Different Naxsi rulesets

Aziz Rozyev arozyev at nginx.com
Sun Nov 12 13:34:08 UTC 2017


At least you’re missing an or (|) operator between

> TRUSTED_CC_2  and TRUSTED_CC_3



br,
Aziz.





> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl> wrote:
> 
> Hi!
> 
> I'm using Nginx together with Naxsi; so not sure if this is the correct place for this post, but I'll give it a try.
> 
> I want to configure two detection thresholds: a strict detection threshold for 'far away countries', and a less-strict set
> for local countries. I'm using a setup like:
> 
> location /strict/ {
>      include /usr/local/nginx/naxsi.rules.strict;
> 
>      proxy_pass  http://app-server/;
> }
> 
> location /not_so_strict/ {
>      include /usr/local/nginx/naxsi.rules.not_so_strict;
> 
>      proxy_pass  http://app-server/;
> }
> 
> location / {
>      # REMOVED BUT THIS WORKS:
>      # include /usr/local/nginx/naxsi.rules.not_so_strict;
>      set $ruleSet "strict";
>      if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) ) {
>         set $ruleSet "not_so_strict";
>      }
> 
>      rewrite ^(.*)$ /$ruleSet$1 last;
> }
> 
> location /RequestDenied {
>     return 403;
> }
> 
> 
> The naxsi.rules.strict file contains the check rules:
> CheckRule "$SQL >= 8" BLOCK;
> etc.
> 
> For some reason this doesn't work. The syntax is ok, and I can reload Nginx. However the firewall never triggers. If I uncomment the include in the location-block / it works perfectly.
> Any ideas why this doesn't work, or any better setup to use different rulesets based on some variables?
> 
> Thanks,
> 
> JP
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
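
An added example, not part of the original thread and not Naxsi project code: the country test from the quoted configuration with the missing `|` restored and the pattern anchored, followed by an equivalent `map` that uses exact string keys instead of a regex alternation. `TRUSTED_CC_1` to `TRUSTED_CC_3` are the poster's placeholders, and the placement of the `map` in the `http` block is an assumption about the surrounding configuration. It covers only the country match, not the other parts of the setup.

```nginx
# Variant A: the original "if" test, corrected.
# As posted, (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) has only two alternatives:
# "TRUSTED_CC_1" and the concatenation "TRUSTED_CC_2TRUSTED_CC_3". The second
# and third country codes therefore never match, and those clients keep
# $ruleSet = "strict".
# The ^...$ anchors make the test match a whole country code, because "~"
# otherwise matches anywhere inside the value.
location / {
    set $ruleSet "strict";
    if ($geoip_country_code ~ ^(TRUSTED_CC_1|TRUSTED_CC_2|TRUSTED_CC_3)$ ) {
        set $ruleSet "not_so_strict";
    }

    rewrite ^(.*)$ /$ruleSet$1 last;
}

# Variant B (use instead of Variant A, not together with it):
# declare the mapping once in the http block. Each trusted code is its own
# exact-match key, so a dropped separator cannot silently merge two entries,
# and every unlisted or empty country code falls through to "strict".
map $geoip_country_code $ruleSet {
    default       strict;
    TRUSTED_CC_1  not_so_strict;
    TRUSTED_CC_2  not_so_strict;
    TRUSTED_CC_3  not_so_strict;
}

# With Variant B the "set" and "if" lines are dropped from "location /",
# leaving only:
#     rewrite ^(.*)$ /$ruleSet$1 last;
```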


