You could very well do a small ipset together with iptables; it's fast,
and you don't have to reload for every subnet/IP you add.
Doing it within nginx is rather... yeah.
--
Best Regards,
Lucas Rolff
Cox, Eric S wrote:
Random, blocks, certain durations, etc. It's very random and/or short-lived,
which is something we don't want to move to the firewall at the
moment.
-----Original Message-----
*From:* Jeff Dyke [jeff.d...@gmail.com]
*Received:* Tuesday, 01 Nov 2016, 5:46PM
*To:* nginx@nginx.org [nginx@nginx.org]
*Subject:* Re: Blocking tens of thousands of IP's
What is your firewall? That is the place to block subnets etc. I
assume they are not random IPs; they are likely from a block owned by
someone?
On Tue, Nov 1, 2016 at 5:37 PM, CJ Ess <zxcvbn4...@gmail.com
<mailto:zxcvbn4...@gmail.com>> wrote:
I don't think managing large lists of IPs is nginx's strength; as
far as I can tell all of its ACLs are arrays that have to be
iterated through on each request.
When I do have to manage IP lists in nginx I try to compress the
lists into the most compact CIDR representation so there is less
to search. Here is a Perl snippet I use to do that (handles IPv4
and IPv6):
#!/usr/bin/perl
use strict;
use warnings;
use NetAddr::IP;

# Whitespace-separated list of IPs/CIDRs (v4 and v6), read from STDIN.
my $list_of_ips = do { local $/; <STDIN> };

my @addresses;
foreach my $subnet (split(/\s+/, $list_of_ips)) {
    next unless length $subnet;    # skip the empty token from leading whitespace
    push(@addresses, NetAddr::IP->new($subnet));
}

# compact() merges adjacent ranges and drops ones subsumed by a larger CIDR.
foreach my $cidr (NetAddr::IP::compact(@addresses)) {
    if ($cidr->version == 4) {
        print $cidr . "\n";
    } else {
        # short() gives the compressed IPv6 form; add the mask length back.
        print $cidr->short() . "/" . $cidr->masklen() . "\n";
    }
}
On Tue, Nov 1, 2016 at 11:15 AM, Cox, Eric S <eric....@kroger.com
<mailto:eric....@kroger.com>> wrote:
Is anyone aware of a difference, performance-wise, between using
return 403;
vs
deny all;
when mapping against a list of tens of thousands of IPs?
Thanks
------------------------------------------------------------------------
This e-mail message, including any attachments, is for the
sole use of the intended recipient(s) and may contain
information that is confidential and protected by law from
unauthorized disclosure. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message.
_______________________________________________
nginx mailing list
nginx@nginx.org <mailto:nginx@nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx
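The following is an added example, not code from anyone in the thread. It reproduces what CJ Ess's Perl snippet does (compacting a mixed IPv4/IPv6 list into the smallest set of CIDRs) with Python's standard ipaddress module, and then renders the result two ways: as nginx `deny` lines, which nginx scans linearly per request as CJ Ess notes, and as an `ipset restore` script with matching iptables/ip6tables rules, the approach Lucas Rolff suggests, where lookups are hash-based and entries can be added or swapped without reloading nginx. The sample list and the set names `blocklist4`/`blocklist6` are constructed for illustration.

```python
"""Compact a mixed IPv4/IPv6 block list and render it for nginx or ipset."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: hosts and CIDRs with overlaps and adjacent halves.
# A naive list would carry all eight entries; compaction leaves three.
SAMPLE_LIST = """
192.0.2.0/25
192.0.2.128/25
192.0.2.77
198.51.100.0/24
198.51.100.9
2001:db8::/33
2001:db8:8000::/33
2001:db8:ffff::1
"""


def parse_networks(text: str) -> List[Network]:
    """Whitespace-separated IPs/CIDRs; a bare host becomes /32 or /128."""
    # strict=False tolerates host bits set inside a CIDR, like NetAddr::IP->new.
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


def compact(nets: List[Network]) -> Tuple[List[Network], List[Network]]:
    """Merge adjacent ranges and drop subsumed ones, per address family.

    ipaddress.collapse_addresses is the equivalent of NetAddr::IP::compact;
    it only accepts one family at a time, hence the split.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def render_nginx(v4: List[Network], v6: List[Network]) -> str:
    """nginx access rules: one `deny` per compacted CIDR, checked in order."""
    return "".join(f"deny {net};\n" for net in v4 + v6)


def render_ipset(v4: List[Network], v6: List[Network],
                 name4: str = "blocklist4", name6: str = "blocklist6") -> str:
    """An `ipset restore` script.

    Entries are loaded into a temporary set which is then swapped with the
    live set, so the rules referencing the live set never see a half-loaded
    list. `-exist` makes the initial create a no-op on later runs.
    """
    out = []
    for name, family, nets in ((name4, "inet", v4), (name6, "inet6", v6)):
        tmp = f"{name}_tmp"
        out.append(f"create {name} hash:net family {family} maxelem 131072 -exist")
        out.append(f"create {tmp} hash:net family {family} maxelem 131072")
        out.extend(f"add {tmp} {net}" for net in nets)
        out.append(f"swap {tmp} {name}")
        out.append(f"destroy {tmp}")
    return "\n".join(out) + "\n"


def render_iptables(name4: str = "blocklist4", name6: str = "blocklist6") -> str:
    """Netfilter rules that drop any source address found in the sets."""
    return (f"iptables -I INPUT -m set --match-set {name4} src -j DROP\n"
            f"ip6tables -I INPUT -m set --match-set {name6} src -j DROP\n")


if __name__ == "__main__":
    v4, v6 = compact(parse_networks(SAMPLE_LIST))
    print("# nginx\n" + render_nginx(v4, v6))
    print("# ipset restore (pipe into: ipset restore)\n" + render_ipset(v4, v6))
    print("# netfilter\n" + render_iptables())
```

Run it with real input by replacing `SAMPLE_LIST` with the contents of your list file; feed the ipset section to `ipset restore` and install the two netfilter rules once. Because the live set is swapped rather than rebuilt in place, rerunning the script on an updated list replaces the block list atomically, and single additions can still be made with `ipset add` without touching nginx.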