Different Naxsi rulesets

Jean-Paul Hemelaar hemelaar at desikkel.nl
Wed Nov 15 18:54:45 UTC 2017


Hi,

With help from the Naxsi maillist I found that my idea is indeed not
possible.
Naxsi doesn't process subrequests, so that's why it didn't work as I
expected.
It seems to be on the roadmap to change this behavior.

My workaround for now is to move the two rulesets into different server
blocks in Nginx:

Serverblock 1 listening on port 8080 makes the decision to send the request
to the strict or not-strict Naxsi
Serverblock 2 listening on port 8081 applies the strict rules
Serverblock 3 listening on port 8082 applies the less-strict rules

This works!

Thanks for your help,

JP
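The three-server-block workaround described above, written out as one nginx configuration fragment. This is an added example for this page, not the configuration posted in the thread. It assumes the ports from the mail (8080, 8081, 8082), the rule-file names used earlier in the thread, the placeholder country codes CC1 and CC2, a hypothetical GeoIP database path and upstream address, a build with the geoip and realip modules, and that the two naxsi rule files carry the per-location naxsi directives (SecRulesEnabled, DeniedUrl, CheckRule) as the thread implies.

```nginx
# Added example: GeoIP-keyed routing to two naxsi tiers in separate server
# blocks. Not the thread's own config; ports, file names, country codes,
# the GeoIP path and the upstream address are placeholders.

http {
    # Naxsi core rules stay in the http block, as in the thread.
    include /usr/local/nginx/naxsi_core.rules;

    # ngx_http_geoip_module: populates $geoip_country_code from the client IP.
    geoip_country /usr/share/GeoIP/GeoIP.dat;   # hypothetical path

    upstream app-server {
        server 10.0.0.10:80;                     # hypothetical backend
    }

    # 1. Decide the tier from the country of the connecting address.
    map $geoip_country_code $naxsi_tier {
        default strict;
        CC1     relaxed;
        CC2     relaxed;
    }

    # 2. Map the tier to the loopback listener that applies that ruleset.
    #    proxy_pass accepts a variable; an IP literal needs no resolver.
    map $naxsi_tier $naxsi_upstream {
        strict  http://127.0.0.1:8081;
        relaxed http://127.0.0.1:8082;
    }

    # Server block 1: public entry point. Only routes, applies no naxsi rules.
    server {
        listen 8080;
        location / {
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass $naxsi_upstream;
        }
    }

    # Server block 2: strict rules. Bound to loopback only, so a client
    # cannot connect to it directly and skip the routing decision above.
    server {
        listen 127.0.0.1:8081;
        # ngx_http_realip_module: restore the client address from block 1 so
        # naxsi log lines show the real client, not 127.0.0.1.
        set_real_ip_from 127.0.0.1;
        real_ip_header   X-Real-IP;

        location / {
            # Expected to contain SecRulesEnabled, DeniedUrl "/RequestDenied"
            # and the strict CheckRule thresholds (assumption).
            include /usr/local/nginx/naxsi.rules.strict;
            proxy_pass http://app-server/;
        }
        location /RequestDenied { return 403; }
    }

    # Server block 3: relaxed rules, same shape, also loopback only.
    server {
        listen 127.0.0.1:8082;
        set_real_ip_from 127.0.0.1;
        real_ip_header   X-Real-IP;

        location / {
            include /usr/local/nginx/naxsi.rules.relaxed;
            proxy_pass http://app-server/;
        }
        location /RequestDenied { return 403; }
    }
}
```

Two points worth checking before deploying this shape: the tier listeners must not be reachable from outside (the `127.0.0.1:` bind, or a firewall rule, is what stops a client from picking the relaxed tier itself), and the country lookup runs on the address nginx sees, so if another proxy or load balancer sits in front of port 8080, `set_real_ip_from` / `real_ip_header` belong in server block 1 as well, otherwise every request maps to the proxy's country. Since the decision is keyed on source IP geolocation, anyone with an exit address in CC1 or CC2 reaches the relaxed ruleset; treat the relaxed tier as a usability concession, not a security boundary. `nginx -t` validates the fragment once the placeholder paths exist.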



On Mon, Nov 13, 2017 at 8:30 PM, Aziz Rozyev <arozyev at nginx.com> wrote:

> hello,
>
> how about logs? does naxsi provide any variables that can be monitored?
>
> so far it seems that your rules in ‘strict|relaxed’ are not triggering,
> the ‘default’
> one will always hit (as expected), as it’s first location ‘/‘ from where
> you route to other 2 locations.
>
> also, try to log in debug mode, may be that will give more insights.
>
> br,
> Aziz.
>
>
>
>
>
> > On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar <hemelaar at desikkel.nl>
> wrote:
> >
> > Hi,
> >
> > I have updated the config to use 'map' instead of the if-statements.
> That's indeed a better way.
> > The problem however remains:
> >
> > - Naxsi mainrules are in the http-block
> > - Config similar to:
> >
> >     map $geoip_country_code $ruleSetCC {
> >         default "strict";
> >         CC1 "relaxed";
> >         CC2 "relaxed";
> >     }
> >
> >     location /strict/ {
> >        include /usr/local/nginx/naxsi.rules.strict;
> >
> >        proxy_pass  http://app-server/;
> >     }
> >
> >     location /relaxed/ {
> >        include /usr/local/nginx/naxsi.rules.relaxed;
> >
> >        proxy_pass  http://app-server/;
> >     }
> >
> >     location / {
> >        include /usr/local/nginx/naxsi.rules.default;
> >
> >        set $ruleSet $ruleSetCC;
> >        rewrite ^(.*)$ /$ruleSet$1 last;
> >     }
> >
> >
> > It's always using naxsi.rules.default. If this line is removed it's not
> using any rules (pass-all).
> >
> > Thanks so far!
> >
> > JP
> >
> >
> >
> >
> >
> > On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <arozyev at nginx.com> wrote:
> > At first glance config looks correct, so probably it’s something with
> naxsi rulesets.
> > Btw, why don’t you use maps?
> >
> > map $geoip_country_code $strictness {
> >   default "strict";
> >   CC_1    "not-so-strict";
> >   CC_2    "not-so-strict";
> >   # .. more country codes;
> > }
> >
> > # strict and not-so-strict locations
> >
> > map $strictness $path {
> >    "strict"         "/strict/";
> >    "not-so-strict"  "/not-so-strict/";
> > }
> >
> > location / {
> >    return 302 $path;
> >    # ..
> > }
> >
> >
> > br,
> > Aziz.
> >
> >
> >
> >
> >
> > > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl>
> wrote:
> > >
> > > T THIS WORKS:
> > >      # include /usr/local/n
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>