You could very well do a small ipset together with iptables, it's fast,
and you don't have to reload for every subnet / ip you add.
Doing it within nginx is rather.. Yeah.
--
Best Regards,
Lucas Rolff
Cox, Eric S wrote:
> Random, blocks, certain durations, etc. Its very random and or short
> lived which is something we don't want to move to the firewall at the
> moment
>
> -----Original Message-----
> *From:* Jeff Dyke [jeff.dyke@gmail.com]
> *Received:* Tuesday, 01 Nov 2016, 5:46PM
> *To:* nginx@nginx.org [nginx@nginx.org]
> *Subject:* Re: Blocking tens of thousands of IP's
>
> what is your firewall?, that is the place to block subnets etc, i
> assume they are not random ips, they are likely from a block owned by
> someone??
>
> On Tue, Nov 1, 2016 at 5:37 PM, CJ Ess <zxcvbn4038@gmail.com
> <mailto:zxcvbn4038@gmail.com>> wrote:
>
> I don't think managing large lists of IPs is nginx's strength - as
> far as I can tell all of its ACLs are arrays that have the be
> iterated through on each request.
>
> When I do have to manage IP lists in Nginx I try to compress the
> lists into the most compact CIDR representation so there is less
> to search. Here is a perl snippet I use to do that (handles ipv4
> and ipv6):
>
> #!/usr/bin/perl
>
> use NetAddr::IP;
>
> my @addresses;
>
> foreach my $subnet (split(/\s+/, $list_of_ips)) {
> push(@addresses, NetAddr::IP->new($subnet));
> }
>
> foreach my $cidr (NetAddr::IP::compact(@addresses)) {
> if ($cidr->version == 4) {
> print $cidr . "\n";
> } else {
> print $cidr->short() . "/" . $cidr->masklen() . "\n";
> }
>
>
> On Tue, Nov 1, 2016 at 11:15 AM, Cox, Eric S <eric.cox@kroger.com
> <mailto:eric.cox@kroger.com>> wrote:
>
> Is anyone aware of a difference performance wise between using
>
> return 403;
>
> vs
>
> deny all;
>
> When mapping against a list of tens of thousands of ip?
>
> Thanks
>
>
> ------------------------------------------------------------------------
>
> This e-mail message, including any attachments, is for the
> sole use of the intended recipient(s) and may contain
> information that is confidential and protected by law from
> unauthorized disclosure. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the
> intended recipient, please contact the sender by reply e-mail
> and destroy all copies of the original message.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org <mailto:nginx@nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx
> https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwMFaQ&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=cjLNEY1x_976qWvGzhCEhvWYUU4DOBVUcO97nnDYX7o&s=GwNGeoaXa46JaCsfrdl3VQZpyNHqSzWwlLq3a0UNV2I&e=
>
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org <mailto:nginx@nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx
> https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwMFaQ&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=cjLNEY1x_976qWvGzhCEhvWYUU4DOBVUcO97nnDYX7o&s=GwNGeoaXa46JaCsfrdl3VQZpyNHqSzWwlLq3a0UNV2I&e=
>
>
>
> ------------------------------------------------------------------------
>
> This e-mail message, including any attachments, is for the sole use of
> the intended recipient(s) and may contain information that is
> confidential and protected by law from unauthorized disclosure. Any
> unauthorized review, use, disclosure or distribution is prohibited. If
> you are not the intended recipient, please contact the sender by reply
> e-mail and destroy all copies of the original message.
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
