Different Naxsi rulesets
Jean-Paul Hemelaar
hemelaar at desikkel.nl
Sun Nov 12 11:03:47 UTC 2017
Hi!
I'm using Nginx together with Naxsi, so I'm not sure if this is the correct
place for this post, but I'll give it a try.
I want to configure two detection thresholds: a strict detection threshold
for 'far away countries', and a less-strict set
for local countries. I'm using a setup like:

    location /strict/ {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }

    location /not_so_strict/ {
        include /usr/local/nginx/naxsi.rules.not_so_strict;
        proxy_pass http://app-server/;
    }

    location / {
        # REMOVED BUT THIS WORKS:
        # include /usr/local/nginx/naxsi.rules.not_so_strict;

        # Default to the strict ruleset; relax it for trusted countries.
        set $ruleSet "strict";
        if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2|TRUSTED_CC_3) ) {
            set $ruleSet "not_so_strict";
        }

        # Internal rewrite to /strict/... or /not_so_strict/...
        rewrite ^(.*)$ /$ruleSet$1 last;
    }

    location /RequestDenied {
        return 403;
    }

The naxsi.rules.strict file contains the check rules:
    CheckRule "$SQL >= 8" BLOCK;
etc.
For some reason this doesn't work. The syntax is ok, and I can reload
Nginx. However the firewall never triggers. If I uncomment the include in
the location-block / it works perfectly.
Any ideas why this doesn't work, or any better setup to use different
rulesets based on some variables?
Thanks,
JP