(no subject)


(no subject)

Software Info

Hi All

I have implemented GEO IP blocking which is working just fine. I have the settings you see below.

 

    map $geoip_country_code $country_access {
        "US"    0;
        default 1;
    }

    server {
        if ($country_access = '1') {
            return 403;
        }
    }

I notice though that in the logs, the internal IP addresses are not tagged with a country code, so internal subnets are getting blocked. Would the correct solution be to enter the subnets manually, as in the config below? Or is there a better solution? Oh, by the way, I did try the config below and it didn’t work. I'm trying to keep the geographical blocking but allow some IP ranges. Any ideas on how to do this? Any help would be appreciated.

  

    map $geoip_country_code $country_access {
        "US"             0;
        "192.168.1.0/24" 0;
        default          1;
    }

 

 

Regards

SI

 

 


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: [no subject]

lists@lazygranch.com
Perhaps a dumb question, but if all you are going to do is return a 403, why not just do this filtering in the firewall by blocking the offending IP space? Yeah, I know a server should always have some response, but it isn't like you would be the first person to just block entire countries. (I don't do this on 80/443, but I do block most email ports outside the US.)

The only reason I mention this is that Nginx blocking is more CPU intensive than the firewall. On a small VPS, you might notice the difference in loading.



Re: [no subject]

Bee.Lists
In reply to this post by Software Info
>
> On Apr 12, 2019, at 10:24 PM, Software Info <[hidden email]> wrote:
>
> Any ideas on how to do this? Any help would be appreciated.


How about a subject?

RE: [no subject]

Software Info
In reply to this post by lists@lazygranch.com

Oops, I just noticed I don’t have a Subject. Sorry about that. The firewall that we use is really cumbersome when it comes to geo IP blocking, in my opinion, so I decided to do it in nginx. I forgot to mention too that when I put the IP address that I don’t want to block in the server, I still get the 403. So I can’t seem to find a way to allow the 192.168.1.0/24 network while keeping geo blocking.

 

    map $geoip_country_code $country_access {
        "US"             0;
        "192.168.1.0/24" 0;
        default          1;
    }

 

 


Re: [no subject]

nginx mailing list
In reply to this post by lists@lazygranch.com
I don’t think it’s a dumb question at all. It’s a very astute question.

My experience of protecting a high-traffic retail website from a foreign state-sponsored DDoS was that doing IP blocking on a hardware load balancer in front of the nginx tier was the difference between the site being available and the site being down on an unusually busy day. The economic impact of having both nginx and the load balancer working in concert saved millions of dollars in revenue in one busy day. The load balancer (well, it was the WAF module in an F5 BigIP) was doing what could have equally been done in a firewall. With F5’s acquisition of nginx we might see innovative ways of combining the best hardware and software ADC solutions to build rock-solid websites.

Anything you can do to protect your backend helps your website stay alive, whether it’s browser caching, CDN, firewall, or hardware load balancer, before getting to nginx. Then if nginx has intelligent caching rules you can build a site that sustains enormous bursts of traffic and stays up. Nginx is like a Swiss Army knife of HTTP that can do so many different things - but that doesn’t mean it’s right to expect that it does everything.

Peter


Re: [no subject]

lists@lazygranch.com
When I blocked IP space in the past using Nginx, it seemed to parse the request anyway. That is, the blocking was very low level. The code from the OP will add to the "regular" 403s, which I create by hot link detection.

I look at the 403s to ensure it isn't some other bug (AKA my coding), so the IP space blocking could really increase the error report size. It is a bit off topic, but you really should look at hot linkers to determine if the website is of low reputation (spam or porn).

Back to the OP's request: unless the OP lives in a data center, the question makes it appear to me like they are using a home server. I did that in the 90s, but the internet is a really nasty place to have your home IP internet-facing. These VPSs are really cheap. I doubt I will ever use a hosting company again.


Re: your mail (GEO IP blocking)

Francis Daly
In reply to this post by Software Info
On Fri, Apr 12, 2019 at 09:24:01PM -0500, Software Info wrote:

Hi there,

> I notice though that in the logs, the internal IP Addresses are not
> tagged with a country code so internal subnets are getting blocked. Would
> the correct solution be to enter the subnets manually such as this config
> below? Or is there a better solution?

You use something to set $geoip_country_code, which compares the source
IP address with its database of locations.

You want to allow certain $geoip_country_code values, and also to allow
certain IP addresses.

One possibility:

* can you see the $geoip_country_code that is set for the addresses you
want to allow (probably blank)?
* are you happy to allow every address that gets that same value?

If so, use

  map $geoip_country_code $country_access {
    "US"    0;
    ""      0;
    default 1;
  }


Another possibility:

* change the database that your tool uses, so that the addresses you
care about (192.168.1.0/24, but not 192.168.2.0/24, for example) set
$geoip_country_code to a value such as "LAN" or something else that is
not otherwise used.
* Then - same as above, but allow "LAN" instead of "".

And another way could be to make your own variable, based on a combination
of the things that you care about. Conceptually (but this does not work),
you want

  # Do not use this
  geo $my_country {
    192.168.1.0/24 "LAN";
    default $geoip_country_code;
  }

and then use $my_country to check validity. In practice instead, you
would want something like (untested by me!):

  geo $lan_ip {
    192.168.1.0/24 "LAN";
    default "";
  }
  map $geoip_country_code$lan_ip $country_access {
    "US"    0;
    "LAN"   0;
    default 1;
  }

which does assume that anything that has $lan_ip set will have
$geoip_country_code blank (or will get the default value). I think that
for your case of private RFC 1918 addresses, this is ok. It is not a
general solution. (It could be adapted to become one, if necessary.)


Do be aware that, depending on your config, the thing that sets
$geoip_country_code and the thing that sets $lan_ip may not be reading
from the same value. So you'll probably want to make sure that they do,
for consistency.

Good luck with it,

        f
--
Francis Daly        [hidden email]
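The geo + map approach from Francis's reply, written out as a complete http-context fragment. This is an added example, not Francis's or the original poster's config; it goes one step further than his version by putting $lan_ip first in the map key and matching it with a regex prefix, so the allow-list holds even when a listed address does resolve to a country code, and it shows how to keep the geo and geoip lookups reading the same client address when nginx sits behind a proxy. The database path and the 10.0.0.0/8 trusted-proxy range are placeholders.

```nginx
# Added example, not the thread's own config. Paths and the trusted-proxy
# range are placeholders.
http {
    # Country lookup (ngx_http_geoip_module). Placeholder database path.
    geoip_country /PLACEHOLDER/path/to/GeoIP.dat;
    # Behind a reverse proxy, the lookup can be told to use X-Forwarded-For
    # for requests arriving from trusted proxies:
    # geoip_proxy 10.0.0.0/8;

    # Allow-listed subnets. geo reads $remote_addr by default, the same
    # address geoip_country uses, so both checks see the same client.
    geo $lan_ip {
        # If geoip_proxy is set above, mirror it here so the two lookups
        # keep evaluating the same address:
        # proxy 10.0.0.0/8;
        default        "";
        192.168.1.0/24 "LAN";   # 192.168.2.0/24 is deliberately not listed
    }

    # $lan_ip comes first, so an allow-listed client yields a key that
    # starts with "LAN" whatever the database returned for it (blank or a
    # real country code); the regex catches all of those. Other clients
    # yield just their country code, which is matched exactly.
    map $lan_ip$geoip_country_code $country_access {
        "~^LAN" 0;   # allow-listed subnet, country code ignored
        "US"    0;   # allowed country
        default 1;   # everything else, including blank/unknown codes
    }

    server {
        listen 80;

        if ($country_access = '1') {
            return 403;
        }

        # remaining server configuration goes here
    }
}
```

Blocked requests still reach nginx and are logged as 403s, so the access log stays useful for spotting which subnets the allow-list is missing.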