Geo-ip + nginx


#1

hey guys,

anyone know the upper limits of number of acl lines for geo-ip /w
nginx? I have a list of 7000 lines and i feel that i might be hitting
a performance wall at 20-30mbps of request (6-9k req/sec)
boxes im using are xeon 2.4ghz+ dual cor/dual proc + 4gig ram

Thanks


#2

On Thu, May 28, 2009 at 08:21:16AM -0700, Payam C. wrote:

hey guys,

anyone know the upper limits of number of acl lines for geo-ip /w
nginx? I have a list of 7000 lines and i feel that i might be hitting
a performance wall at 20-30mbps of request (6-9k req/sec)
boxes im using are xeon 2.4ghz+ dual cor/dual proc + 4gig ram

If you use geo variables, then there is no limit.
I use about 200,000 addreses.


#3

2009/5/28 Igor S. removed_email_address@domain.invalid:

I use about 200,000 addreses.


Igor S.
http://sysoev.ru/en/

I see, so I assume you load the entire 200k list once, then refer back
to it for one/or/more configs? the way i am doing it is I have 1
global list that applies to all configs then I also have a 2nd list
that applies to individual configs0

1st list drops all known back hosts (default = ddos)
2nd list allows connections only from particular sources that match
the list (default = 0)

ever have any issues loading multiple lists in geo with different
variables?

ex:
location / {
if ( $ddos_ru = ddos ){
return 403;
break;
}

           if ( $geo2 = 0 ) {
                    return 403;
                    break;
            }


     proxy_pass              http://LB_HTTP_x.x.x.x;

proxy_intercept_errors on;
proxy_cache one;
proxy_cache_key x.x.x.x$request_uri;
proxy_cache_valid 200 1h;
proxy_cache_valid 404 5m;
proxy_cache_use_stale error timeout invalid_header;
}


#4

On Thu, May 28, 2009 at 08:46:13AM -0700, Payam C. wrote:

If you use geo variables, then there is no limit.
to it for one/or/more configs? the way i am doing it is I have 1
global list that applies to all configs then I also have a 2nd list
that applies to individual configs0

We use single geo variables for geo targeting, but not for blocking.

1st list drops all known back hosts (default = ddos)
2nd list allows connections only from particular sources that match
the list (default = 0)

ever have any issues loading multiple lists in geo with different variables?

No issues.

            }

These "break"s are useless.

Also I prefer these way:

geo $ddos_ru {
default 1;
… 0;
… 0;
… 0;
}

geo $geo2 {
default 1;
… 0;
… 0;
… 0;
}

   if ($ddos_ru) {
       return 403;
   }

   if ($geo2) {
       return 403;
   }

#5

2009/5/28 Igor S. removed_email_address@domain.invalid:

boxes im using are xeon 2.4ghz+ dual cor/dual proc + 4gig ram

default 1;
}

     proxy_pass              http://LB_HTTP_x.x.x.x;

Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Igor S.
http://sysoev.ru/en/

Hey Igor,

I can see why… loos good however, i am trying to move towards a
master list (geo2) that has multiple different variables as it is a
ip–>country mapping database so the suggestion wont work… i dont
believe. I am trying to allow a setup where i can say “only allow
connections from CA and EU” type of thing. Here is what i got:

action=deny;

geo $geo2 {
default 1;
… CA;
… US;
… EU;

   }

   if ($geo2 = 'CA|EU') {
       set $action "permit";
  }

if ($action ~* “permit”) {
proxy_pass http://LB_HTTP_x.x.x.x;
break;
}

if ($action !~ “permit”) {
return 403;
}


#6

On Fri, May 29, 2009 at 11:16:29AM -0700, Payam C. wrote:

a performance wall at 20-30mbps of request (6-9k req/sec)

the list (default = 0)
š š š š š š š š }
geo $ddos_ru {
š š… š š š0;

...      CA;

if ($action ~* “permit”) {
proxy_pass http://LB_HTTP_x.x.x.x;
break;
}

if ($action !~ “permit”) {
return 403;
}

No, do not use proxy_pass inside “if” if it’s possible to configure
proxy_pass in different way. The “return” is only directive that
works inside “if” as anyone may expect. Other have hidden agendas.

So

if ($geo2 !~* "CA|EU") {
     return 403;
}

proxy_pass  http://LB_HTTP_x.x.x.x;

However, I prefer to create exact geo map with just two values - 0 and
1.