Forum: NGINX using 2000+ ip prefixes in nginx geo module!

shahzaib mushtaq (shahzaib12)
on 2014-06-19 20:59
(Received via mailing list)
We've added 2000+ IP prefixes in a file "geo.conf" included in the nginx vhost
by using ngx_http_geo_module and received the following warning:

    2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40
    2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.251.176.0/22", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:50
    2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.141.224.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1312
    2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.142.160.0/19", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1355
    2014/06/19 23:52:46 [warn] 1633#0: duplicate network "202.5.136.0/21", value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:1528

Due to this, nginx is showing a 504 gateway error for all IPs included in the
geo.conf file.
Jonathan Matthews (Guest)
on 2014-06-19 21:08
(Received via mailing list)
On 19 June 2014 19:59, shahzaib shahzaib <shahzaib.cb@gmail.com> wrote:
> We've added 2000+ IP prefixes in a file "geo.conf" included in the nginx vhost
> by using ngx_http_geo_module and received the following warning:
>
> 2014/06/19 23:52:46 [warn] 1633#0: duplicate network "103.24.96.0/22",
> value: "tw", old value: "tw" in /usr/local/nginx/conf/geo.conf:40

What makes you think that this error message is incorrect?
If it's correct and you have a duplicate entry, resolving the problem
should be pretty simple ...
shahzaib mushtaq (shahzaib12)
on 2014-06-19 22:07
(Received via mailing list)
For testing purposes, I have added only a few prefixes:

    geo {
        default 0;
        include geo.conf;
    }

geo.conf:

    39.49.59.0/24 PK;
    110.93.192.0/24 TW;
    110.93.192.0/18 TW;
    117.20.16.0/20 TW;
    119.63.128.0/20 TW;
    202.163.104.6/32 ARY;
    203.124.63.0/24 CM;
    221.132.112.0/21 TW;


Now, whenever some IP from the list sends a request, nginx replies with a
gateway timeout:

    curl -I http://files.com/files/videos/2014/06/10/140239183...
    HTTP/1.1 504 Gateway Time-out
    Server: nginx
    Date: Thu, 19 Jun 2014 19:59:50 GMT
    Content-Type: text/html
    Content-Length: 176
    Connection: keep-alive

In order to resolve this error, I have to manually remove a network from
the file, which is 110.93.192.0/18 TW;

What is so suspicious about this prefix 110.93.192.0/18 TW? Why is it
causing every other request to crash?



Steve Wilson (Guest)
on 2014-06-19 22:12
(Received via mailing list)
These 2 overlap

    110.93.192.0/24 TW;
    110.93.192.0/18 TW;

The /24 is within the /18. In this instance you want to remove the /24.

It might be worth investigating if you've got any others that overlap. I
think you can probably override with a different country code but using
the same makes no sense.

Steve.
shahzaib mushtaq (shahzaib12)
on 2014-06-20 06:56
(Received via mailing list)
I removed the /24 as per your suggestion and also used a different code for
the override, but the issue persists. Modified geo.conf:

    39.49.59.0/24 PK;
    110.93.192.0/18 US;
    117.20.16.0/20 TW;
    119.63.128.0/20 TW;
    202.163.104.6/32 ARY;
    203.124.63.0/24 CM;
    221.132.112.0/21 TW;

110.93.192.0/24 TW; is not added now.


shahzaib mushtaq (shahzaib12)
on 2014-06-20 06:57
(Received via mailing list)
The issue will only resolve once I remove 110.93.192.0/18 US; from geo.conf.


shahzaib mushtaq (shahzaib12)
on 2014-06-20 07:05
(Received via mailing list)
Looks like I have got the issue. Any request that comes from an IP located in
geo.conf will be forwarded to a domain whose IP resolves to 110.93.X.X.
Now when a request comes from the IP 110.93.X.X, nginx is somehow unable to
proxy_pass this prefix (110.93.X.X) to the IP 110.93.X.X and shows the
bad gateway error.


Maxim Dounin (Guest)
on 2014-06-20 16:12
(Received via mailing list)
Hello!

On Thu, Jun 19, 2014 at 09:12:04PM +0100, Steve Wilson wrote:

> These 2 overlap
>
> 110.93.192.0/24 TW;
> 110.93.192.0/18 TW;
>
> The /24 is within the /18. In this instance you want to remove the /24.
>
> It might be worth investigating if you've got any others that overlap. I
> think you can probably override with a different country code but using
> the same makes no sense.

For nginx, overlapping of CIDR blocks doesn't matter - it's
correct and expected use case.  It may appear, e.g., if a more
specific block has some additional properties in the original
data, or if some intermediate block was present at some point, but
later was removed.

Warning messages will only appear if exactly the same block is
already present.  That is, the following will produce a warning:

    127.0.0.0/8   ZZ;
    127.0.0.0/8   ZZ;

But this will be fine:

    127.0.0.0/8   ZZ;
    127.0.0.0/24  ZZ;

Note well that the warning messages are just warning messages.
Configuration is handled fine, duplicate blocks will be simply
ignored.  The problem of the original question author is likely
completely unrelated.

--
Maxim Dounin
http://nginx.org/
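
Added example, not part of the thread or of nginx: a Python audit of a geo include file that separates exact duplicate blocks (the case that produces the "duplicate network" warning above) from nested blocks (which nginx accepts), and shows which block wins for a given client address under the most-specific-match rule documented for the geo module. The names `parse`, `audit` and `lookup` and the sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample in the format of the geo.conf posted in the thread,
# with one exact duplicate added to reproduce the warning case.
SAMPLE = """\
39.49.59.0/24 PK;
110.93.192.0/24 TW;
110.93.192.0/18 TW;
117.20.16.0/20 TW;
117.20.16.0/20 TW;
202.163.104.6/32 ARY;
"""

def parse(text):
    """Return [(line_no, network, value)] for every 'CIDR value;' line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")
        try:
            cidr, value = line.split()
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # blank line, comment, or a directive such as "default 0;"
        entries.append((no, net, value))
    return entries

def audit(text):
    """Split findings into exact duplicates and nested (overlapping) blocks."""
    first_seen, duplicates = {}, []
    for no, net, _ in parse(text):
        if net in first_seen:
            duplicates.append((first_seen[net], no))  # (first line, repeat line)
        else:
            first_seen[net] = no
    nested = [(str(a), str(b)) for a in first_seen for b in first_seen
              if a != b and a.version == b.version and a.subnet_of(b)]
    return duplicates, nested

def lookup(text, addr):
    """Most specific match for addr, as (network, value), or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, value) for _, net, value in parse(text)
            if ip.version == net.version and ip in net]
    if not hits:
        return None
    net, value = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), value
```

Running `audit` over the real include file before a reload lists the line pairs behind each warning, and `lookup` confirms which value a given source address maps to when the geo variable drives access or routing decisions.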