Using 2000+ ip prefixes in nginx geo module!

We’ve added 2000+ IP prefixes in a file “geo.conf” included in an nginx vhost
by using ngx_http_geo_module and received the following warnings:

2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.251.176.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:50
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.141.224.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1312
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.142.160.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1355
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.5.136.0/21", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1528

Due to this, nginx is showing a 504 gateway error for all IPs included in the
geo.conf file.

On 19 June 2014 19:59, shahzaib shahzaib [email protected] wrote:

We’ve added 2000+ IP prefixes in a file “geo.conf” included in an nginx vhost
by using ngx_http_geo_module and received the following warnings:

2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40

What makes you think that this error message is incorrect?
If it’s correct and you have a duplicate entry, resolving the problem
should be pretty simple …

For testing purposes, I have added only a few prefixes:

geo {
default 0;
include geo.conf;
}

geo.conf

39.49.59.0/24 PK;
110.93.192.0/24 TW;
110.93.192.0/18 TW;
117.20.16.0/20 TW;
119.63.128.0/20 TW;
202.163.104.6/32 ARY;
203.124.63.0/24 CM;
221.132.112.0/21 TW;

Now, whenever some IP from the list sends a request, nginx replies with a
gateway timeout:

curl -I http://files.com/files/videos/2014/06/10/14023918368e3411-240.mp4
HTTP/1.1 504 Gateway Time-out
Server: nginx
Date: Thu, 19 Jun 2014 19:59:50 GMT
Content-Type: text/html
Content-Length: 176
Connection: keep-alive

In order to resolve this error, I have to manually remove a network from
the file, which is 110.93.192.0/18 TW;

What is so suspicious about this prefix 110.93.192.0/18 TW? Why is it
causing every other request to crash?

On Fri, Jun 20, 2014 at 12:07 AM, Jonathan M.
[email protected]

These 2 overlap

110.93.192.0/24 TW;
110.93.192.0/18 TW;

The /24 is within the /18. In this instance you want to remove the /24.

It might be worth investigating if you’ve got any others that overlap. I
think you can probably override with a different country code but using
the same makes no sense.

Steve.

The issue will only resolve once I remove 110.93.192.0/18 US; from geo.conf.

On Fri, Jun 20, 2014 at 9:55 AM, shahzaib shahzaib
[email protected]

I removed the /24 as per your suggestion and also used a different code for
the override, but the issue persists. Modified geo.conf:

39.49.59.0/24 PK;
110.93.192.0/18 US;
117.20.16.0/20 TW;
119.63.128.0/20 TW;
202.163.104.6/32 ARY;
203.124.63.0/24 CM;
221.132.112.0/21 TW;

110.93.192.0/24 TW; is not added now.

On Fri, Jun 20, 2014 at 1:12 AM, Steve W.
[email protected]

Looks like I have got the issue. Any request that comes from an IP located in
geo.conf will be forwarded to a domain whose IP resolves to 110.93.X.X.
Now, when a request comes from the IP 110.93.X.X, nginx is somehow unable to
proxy_pass this prefix (110.93.X.X) to the IP 110.93.X.X and shows the
bad gateway error.

On Fri, Jun 20, 2014 at 9:57 AM, shahzaib shahzaib
[email protected]

Hello!

On Thu, Jun 19, 2014 at 09:12:04PM +0100, Steve W. wrote:

These 2 overlap

110.93.192.0/24 TW;
110.93.192.0/18 TW;

The /24 is within the /18. In this instance you want to remove the /24.

It might be worth investigating if you’ve got any others that overlap. I
think you can probably override with a different country code but using
the same makes no sense.

For nginx, overlapping of CIDR blocks doesn’t matter - it’s a
correct and expected use case. It may appear, e.g., if a more
specific block has some additional properties in the original
data, or if some intermediate block was present at some point, but
later was removed.

Warning messages will only appear if exactly the same block is
already present. That is, the following will produce a warning:

127.0.0.0/8   ZZ;
127.0.0.0/8   ZZ;

But this will be fine:

127.0.0.0/8   ZZ;
127.0.0.0/24  ZZ;

Note well that the warning messages are just warning messages.
Configuration is handled fine, duplicate blocks will be simply
ignored. The problem of the original question author is likely
completely unrelated.


Maxim D.
http://nginx.org/
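
The distinction drawn in the last reply (exact duplicates produce the warning, nested blocks are a normal use case) can be checked offline before reloading nginx. The following is an added example, not code from the thread or from nginx; the function names and the sample data are hypothetical, and it assumes the include file holds only "network value;" lines and that lookups follow the geo module's documented most-specific-match rule.

```python
import ipaddress

# Constructed sample built from prefixes quoted in the thread, plus one
# exact duplicate (line 5) of the kind that triggers the nginx warning.
SAMPLE_GEO_CONF = """\
39.49.59.0/24 PK;
110.93.192.0/24 TW;
110.93.192.0/18 US;
117.20.16.0/20 TW;
110.93.192.0/18 US;
202.163.104.6/32 ARY;
"""

def parse_geo(text):
    """Yield (line_no, network, value) for each 'network value;' line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(fields) != 2:
            continue  # blank line or a directive this sketch does not model
        try:
            yield line_no, ipaddress.ip_network(fields[0], strict=False), fields[1]
        except ValueError:
            continue  # e.g. 'default 0' or 'include ...': not a CIDR entry

def audit(text):
    """Return (exact duplicates, nested pairs); only duplicates make nginx warn."""
    seen, duplicates, nested = {}, [], []
    for line_no, net, _ in parse_geo(text):
        if net in seen:
            duplicates.append((line_no, seen[net], str(net)))
            continue
        for other in seen:
            if net.version == other.version and net.overlaps(other):
                inner, outer = sorted((net, other), key=lambda n: -n.prefixlen)
                nested.append((str(inner), str(outer)))
        seen[net] = line_no
    return duplicates, nested

def lookup(text, addr, default="0"):
    """Resolve addr by most specific (longest-prefix) match."""
    ip, best = ipaddress.ip_address(addr), None
    for _, net, value in parse_geo(text):
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return best[1] if best else default
```

On the sample, `audit` reports line 5 as a duplicate of line 3 and lists the /24 as nested inside the /18, while `lookup` shows an address in the /24 resolving to TW and the rest of the /18 to US.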