Welcome! Log In Create A New Profile

Advanced

Re: [no subject]

Previous Message Next Message
Forum List Message List New Topic Print View
Peter Booth via nginx
April 13, 2019 12:38PM
I don’t think it’s a dumb question at all. It’s a very astute question.

My experience of protecting a high traffic retail website from a foreign state-sponsored DDOS was that doing IP blocking on a hardware load bakancer in front of the nginx tier was the difference between the site bring available and the site being down on an unusually busy day. The economic impact of having both nginx and the load balancer working in concert saved millions of dollars revenue in one busy day. The load balancer (well it was the WAF module in an F5 BigIP) was doing what could have equally been done in a firewall.. With F5’s acquisition of nginx we might see innovative ways of combining the best hardware and software ADC solutions to build rock solid websites.

Anything you can do to protect your backend helps your website stay alive, whether it’s browser caching, CDN, firewall, hardware load balancer, before getting to nginx. Then if nginx has intelligent caching rules you can build a site that sustained enormous bursts of traffic and stays up. Nginx is like a Swiss Army knife of http that can do so many different things - but that doesn’t mean it’s right to expect that it does everything.

Peter

Sent from my iPhone

> On Apr 12, 2019, at 10:57 PM, lists <lists@lazygranch.com> wrote:
>
> Perhaps a dumb question, but if all you are going to do is return a 403, why not just do this filtering in the firewall by blocking the offending IP space. Yeah I know a server should always have some response, but it isn't like you would be the first person to just block entire countries. (I don't do this on 80/443, but I do block most email ports outside the US.)
>
> The only reason I mention this is Nginx blocking is more CPU intensive than the firewall. On a small VPS, you might notice the difference in loadomg.
>
>
> From: softwareinfojam@gmail.com
> Sent: April 12, 2019 7:24 PM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject:
>
> Hi All
> I have implemented GEO IP blocking which is working just fine. I have the settings you see below.
>
> map $geoip_country_code $country_access {
> "US" 0;
> default 1;
> }
>
> server {
> if ($country_access = '1') {
> return 403;
> }
>
> I notice though that in the logs, the internal IP Addresses are not tagged with a country code so internal subnets are getting blocked. Would the correct solution be to enter the subnets manually such as this config below? Or is there a better solution? Oh by the way, I did try this below and it didn’t work. Trying to keep the Geographical blocking but allow some IP ranges. Any ideas on how to do this? Any help would be appreciated.
>
> map $geoip_country_code $country_access {
> "US" 0;
> ‘192.168.1.0/24’ 0;
> default 1;
> }
>
>
> Regards
> SI
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

Re: [no subject]

gariac April 12, 2019 11:00PM

RE: [no subject]

Software Info April 13, 2019 08:54AM

Re: [no subject]

Peter Booth via nginx April 13, 2019 12:38PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 154
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready