Forum: NGINX using 2000+ ip prefixes in nginx geo module!

shahzaib mushtaq (shahzaib12)
on 2014-06-19 20:59
(Received via mailing list)
We've added 2000+ IP prefixes in a file "geo.conf" included in the nginx
vhost by using ngx_http_geo_module and received the following warning:

2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.251.176.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:50
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.141.224.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1312
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.142.160.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1355
2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.5.136.0/21", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1528

Due to it, nginx is showing a 504 gateway error for all IPs included in
the geo.conf file.
Jonathan Matthews (Guest)
on 2014-06-19 21:08
(Received via mailing list)
On 19 June 2014 19:59, shahzaib shahzaib <shahzaib.cb@gmail.com> wrote:
> We've added 2000+ ip prefixes in a file "geo.conf" included in nginx vhost
> by using ngx-http_geo_module and received the following warning :-
>
> 2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22",
> value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40

What makes you think that this error message is incorrect?
If it's correct and you have a duplicate entry, resolving the problem
should be pretty simple ...
shahzaib mushtaq (shahzaib12)
on 2014-06-19 22:07
(Received via mailing list)
For testing purposes, I have added only a few prefixes:

geo {
    default 0;
    include geo.conf;
}

geo.conf

39.49.59.0/24 PK;
110.93.192.0/24 TW;
110.93.192.0/18 TW;
117.20.16.0/20 TW;
119.63.128.0/20 TW;
202.163.104.6/32 ARY;
203.124.63.0/24 CM;
221.132.112.0/21 TW;


Now, whenever some IP from the list sends a request, nginx replies with
a gateway timeout:

curl -I http://files.com/files/videos/2014/06/10/140239183...
HTTP/1.1 504 Gateway Time-out
Server: nginx
Date: Thu, 19 Jun 2014 19:59:50 GMT
Content-Type: text/html
Content-Length: 176
Connection: keep-alive

In order to resolve this error, I have to manually remove a network from
the file, which is 110.93.192.0/18 TW;

What is so suspicious about this prefix 110.93.192.0/18 TW? Why is it
causing every other request to crash?



Steve Wilson (Guest)
on 2014-06-19 22:12
(Received via mailing list)
These 2 overlap

110.93.192.0/24 TW;
110.93.192.0/18 TW;

The /24 is within the /18. In this instance you want to remove the /24.

It might be worth investigating if you've got any others that overlap. I
think you can probably override with a different country code but using
the same makes no sense.

Steve.
shahzaib mushtaq (shahzaib12)
on 2014-06-20 06:56
(Received via mailing list)
I removed the /24 as per your suggestion and also used a different code
for the override, but the issue persists. Modified geo.conf:

39.49.59.0/24 PK;
110.93.192.0/18 US;
117.20.16.0/20 TW;
119.63.128.0/20 TW;
202.163.104.6/32 ARY;
203.124.63.0/24 CM;
221.132.112.0/21 TW;

110.93.192.0/24 TW; is not added now.


shahzaib mushtaq (shahzaib12)
on 2014-06-20 06:57
(Received via mailing list)
The issue will only resolve once I remove 110.93.192.0/18 US; from geo.conf.


shahzaib mushtaq (shahzaib12)
on 2014-06-20 07:05
(Received via mailing list)
Looks like I have got the issue. Any request that comes from an IP located
in geo.conf will be forwarded to a domain whose IP resolves to 110.93.X.X.
Now when a request comes from the IP 110.93.X.X, nginx is somehow unable
to proxy_pass this prefix (110.93.X.X) to the IP 110.93.X.X and shows the
bad gateway error.


Maxim Dounin (Guest)
on 2014-06-20 16:12
(Received via mailing list)
Hello!

On Thu, Jun 19, 2014 at 09:12:04PM +0100, Steve Wilson wrote:

> These 2 overlap
>
> 110.93.192.0/24 TW;
> 110.93.192.0/18 TW;
>
> The /24 is within the /18. In this instance you want to remove the /24.
>
> It might be worth investigating if you've got any others that overlap. I
> think you can probably override with a different country code but using
> the same makes no sense.

For nginx, overlapping of CIDR blocks doesn't matter - it's a
correct and expected use case. It may appear, e.g., if a more
specific block has some additional properties in the original
data, or if some intermediate block was present at some point, but
later was removed.

Warning messages will only appear if exactly the same block is
already present.  That is, the following will produce a warning:

    127.0.0.0/8   ZZ;
    127.0.0.0/8   ZZ;

But this will be fine:

    127.0.0.0/8   ZZ;
    127.0.0.0/24  ZZ;

Note well that the warning messages are just warning messages.
Configuration is handled fine, duplicate blocks will be simply
ignored.  The problem of the original question author is likely
completely unrelated.

--
Maxim Dounin
http://nginx.org/
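
The distinction drawn in the reply above, as an added example that is not part of the original thread or of nginx: a Python check that separates exact duplicate networks (the case that triggers the warning) from nested blocks (valid), and reports which entry an address matches by most-specific prefix. The sample file contents, the function names and the restriction to plain `CIDR value;` lines are assumptions of this example.

```python
import ipaddress

# Constructed sample in geo.conf syntax, built from prefixes quoted in the thread.
SAMPLE = """\
39.49.59.0/24 PK;
110.93.192.0/24 TW;
110.93.192.0/18 US;
117.20.16.0/20 TW;
117.20.16.0/20 TW;
202.163.104.6/32 ARY;
"""

def parse(text):
    """Return [(lineno, network, value)] for plain 'CIDR value;' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        cidr, value = line.split()
        entries.append((lineno, ipaddress.ip_network(cidr, strict=False), value))
    return entries

def audit(entries):
    """Exact duplicates (nginx warns) versus nested blocks (valid config)."""
    seen, duplicates, nested = {}, [], []
    for lineno, net, _ in entries:
        if net in seen:
            duplicates.append((str(net), seen[net], lineno))
        else:
            seen[net] = lineno
    nets = sorted(seen, key=lambda n: n.prefixlen)
    for i, outer in enumerate(nets):
        for inner in nets[i + 1:]:
            if (inner.version == outer.version
                    and inner.prefixlen > outer.prefixlen
                    and inner.subnet_of(outer)):
                nested.append((str(inner), str(outer)))
    return duplicates, nested

def lookup(entries, addr, default="0"):
    """Value of the most specific network containing addr, else the default.
    For exact duplicates this keeps the last entry seen (an assumption of
    this sketch; remove duplicates rather than rely on it)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for _, net, value in entries:
        if ip in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, value)
    return best[1] if best else default
```

Running `lookup` against the address a proxy target resolves to shows whether that address itself falls inside one of the listed prefixes.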