Apache IP Manager and large IP blocks

*Syneryder* · 03-04-2022, 03:57 AM

Short question: Is adding large lists of IP block ranges to the Apache IP Manager a good idea, or will it make my site unbearably slow?

Longer version: in light of recent events, I started implementing a country-level block on countries that were already the biggest spammers/hackers & a high fraud risk anyway. But one of these countries is quite large, about 7000 IP ranges even after consolidating them. I've entered 300 ranges so far into the Apache IP Manager in CNC, and while the site is okay now, it looks like I may have increased my Time To First Byte by an extra 1-2 seconds? Does that sound right? If I've measured correctly and that means 7000 entries is going to blow it out to 40 seconds wait for first access, that's obviously going to be unusable. I'd rather know now before I type in the other 6000 entries

I'm already using GeoIP MaxMind's API to do country-level detection on PHP forms, and that works very well. But a sitewide geo-block would be even better, if there's a way to do it without making things slow for genuine customers.

*Syneryder* · 03-06-2022, 11:21 AM

An update for others who find this thread and were thinking of doing the same thing - I've only just noticed the IP block doesn't apply to HTTPS! It only works for HTTP. While that would stop a lot of the automated comment spam, some of it comes via https now.

I didn't notice much performance slowdown at around 450 IP ranges entered, the first access from an IP felt slow but every request from that IP after the first was quite fast.

*Syneryder* · 03-11-2022, 05:15 AM

One last update, in case it helps others!

I ended up adding everything into a regular www root htaccess file, over 8000 "Deny From" rules of IP address ranges. The website is running super fast and Time To First Byte is tiny. It's blocking a ton of web spam attempts from those countries now.

So don't be afraid of adding large IP block rule lists into htaccess!

kwe · 04-03-2022, 11:44 AM

Good to know—thank you for the follow-up post!

*JohnStrasser* · 07-17-2022, 01:24 AM

I'll add my thanks. I'm in the midst of setting up a block for anything outside the US and so figured I'd use TOR to test it.

Took me an hour to figure out it doesn't work with https, and then I see this

coulda saved myself an hour...sigh...