Forum

Stop Traffic From China

Igor
12 January 2010, 14:32
First, let me thank you for all your hard work. Hiawatha is a great webserver!

I have a little question:

What is the best way to block all traffic from china?

My idea is to use a .hiawatha file (so as not to make the hiawatha.conf file long like Monday):

AccessList = deny 58.14.0.0/15, deny 58.16.0.0/13, deny 58.24.0.0/15, ...

The list is long, so I am wondering how hard on the system this would be?


ty for your help,
Igor


Hiawatha version: 6.19
Operating System: ubuntu 8.xx
Hugo Leisink
12 January 2010, 15:12
A .hiawatha file is read and parsed every time a file from the same directory is requested. So, to lower the load on your webserver, you'd better place the AccessList in your hiawatha.conf file. That file is parsed only once during startup.

I have no idea what the impact of that list will be on your server. I don't know how long your AccessList will be and what the processing power of your server is. The best way to find out is to try. You can use Apache's ab tool to stress test your server. Try it with the AccessList and without the AccessList.

I'm very curious about the results. So if you have any, please let me know.
Igor
12 January 2010, 19:26
You are correct, a .hiawatha file is not the way to go ...

test:
ab -n 1000 -c 5 http://192.168.1.2/speedtest2/speedtest.html

With .hiawatha file 45k in size:
Concurrency Level: 5
Time taken for tests: 3.790250 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 391000 bytes
HTML transferred: 178000 bytes
Requests per second: 263.83 [#/sec] (mean)
Time per request: 18.951 [ms] (mean)
Time per request: 3.790 [ms] (mean, across all concurrent requests)
Transfer rate: 100.52 [Kbytes/sec] received

Without:
Concurrency Level: 5
Time taken for tests: 0.253278 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 391000 bytes
HTML transferred: 178000 bytes
Requests per second: 3948.23 [#/sec] (mean)
Time per request: 1.266 [ms] (mean)
Time per request: 0.253 [ms] (mean, across all concurrent requests)
Transfer rate: 1504.28 [Kbytes/sec] received


will post data for AccessList inside hiawatha.conf later...
Hugo Leisink
13 January 2010, 09:30
45 kilobytes of AccessList entries.... hmmm.... I think you're going the wrong way. Why do you want to block all China actually?
Cristian Gilè
13 January 2010, 13:10
Why not use iptables directly? When a Chinese source IP visits your website, you could redirect it to a 404 error page.
Hugo Leisink
13 January 2010, 15:04
iptables does not allow you to redirect HTTP traffic.
Igor
13 January 2010, 16:08
Ty for your help. On the net I see two popular ways to block a country. One is with iptables and the other with a .htaccess file. I can for sure rule out .htaccess.

Why do it? In all my sites I see a huge amount of traffic from China... I started a new website for US schools and in two months I see a rise in China scans and users. They simply do not belong there. In truth, I do not want to block the everyday China user. I want to stop mass scans and harvesters coming from there. Blocking them all is the last resort...
Hugo Leisink
13 January 2010, 16:12
You better block them via iptables. That's a lot faster than via Hiawatha.
Igor
13 January 2010, 16:33
Found this online. Wanted to add it here... Hiawatha sure is great!

hiawatha.conf -> Stop China search engines (please add more if you have any):

DenyBot = BaiDuSpider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
Cristian Gilè
15 January 2010, 17:53
Sorry for my bad tip. You could drop packets coming from China with a simple iptables rule, or you could redirect HTTP traffic from a Chinese IP to a secondary web server to show a 404 error page.
This topic has been closed.
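
The iptables approach recommended above, as an added example that is not part of the original thread: instead of one rule per range, the list is loaded into a single ipset (a tool the thread does not mention), so the kernel does one hash lookup per packet. The set name `geo_block`, the helper names and the malformed sample lines are assumptions made for illustration; the three ranges are the ones quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): build `ipset restore` input from a CIDR list.
# SET_NAME is a hypothetical name; the sample list below is constructed.
SET_NAME="geo_block"

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/len), else 1.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    case "$1" in *[!0-9./]*) return 1 ;; esac      # digits, dots, slash only
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split address into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDRs on stdin and write `ipset restore` commands for set $1 on stdout.
# Blank lines and '#' comments are skipped; malformed entries go to stderr.
build_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_cidr4 "$entry"; then
            printf 'add %s %s\n' "$1" "$entry"
        else
            printf 'skipped malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Print (do not run) the single rule that drops HTTP from addresses in set $1.
drop_rule() {
    printf 'iptables -I INPUT -p tcp --dport 80 -m set --match-set %s src -j DROP\n' "$1"
}

# Constructed sample: three ranges from the thread plus two bad entries.
sample_list() {
    printf '%s\n' '# ranges quoted in the thread' '58.14.0.0/15' '58.16.0.0/13' \
        '58.24.0.0/15   # trailing comment' '58.300.0.0/15' 'not-a-cidr'
}

sample_list | build_ipset_restore "$SET_NAME"
drop_rule "$SET_NAME"
```

The script only prints text and changes nothing on the host. To apply it, pipe the output of `build_ipset_restore` into `ipset restore` as root and then run the printed rule.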