Geo-ip + nginx

hey guys,

anyone know the upper limits of number of acl lines for geo-ip w/
nginx? I have a list of 7000 lines and I feel that I might be hitting
a performance wall at 20-30mbps of requests (6-9k req/sec)
boxes I'm using are Xeon 2.4GHz+ dual core/dual proc + 4GB RAM

Thanks

On Thu, May 28, 2009 at 08:21:16AM -0700, Payam C. wrote:

> hey guys,
>
> anyone know the upper limits of number of acl lines for geo-ip w/
> nginx? I have a list of 7000 lines and I feel that I might be hitting
> a performance wall at 20-30mbps of requests (6-9k req/sec)
> boxes I'm using are Xeon 2.4GHz+ dual core/dual proc + 4GB RAM

If you use geo variables, then there is no limit.
I use about 200,000 addresses.

2009/5/28 Igor S. [email protected]:

> I use about 200,000 addresses.
>
> Igor Sysoev

I see, so I assume you load the entire 200k list once, then refer back
to it for one or more configs? The way I am doing it is I have 1
global list that applies to all configs, then I also have a 2nd list
that applies to individual configs.

1st list drops all known bad hosts (default = ddos)
2nd list allows connections only from particular sources that match
the list (default = 0)

ever have any issues loading multiple lists in geo with different
variables?

ex:
location / {
    if ($ddos_ru = ddos) {
        return 403;
        break;
    }

    if ($geo2 = 0) {
        return 403;
        break;
    }

    proxy_pass http://LB_HTTP_x.x.x.x;

    proxy_intercept_errors on;
    proxy_cache one;
    proxy_cache_key x.x.x.x$request_uri;
    proxy_cache_valid 200 1h;
    proxy_cache_valid 404 5m;
    proxy_cache_use_stale error timeout invalid_header;
}

On Thu, May 28, 2009 at 08:46:13AM -0700, Payam C. wrote:

> I see, so I assume you load the entire 200k list once, then refer back
> to it for one or more configs? The way I am doing it is I have 1
> global list that applies to all configs, then I also have a 2nd list
> that applies to individual configs.

We use single geo variables for geo targeting, but not for blocking.

> 1st list drops all known bad hosts (default = ddos)
> 2nd list allows connections only from particular sources that match
> the list (default = 0)
>
> ever have any issues loading multiple lists in geo with different variables?

No issues.

>     if ($geo2 = 0) {
>         return 403;
>         break;
>     }

These "break"s are useless.

Also I prefer this way:

geo $ddos_ru {
    default 1;
    ... 0;
    ... 0;
    ... 0;
}

geo $geo2 {
    default 1;
    ... 0;
    ... 0;
    ... 0;
}

if ($ddos_ru) {
    return 403;
}

if ($geo2) {
    return 403;
}

2009/5/28 Igor S. [email protected]:

> Payam Tarverdyan Chychi
> Network Security Specialist / Network Engineer
>
> Igor Sysoev

Hey Igor,

I can see why... looks good, however, I am trying to move towards a
master list (geo2) that has multiple different variables as it is an
ip->country mapping database, so the suggestion won't work... I don't
believe. I am trying to allow a setup where I can say "only allow
connections from CA and EU" type of thing. Here is what I got:

set $action deny;

geo $geo2 {
    default 1;
    ... CA;
    ... US;
    ... EU;
}

# "CA|EU" is a pattern, so it needs a regex match (~), not a string compare (=)
if ($geo2 ~ "CA|EU") {
    set $action "permit";
}

if ($action ~* "permit") {
    proxy_pass http://LB_HTTP_x.x.x.x;
    break;
}

if ($action !~ "permit") {
    return 403;
}

On Fri, May 29, 2009 at 11:16:29AM -0700, Payam C. wrote:

> if ($action ~* "permit") {
>     proxy_pass http://LB_HTTP_x.x.x.x;
>     break;
> }
>
> if ($action !~ "permit") {
>     return 403;
> }

No, do not use proxy_pass inside "if" if it's possible to configure
proxy_pass in a different way. The "return" is the only directive that
works inside "if" as anyone may expect. Others have hidden agendas.

So

if ($geo2 !~* "CA|EU") {
    return 403;
}

proxy_pass http://LB_HTTP_x.x.x.x;

However, I prefer to create an exact geo map with just two values - 0 and
1.
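The two-valued map Igor recommends, built from the ip->country master list Payam describes ("only allow connections from CA and EU"), as an added example in Python; it is not code from the thread or from nginx. The "cidr country;" input shape, the variable name $blocked, the sample networks and the helper names are all assumptions. Non-allowed entries are emitted as 1 rather than dropped, because nginx geo resolves CIDR entries by the most specific matching prefix, so a denied block nested inside an allowed one would otherwise fall through to the parent's 0; lookup() mimics that resolution so the generated map can be checked against sample addresses before it is loaded.

```python
"""Build an nginx geo allow-list in the two-valued (0/1) form Igor suggests.

Added example, not from the thread or from nginx. Input is assumed to be a
master ip->country list in the "cidr country;" shape Payam shows; output is a
geo block whose default is 1 (blocked) and whose allowed-country prefixes are 0.
"""
import ipaddress

# Constructed sample master list (documentation ranges, not real allocations).
MASTER_LIST = """\
# cidr            country
10.0.0.0/8        US;
192.0.2.0/24      CA;
192.0.2.128/25    RU;   # denied country nested inside an allowed CA block
198.51.100.0/24   EU;
203.0.113.0/24    RU;
203.0.113.128/25  CA;   # allowed country nested inside a denied RU block
"""


def parse_master_list(text):
    """Return [(network, country)] from 'cidr country;' lines.

    Comments (#) and blank lines are skipped. strict=True rejects entries with
    host bits set, so a mis-aligned entry cannot cover more than intended.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, country = line.rstrip(";").split()
        entries.append((ipaddress.ip_network(cidr, strict=True), country.upper()))
    return entries


def build_geo_map(entries, allowed, variable="blocked"):
    """Render the geo block: default 1, allowed prefixes 0, everything else 1.

    Denied entries are emitted explicitly instead of dropped: nginx resolves
    CIDR entries by the most specific matching prefix, so a denied /25 inside
    an allowed /24 must carry its own 1 or it inherits the parent's 0.
    """
    allowed = {c.upper() for c in allowed}
    lines = [f"geo ${variable} {{", "    default 1;"]
    for net, country in entries:
        lines.append(f"    {net} {0 if country in allowed else 1};")
    lines.append("}")
    return "\n".join(lines) + "\n"


def lookup(entries, ip):
    """Mimic nginx geo CIDR resolution: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def is_blocked(entries, allowed, ip):
    """True when the generated map would yield 1 for this client address."""
    country = lookup(entries, ip)
    return country is None or country not in {c.upper() for c in allowed}


if __name__ == "__main__":
    entries = parse_master_list(MASTER_LIST)
    print(build_geo_map(entries, ["CA", "EU"]))
    for ip in ("192.0.2.10", "192.0.2.200", "203.0.113.5", "203.0.113.200", "8.8.8.8"):
        print(ip, "blocked" if is_blocked(entries, ["CA", "EU"], ip) else "allowed")
```

Include the generated block at http level and, in the location, use `if ($blocked) { return 403; }` with proxy_pass outside the "if", as in Igor's reply; the map then needs no string or regex comparison per request.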