On Sat, Aug 29, 2009 at 08:27:55PM +0400, Igor Sysoev wrote:

> On Sat, Aug 29, 2009 at 11:41:16AM -0400, Jim Ohlstein wrote:
>
> > We're dealing with a high degree of fraud from certain countries and
> > would like to simply ban all IP's from those countries.
> >
> > I seem to recall reading here that using the Geo module is more
> > efficient for this purpose than the GeoIP module.
> >
> > Currently I have the following in nginx.conf:
> >
> > geo $country {
> > include geo.conf;
> > }
> >
> > where geo.conf is generated from MaxMind country lite csv database using
> > geo2nginx.pl supplied with nginx.
> >
> > In the site config I have multiple if statements like:
> >
> > server {
> > ...
> >
> > if ($country = XX) {
> > return 403;
> > }
> >
> > if ($country = YY) {
> > return 403;
> > }
> >
> > if ($country = ZZ) {
> > return 403;
> > }
> >
> > ...
> >
> > }
> >
> > Is this more efficient than using GeoIP module? Is there a more
> > efficient way of doing this?

> # set forbidden countries to 1, ignore others:
> perl -ne 'print "$1 1\n" if /^(\S+) (US|RU|CN|...);$/' < countries.conf > networks.conf
>
> # aggregate networks:
> ./compress.pl networks.conf > forbidden.conf
>
> Then use it:
>
> geo $forbidden {
> default 0;
> include forbidden.conf;
> }
>
> server {
> if ($forbidden) {
> return 403;
> }

Or if good entries are less than bad ones, you may invert the logic:

# set good countries to 0, ignore others:
perl -ne 'print "$1 0\n" if /^(\S+) (US|RU|CN|...);$/' < countries.conf > networks.conf

geo $forbidden {
default 1;
include good.conf;
}


--
Igor Sysoev
http://sysoev.ru/en/