Different Naxsi rulesets

Aziz Rozyev arozyev at nginx.com
Mon Nov 13 19:30:30 UTC 2017 

hello,

how about logs? does naxisi provide any variables that can be monitored?

so far it seems that your rules in ‘strict|relaxed’ are not triggering, the ‘default’
one will always hit (as expected), as it’s first location ‘/‘ from where you route to other 2 locations.

also, try to log in debug mode, may be that will give more insights.

br,
Aziz.





> On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar <hemelaar at desikkel.nl> wrote:
> 
> Hi,
> 
> I have updated the config to use 'map' instead of the if-statements. That's indeed a better way.
> The problem however remains:
> 
> - Naxsi mainrules are in the http-block
> - Config similar to:
> 
>     map $geoip_country_code $ruleSetCC {
>         default "strict";
>         CC1 "relaxed";
>         CC2 "relaxed";
>     }
> 
>     location /strict/ {
>        include /usr/local/nginx/naxsi.rules.strict;
> 
>        proxy_pass  http://app-server/;
>     }
> 
>     location /relaxed/ {
>        include /usr/local/nginx/naxsi.rules.relaxed;
> 
>        proxy_pass  http://app-server/;
>     }
> 
>     location / {
>        include /usr/local/nginx/naxsi.rules.default;
> 
>        set $ruleSet $ruleSetCC;
>        rewrite ^(.*)$ /$ruleSet$1 last;
>     }
> 
> 
> It's always using naxsi.rules.default. If this line is removed it's not using any rules (pass-all). 
> 
> Thanks so far!
> 
> JP
> 
> 
> 
> 
> 
> On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <arozyev at nginx.com> wrote:
> At first glance config looks correct, so probably it’s something with naxi rulesets.
> Btw, why don’t you use maps?
> 
> map $geoip_coutnry_code $strictness {
>   default “strict";
>   CC_1    “not-so-strict";
>   CC_2    “not-so-strict";
>   # .. more country codes;
> }
> 
> # strict and not-so-strict locations
> 
> map $strictness $path {
>    "strict”         "/strict/";
>    "not-so-strict”  "/not-so-strict/“;
> }
> 
> location / {
>    return 302 $path;
>    # ..
> }
> 
> 
> br,
> Aziz.
> 
> 
> 
> 
> 
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl> wrote:
> >
> > T THIS WORKS:
> >      # include /usr/local/n
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list