Different Naxsi rulesets
Aziz Rozyev
arozyev at nginx.com
Mon Nov 13 19:30:30 UTC 2017
Hello,
How about logs? Does Naxsi provide any variables that can be monitored?
So far it seems that your rules in 'strict|relaxed' are not triggering; the 'default'
one will always hit (as expected), as it's the first location '/' from where you route to the other 2 locations.
Also, try to log in debug mode; maybe that will give more insights.
br,
Aziz.
> On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar <hemelaar at desikkel.nl> wrote:
>
> Hi,
>
> I have updated the config to use 'map' instead of the if-statements. That's indeed a better way.
> The problem however remains:
>
> - Naxsi mainrules are in the http-block
> - Config similar to:
>
> map $geoip_country_code $ruleSetCC {
> default "strict";
> CC1 "relaxed";
> CC2 "relaxed";
> }
>
> location /strict/ {
> include /usr/local/nginx/naxsi.rules.strict;
>
> proxy_pass http://app-server/;
> }
>
> location /relaxed/ {
> include /usr/local/nginx/naxsi.rules.relaxed;
>
> proxy_pass http://app-server/;
> }
>
> location / {
> include /usr/local/nginx/naxsi.rules.default;
>
> set $ruleSet $ruleSetCC;
> rewrite ^(.*)$ /$ruleSet$1 last;
> }
>
>
> It's always using naxsi.rules.default. If this line is removed it's not using any rules (pass-all).
>
> Thanks so far!
>
> JP
>
>
>
>
>
> On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <arozyev at nginx.com> wrote:
> At first glance the config looks correct, so probably it's something with the Naxsi rulesets.
> Btw, why don’t you use maps?
>
> map $geoip_country_code $strictness {
> default "strict";
> CC_1 "not-so-strict";
> CC_2 "not-so-strict";
> # .. more country codes;
> }
>
> # strict and not-so-strict locations
>
> map $strictness $path {
> "strict" "/strict/";
> "not-so-strict" "/not-so-strict/";
> }
>
> location / {
> return 302 $path;
> # ..
> }
>
>
> br,
> Aziz.
>
>
>
>
>
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl> wrote:
> >
> > T THIS WORKS:
> > # include /usr/local/n
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
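One way to act on the logging suggestion above, as an added example that is not part of the original thread: a per-location access log plus rewrite logging shows which location, and therefore which Naxsi include, handled each request. The log file paths and the log_format name "ruleset_trace" are assumptions; the map, locations and include paths are the ones quoted in the thread, and the geoip and Naxsi MainRule setup is assumed to be in the http block already.

```nginx
# Added diagnostic example; log paths and "ruleset_trace" are assumed names.
# Place in the http block, next to the existing Naxsi MainRule include.
map $geoip_country_code $ruleSetCC {
    default "strict";
    CC1     "relaxed";
    CC2     "relaxed";
}

# $request_uri is what the client sent; $uri is the URI after the rewrite,
# so a routed request is logged with e.g. uri=/strict/index.html
log_format ruleset_trace '$remote_addr cc=$geoip_country_code set=$ruleSetCC '
                         'request_uri=$request_uri uri=$uri status=$status';

server {
    # "debug" needs an nginx binary built with --with-debug; otherwise use "info".
    # Naxsi also writes its NAXSI_FMT match lines to the error log.
    error_log /var/log/nginx/ruleset_error.log debug;
    rewrite_log on;    # records the result of each rewrite at notice level

    location /strict/ {
        include /usr/local/nginx/naxsi.rules.strict;
        # The access log is written by the location where the request ends up
        access_log /var/log/nginx/ruleset_strict.log ruleset_trace;
        proxy_pass http://app-server/;
    }

    location /relaxed/ {
        include /usr/local/nginx/naxsi.rules.relaxed;
        access_log /var/log/nginx/ruleset_relaxed.log ruleset_trace;
        proxy_pass http://app-server/;
    }

    location / {
        include /usr/local/nginx/naxsi.rules.default;
        access_log /var/log/nginx/ruleset_default.log ruleset_trace;
        set $ruleSet $ruleSetCC;
        rewrite ^(.*)$ /$ruleSet$1 last;
    }
}
```

A request that was routed as intended appears in ruleset_strict.log or ruleset_relaxed.log with the rewritten uri, and the NAXSI_FMT lines in the error log for the same request show which rules matched.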