Different Naxsi rulesets

Jean-Paul Hemelaar hemelaar at desikkel.nl
Mon Nov 13 18:47:09 UTC 2017


Hi,

I have updated the config to use 'map' instead of the if-statements. That's
indeed a better way.
The problem however remains:

- Naxsi mainrules are in the http-block
- Config similar to:

    map $geoip_country_code $ruleSetCC {
        default "strict";
        CC1 "relaxed";
        CC2 "relaxed";
    }

    location /strict/ {
        include /usr/local/nginx/naxsi.rules.strict;

        proxy_pass  http://app-server/;
    }

    location /relaxed/ {
        include /usr/local/nginx/naxsi.rules.relaxed;

        proxy_pass  http://app-server/;
    }

    location / {
        include /usr/local/nginx/naxsi.rules.default;

        set $ruleSet $ruleSetCC;
        rewrite ^(.*)$ /$ruleSet$1 last;
    }


It's always using naxsi.rules.default. If this line is removed it's not
using any rules (pass-all).

Thanks so far!

JP





On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <arozyev at nginx.com> wrote:

> At first glance the config looks correct, so probably it’s something with the naxsi
> rulesets.
> Btw, why don’t you use maps?
>
> map $geoip_country_code $strictness {
>   default "strict";
>   CC_1    "not-so-strict";
>   CC_2    "not-so-strict";
>   # .. more country codes;
> }
>
> # strict and not-so-strict locations
>
> map $strictness $path {
>    "strict"         "/strict/";
>    "not-so-strict"  "/not-so-strict/";
> }
>
> location / {
>    return 302 $path;
>    # ..
> }
>
>
> br,
> Aziz.
>
>
>
>
>
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl>
> wrote:
> >
> > T THIS WORKS:
> >      # include /usr/local/n