Apache Friends Support Forum

[Steppke]

Hello friends,

I run a dedicated root server and since I have problems with scrappers. I have now blocked access through many IP ranges from servers/VPS providers via "deny" in my virtual host.

The list is now several hundred lines long and includes not only individual IPs, but also entire IP blocks, sometimes all IPs of an ASN/ISP.

My question is: Does an extensive deny list in the virtual host have a negative impact on Apache/server performance?

Can anyone tell me anything about this?

I thank you in advance.

Many greetings
Steppke

[Nobbie]

Why should it be? Never heard about this and there is actually not the slightest reason (could give us any?).

[Steppke]

As I said, I have now blocked entire ISP from different countries where the scrapers operate their servers/VPS (and keep adding new IPs when I blocked a single IP).

These are massive IP blocks with tens of thousands of IPs (by now).

Doesn't every request (page access) first have to go through the entire deny list (which takes a certain amount of time) before Apache allows the IP to access the page, what would mean a drop in performance?

I don't know, that's why I'm asking here.

[Altrea]

it is almost always more performant to block an ip (even from a hundred of thousant entry block list) than to let these requests be fully processed by Apache (and even worse by PHP and Database).

but of course, if you have the possibility to block those requests earlier by an hardware firewall this is by far more performant than to let them through to Apache.

[Steppke]

Unfortunately I don't have a hardware firewall.

So do you see my approach of blocking the ips(blocks) via the virtual host as ok?

[Altrea]

but you got a root server, so maybe a software firewall would be a better approach (fail2ban, or similar. i don't have any experience with that).

at the end you csnnot fully prevent to.be scrapped. There is no absolute fool proof way to separate a scrape from a valid request.

[Nobbie]

I don't know, that's why I'm asking here.

So do i.

Are you kidding? Do really think, that filtering a simple IP from a list of IPs (does not mind how many) takes any CPU usage? You know, that we are speaking about 8 core CPUs which can render full HD videos in the most sophisticated codec (h265) with approx. 100(!) frames per second? You do not have the slightest idea, how powerfull modern CPUs are running. I dont think it takes more than a millisecond to filter a simple IP (4 Bytes) from whatever list. Thats ridiciolous.

[Steppke]

Is that then also negligible (as far as the performance of the server is concerned) if it has tens of thousands of accesses per day?

That's the big question!

[Nobbie]

Even billions are no problem.

BUT tens of thousands of HTTP Requests (anyway - not because of the IP blockade) may need lots of ressources, as HTTP requests have big I/O amount. Thats another question. But the IP check is nothing, really nothing. You still have no clue, how powerfull a modern CPU is.