geo-ip + nginx


geo-ip + nginx

Payam Chychi
hey guys,

Anyone know the upper limit on the number of ACL lines for geo-ip with
nginx? I have a list of 7000 lines and I feel that I might be hitting
a performance wall at 20-30 Mbps of requests (6-9k req/sec).
Boxes I'm using are Xeon 2.4GHz+, dual core/dual proc + 4 GB RAM.

Thanks

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Re: geo-ip + nginx

Igor Sysoev
On Thu, May 28, 2009 at 08:21:16AM -0700, Payam Chychi wrote:

> hey guys,
>
> Anyone know the upper limit on the number of ACL lines for geo-ip with
> nginx? I have a list of 7000 lines and I feel that I might be hitting
> a performance wall at 20-30 Mbps of requests (6-9k req/sec).
> Boxes I'm using are Xeon 2.4GHz+, dual core/dual proc + 4 GB RAM.

If you use geo variables, then there is no limit.
I use about 200,000 addresses.


--
Igor Sysoev
http://sysoev.ru/en/


Re: geo-ip + nginx

Payam Chychi
I see, so I assume you load the entire 200k list once, then refer back
to it from one or more configs? The way I am doing it is I have one
global list that applies to all configs, then I also have a second list
that applies to individual configs.

1st list drops all known bad hosts (default = ddos)
2nd list allows connections only from particular sources that match
the list (default = 0)

ever have any issues loading multiple lists in geo with different variables?

ex:
      location / {
               if (  $ddos_ru = ddos ){
                        return 403;
                        break;
                }

               if ( $geo2 = 0 ) {
                        return 403;
                        break;
                }


         proxy_pass              http://LB_HTTP_x.x.x.x;
         proxy_intercept_errors on;
         proxy_cache             one;
         proxy_cache_key         x.x.x.x$request_uri;
         proxy_cache_valid       200  1h;
         proxy_cache_valid       404 5m;
         proxy_cache_use_stale   error timeout invalid_header;
         }


--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Re: geo-ip + nginx

Igor Sysoev
On Thu, May 28, 2009 at 08:46:13AM -0700, Payam Chychi wrote:

> I see, so I assume you load the entire 200k list once, then refer back
> to it from one or more configs? The way I am doing it is I have one
> global list that applies to all configs, then I also have a second list
> that applies to individual configs.

We use single geo variables for geo targeting, but not for blocking.

> 1st list drops all known bad hosts (default = ddos)
> 2nd list allows connections only from particular sources that match
> the list (default = 0)
>
> ever have any issues loading multiple lists in geo with different variables?

No issues.

> ex:
>       location / {
>                if (  $ddos_ru = ddos ){
>                         return 403;
>                         break;
>                 }
>
>                if ( $geo2 = 0 ) {
>                         return 403;
>                         break;
>                 }

These "break"s are useless.

Also I prefer this way:

geo $ddos_ru {
    default  1;
    ...      0;
    ...      0;
    ...      0;
}

geo $geo2 {
    default  1;
    ...      0;
    ...      0;
    ...      0;
}

       if ($ddos_ru) {
           return 403;
       }

       if ($geo2) {
           return 403;
       }

>
>          proxy_pass              http://LB_HTTP_x.x.x.x;
>          proxy_intercept_errors  on;
>          proxy_cache             one;
>          proxy_cache_key         x.x.x.x$request_uri;
>          proxy_cache_valid       200  1h;
>          proxy_cache_valid       404 5m;
>          proxy_cache_use_stale   error timeout invalid_header;
>          }
>
>
> --
> Payam Tarverdyan Chychi
> Network Security Specialist / Network Engineer

--
Igor Sysoev
http://sysoev.ru/en/


Re: geo-ip + nginx

Payam Chychi
Hey Igor,

I can see why... looks good. However, I am trying to move towards a
master list (geo2) that has multiple different variables, as it is an
IP-->country mapping database, so the suggestion won't work... I don't
believe. I am trying to allow a setup where I can say "only allow
connections from CA and EU" type of thing. Here is what I got:

    set $action deny;

    geo $geo2 {
        default  1;
        ...      CA;
        ...      US;
        ...      EU;
    }

    if ($geo2 = 'CA|EU') {
        set $action "permit";
    }

    if ($action ~* "permit") {
        proxy_pass  http://LB_HTTP_x.x.x.x;
        break;
    }

    if ($action !~ "permit") {
        return 403;
    }

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Re: geo-ip + nginx

Igor Sysoev
On Fri, May 29, 2009 at 11:16:29AM -0700, Payam Chychi wrote:

> Hey Igor,
>
> I can see why... looks good. However, I am trying to move towards a
> master list (geo2) that has multiple different variables, as it is an
> IP-->country mapping database, so the suggestion won't work... I don't
> believe. I am trying to allow a setup where I can say "only allow
> connections from CA and EU" type of thing. Here is what I got:
>
> set $action deny;
>
>  geo $geo2 {
>     default  1;
>     ...      CA;
>     ...      US;
>     ...      EU;
>
>        }
>
>        if ($geo2 = 'CA|EU') {
>            set $action "permit";
>       }
>
>
>   if ($action ~* "permit") {
>          proxy_pass              http://LB_HTTP_x.x.x.x;
>          break;
>    }
>
>   if ($action !~ "permit") {
>         return 403;
>    }

No, do not use proxy_pass inside "if" if it's possible to configure
proxy_pass in a different way.  The "return" is the only directive that
works inside "if" as anyone may expect. Others have hidden agendas.

So

    if ($geo2 !~* "CA|EU") {
         return 403;
    }

    proxy_pass  http://LB_HTTP_x.x.x.x;

However, I prefer to create an exact geo map with just two values - 0 and 1.


--
Igor Sysoev
http://sysoev.ru/en/
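Putting Igor's two pieces of advice together (the 0/1 geo maps from his earlier reply, and "return" as the only directive inside "if", with proxy_pass kept outside), here is a complete configuration in that shape. It is an added example written for this page, not configuration posted by either participant. The include paths, the upstream name lb_http, the proxy_cache_path line and the sample CIDRs (203.0.113.0/24, 198.51.100.0/24, the 10.0.0.x servers) are placeholders of mine; the thread's proxy_cache zone "one" is defined here only because nginx requires it. The allowlist is inverted relative to Payam's "default = 0" version so that both tests are plain truth checks, exactly as in Igor's snippet. geo stores CIDR keys in a radix tree, so a lookup costs the same whether the list has 7k or 200k entries, which is the reason behind "there is no limit".

```nginx
# Added example for this thread, not configuration posted by either participant.
# Shape follows Igor's advice: each geo map yields only 0 or 1, "if" tests the
# variable directly, "return" is the only directive inside "if", and proxy_pass
# sits outside.  Paths, the upstream name, the cache path and the sample CIDRs
# (203.0.113.0/24, 198.51.100.0/24, 10.0.0.x) are placeholders, not real data.

http {
    # 1st list: known bad hosts.  Listed = 1 (blocked), default = 0.
    # List size is not a concern: geo keeps CIDRs in a radix tree, so a
    # lookup costs the same for 7k or 200k entries.
    geo $blocked {
        default          0;
        include          /etc/nginx/geo/blocked.conf;  # assumed path; one "CIDR 1;" per line
        203.0.113.0/24   1;                             # constructed sample entry
    }

    # 2nd list: per-site allowlist.  Default = 1 (denied), listed = 0,
    # so the test below is a plain truth check, as in Igor's example.
    geo $country_denied {
        default          1;
        include          /etc/nginx/geo/ca.conf;  # assumed path; CA ranges as "CIDR 0;"
        include          /etc/nginx/geo/eu.conf;  # assumed path; EU ranges as "CIDR 0;"
        198.51.100.0/24  0;                        # constructed sample entry
    }

    # Assumed upstream standing in for the thread's LB_HTTP_x.x.x.x.
    upstream lb_http {
        server 10.0.0.10:80;
        server 10.0.0.11:80;
    }

    # The thread uses cache zone "one" but never shows its definition; assumed here.
    proxy_cache_path /var/cache/nginx keys_zone=one:10m;

    server {
        listen 80;

        location / {
            # Block list first.  No "break": "return" already finishes the request.
            if ($blocked) {
                return 403;
            }

            # Allowlist second: any source not enumerated above is denied.
            if ($country_denied) {
                return 403;
            }

            # proxy_pass stays outside "if", per Igor.
            proxy_pass              http://lb_http;
            proxy_intercept_errors  on;
            proxy_cache             one;
            proxy_cache_key         $host$request_uri;
            proxy_cache_valid       200 1h;
            proxy_cache_valid       404 5m;
            proxy_cache_use_stale   error timeout invalid_header;
        }
    }
}
```

Two checks before relying on this. First, geo matches on $remote_addr, so if this nginx sits behind another load balancer or CDN hop, every request arrives from that hop's address and both lists see only it; add a "proxy <trusted CIDR>;" line inside each geo block so that, for requests from the trusted hop, the client address is taken from X-Forwarded-For instead. Second, after "nginx -t", request the site from one address in the block list, one in the allowlist and one in neither: the first and third should get 403 and only the second should reach the upstream.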


Re: geo-ip + nginx

Payam Chychi
I see, ok, great advice :)  Thank you

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer