Re: geo-ip + nginx

May 28, 2009 11:51AM
On Thu, May 28, 2009 at 08:46:13AM -0700, Payam Chychi wrote:

> 2009/5/28 Igor Sysoev <is@rambler-co.ru>:
> > On Thu, May 28, 2009 at 08:21:16AM -0700, Payam Chychi wrote:
> >
> >> hey guys,
> >>
> >> anyone know the upper limits of number of acl lines for geo-ip /w
> >> nginx? I have a list of 7000 lines and i feel that i might be hitting
> >> a performance wall at 20-30mbps of request (6-9k req/sec)
> >> boxes im using are xeon 2.4ghz+ dual core/dual proc + 4gig ram
> >
> > If you use geo variables, then there is no limit.
> > I use about 200,000 addresses.
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >
>
> I see, so I assume you load the entire 200k list once, then refer back
> to it for one/or/more configs? the way i am doing it is I have 1
> global list that applies to all configs then I also have a 2nd list
> that applies to individual configs

We use single geo variables for geo targeting, but not for blocking.

> 1st list drops all known back hosts (default = ddos)
> 2nd list allows connections only from particular sources that match
> the list (default = 0)
>
> ever have any issues loading multiple lists in geo with different variables?

No issues.

> ex:
> location / {
>     if ( $ddos_ru = ddos ){
>         return 403;
>         break;
>     }
>
>     if ( $geo2 = 0 ) {
>         return 403;
>         break;
>     }

These "break"s are useless.

Also I prefer this way:

geo $ddos_ru {
    default 1;
    ... 0;
    ... 0;
    ... 0;
}

geo $geo2 {
    default 1;
    ... 0;
    ... 0;
    ... 0;
}

if ($ddos_ru) {
    return 403;
}

if ($geo2) {
    return 403;
}

>
>     proxy_pass http://LB_HTTP_x.x.x.x;
>     proxy_intercept_errors on;
>     proxy_cache one;
>     proxy_cache_key x.x.x.x$request_uri;
>     proxy_cache_valid 200 1h;
>     proxy_cache_valid 404 5m;
>     proxy_cache_use_stale error timeout invalid_header;
> }
>
>
> --
> Payam Tarverdyan Chychi
> Network Security Specialist / Network Engineer

--
Igor Sysoev
http://sysoev.ru/en/
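
Added example, not part of the thread and not nginx's own code: a small Python model of two geo variables evaluated per request, showing that a most-specific-prefix lookup visits at most 32 nodes for IPv4 whether the list has 7 or 7000 entries. The `Geo` class, the sample networks, and the convention that a deny list defaults to 0 and an allow list defaults to 1 (so 1 always means "return 403") are assumptions made for the illustration.

```python
import ipaddress

class Geo:
    """Toy model of one geo variable: IPv4 CIDR -> value, most specific match wins."""

    def __init__(self, default, entries):
        self.default = default
        self.root = [None, None, None]  # [child for bit 0, child for bit 1, value]
        for cidr, value in entries:
            net = ipaddress.ip_network(cidr)
            bits, node = int(net.network_address), self.root
            for i in range(net.prefixlen):
                bit = (bits >> (31 - i)) & 1
                if node[bit] is None:
                    node[bit] = [None, None, None]
                node = node[bit]
            node[2] = value

    def lookup(self, addr):
        """Return (value, nodes_visited) for one client address."""
        ip = int(ipaddress.ip_address(addr))
        node, steps = self.root, 0
        best = self.default if node[2] is None else node[2]
        for i in range(32):
            node = node[(ip >> (31 - i)) & 1]
            if node is None:
                break
            steps += 1
            if node[2] is not None:
                best = node[2]  # a longer prefix overrides a shorter one
        return best, steps

# Constructed sample data (documentation and private ranges); 1 means "return 403".
BULK = [(f"10.{n // 256}.{n % 256}.0/24", 1) for n in range(7000)]
DENY = Geo(0, BULK + [("198.51.100.0/24", 1), ("198.51.100.128/25", 0)])
ALLOW = Geo(1, [("192.0.2.0/24", 0), ("198.51.100.0/24", 0)])

def status(addr):
    """Mirror the two `if ($var) { return 403; }` checks, one per list."""
    if DENY.lookup(addr)[0] or ALLOW.lookup(addr)[0]:
        return 403
    return 200

if __name__ == "__main__":
    for a in ("192.0.2.10", "198.51.100.7", "198.51.100.200", "203.0.113.5", "10.3.4.5"):
        print(a, status(a), DENY.lookup(a))
```

The address 198.51.100.200 passes because the /25 carve-out overrides the enclosing /24 on the deny list, while 203.0.113.5 is rejected only by the allow list's default.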