<div dir="ltr">Hi Aziz,<div><br></div><div>True; this got lost during my copy-anonymize-paste process. The real config doesn't have this.</div><div><br></div><div>Thanks so far,</div><div><br></div><div>JP</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 12, 2017 at 2:34 PM, Aziz Rozyev <span dir="ltr"><<a href="mailto:arozyev@nginx.com" target="_blank">arozyev@nginx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">at least you’re missing an or (|) operator between<br>
<br>
> TRUSTED_CC_2 and TRUSTED_CC_3<br>
<br>
<br>
<br>
br,<br>
Aziz.<br>
<div><div class="h5"><br>
<br>
<br>
<br>
<br>
> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <<a href="mailto:hemelaar@desikkel.nl">hemelaar@desikkel.nl</a>> wrote:<br>
><br>
> Hi!<br>
><br>
> I'm using Nginx together with Naxsi; so not sure if this is the correct place for this post, but I'll give it a try.<br>
><br>
> I want to configure two detection thresholds: a strict detection threshold for 'far away countries', and a less-strict set<br>
> for local countries. I'm using a setup like:<br>
><br>
> location /strict/ {<br>
> include /usr/local/nginx/naxsi.rules.<wbr>strict;<br>
><br>
> proxy_pass <a href="http://app-server/" rel="noreferrer" target="_blank">http://app-server/</a>;<br>
> }<br>
><br>
> location /not_so_strict/ {<br>
> include /usr/local/nginx/naxsi.rules.<wbr>not_so_strict;<br>
><br>
> proxy_pass <a href="http://app-server/" rel="noreferrer" target="_blank">http://app-server/</a>;<br>
> }<br>
><br>
> location / {<br>
> # REMOVED BUT THIS WORKS:<br>
> # include /usr/local/nginx/naxsi.rules.<wbr>not_so_strict;<br>
> set $ruleSet "strict";<br>
> if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_<wbr>2TRUSTED_CC_3) ) {<br>
> set $ruleSet "not_so_strict";<br>
> }<br>
><br>
> rewrite ^(.*)$ /$ruleSet$1 last;<br>
> }<br>
><br>
> location /RequestDenied {<br>
> return 403;<br>
> }<br>
><br>
><br>
> The naxsi.rules.strict file contains the check rules:<br>
> CheckRule "$SQL >= 8" BLOCK;<br>
> etc.<br>
><br>
> For some reason this doesn't work. The syntax is ok, and I can reload Nginx. However the firewall never triggers. If I uncomment the include in the location-block / it works perfectly.<br>
> Any ideas why this doesn't work, or any better setup to use different rulesets based on some variables?<br>
><br>
> Thanks,<br>
><br>
> JP<br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
<br>
</blockquote></div><br></div></div>