginx

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Payam C. (Guest)
on 2009-05-28 19:30
(Received via mailing list)
Hey guys,

Anyone know the upper limit on the number of ACL lines for geo-ip with
nginx? I have a list of 7000 lines and I feel that I might be hitting
a performance wall at 20-30 Mbps of requests (6-9k req/sec).
Boxes I'm using are Xeon 2.4 GHz+ dual core/dual proc + 4 GB RAM.

Thanks
Igor S. (Guest)
on 2009-05-28 19:48
(Received via mailing list)
On Thu, May 28, 2009 at 08:21:16AM -0700, Payam C. wrote:

> Hey guys,
>
> Anyone know the upper limit on the number of ACL lines for geo-ip with
> nginx? I have a list of 7000 lines and I feel that I might be hitting
> a performance wall at 20-30 Mbps of requests (6-9k req/sec).
> Boxes I'm using are Xeon 2.4 GHz+ dual core/dual proc + 4 GB RAM.

If you use geo variables, then there is no limit.
I use about 200,000 addresses.
Payam C. (Guest)
on 2009-05-28 19:55
(Received via mailing list)
2009/5/28 Igor S. <removed_email_address@domain.invalid>:
> I use about 200,000 addresses.

I see, so I assume you load the entire 200k list once, then refer back
to it for one or more configs? The way I am doing it is I have 1
global list that applies to all configs, then I also have a 2nd list
that applies to individual configs.

1st list drops all known bad hosts (default = ddos)
2nd list allows connections only from particular sources that match
the list (default = 0)

Ever have any issues loading multiple lists in geo with different
variables?

ex:
    location / {
        # global list: $ddos_ru is "ddos" for known bad hosts
        if ($ddos_ru = ddos) {
            return 403;
            break;
        }

        # per-config list: $geo2 stays 0 unless the client matched an entry
        if ($geo2 = 0) {
            return 403;
            break;
        }

        proxy_pass              http://LB_HTTP_x.x.x.x;
        proxy_intercept_errors  on;
        proxy_cache             one;
        proxy_cache_key         x.x.x.x$request_uri;
        proxy_cache_valid       200 1h;
        proxy_cache_valid       404 5m;
        proxy_cache_use_stale   error timeout invalid_header;
    }
Igor S. (Guest)
on 2009-05-28 20:03
(Received via mailing list)
On Thu, May 28, 2009 at 08:46:13AM -0700, Payam C. wrote:

> > If you use geo variables, then there is no limit.
> to it for one/or/more configs? the way i am doing it is I have 1
> global list that applies to all configs then I also have a 2nd list
> that applies to individual configs.

We use single geo variables for geo targeting, but not for blocking.

> 1st list drops all known bad hosts (default = ddos)
> 2nd list allows connections only from particular sources that match
> the list (default = 0)
>
> ever have any issues loading multiple lists in geo with different variables?

No issues.

>                 }
These "break"s are useless.

Also I prefer this way:

# default 1 = blocked; every listed network gets 0 = allowed
geo $ddos_ru {
    default  1;
    ...      0;
    ...      0;
    ...      0;
}

geo $geo2 {
    default  1;
    ...      0;
    ...      0;
    ...      0;
}

    # a non-empty, non-"0" value is true, so no comparison is needed
    if ($ddos_ru) {
        return 403;
    }

    if ($geo2) {
        return 403;
    }
Payam C. (Guest)
on 2009-05-29 22:24
(Received via mailing list)

Hey Igor,

I can see why... looks good, however I am trying to move towards a
master list (geo2) that has multiple different variables, as it is an
IP-->country mapping database, so the suggestion won't work... I don't
believe. I am trying to allow a setup where I can say "only allow
connections from CA and EU" type of thing. Here is what I got:

    # nginx syntax for setting a variable is "set"; the post had "action=deny;"
    set $action "deny";

    geo $geo2 {
        default  1;
        ...      CA;
        ...      US;
        ...      EU;
    }

    # "=" is an exact string comparison, so this only matches the literal
    # value "CA|EU", not a client mapped to CA or to EU
    if ($geo2 = 'CA|EU') {
        set $action "permit";
    }

    if ($action ~* "permit") {
        proxy_pass              http://LB_HTTP_x.x.x.x;
        break;
    }

    if ($action !~ "permit") {
        return 403;
    }
Igor S. (Guest)
on 2009-05-29 23:02
(Received via mailing list)
On Fri, May 29, 2009 at 11:16:29AM -0700, Payam C. wrote:

>   if ($action ~* "permit") {
>          proxy_pass              http://LB_HTTP_x.x.x.x;
>          break;
>    }
>
>   if ($action !~ "permit") {
>         return 403;
>    }

No, do not use proxy_pass inside "if" if it's possible to configure
proxy_pass in a different way. "return" is the only directive that
works inside "if" as anyone would expect. Others have hidden agendas.

So

    # regex match: "!~*" is a case-insensitive negated match against CA or EU
    if ($geo2 !~* "CA|EU") {
        return 403;
    }

    # proxy_pass stays outside any "if"
    proxy_pass  http://LB_HTTP_x.x.x.x;

However, I prefer to create an exact geo map with just two values - 0 and 1.