Different Naxsi rulesets
Jean-Paul Hemelaar
hemelaar at desikkel.nl
Wed Nov 15 18:54:45 UTC 2017
Hi,
With help from the Naxsi maillist I found that my idea is indeed not
possible.
Naxsi doesn't process subrequests, so that's why it didn't work as I
expected.
It seems to be on the roadmap to change this behavior.
My workaround for now is to move the two rulesets into different server
blocks in Nginx:
- Server block 1, listening on port 8080, makes the decision to send the request
  to the strict or the not-strict Naxsi
- Server block 2, listening on port 8081, applies the strict rules
- Server block 3, listening on port 8082, applies the less-strict rules
This works!
Thanks for your help,
JP
On Mon, Nov 13, 2017 at 8:30 PM, Aziz Rozyev <arozyev at nginx.com> wrote:
> hello,
>
> how about logs? does Naxsi provide any variables that can be monitored?
>
> so far it seems that your rules in 'strict|relaxed' are not triggering;
> the 'default'
> one will always hit (as expected), as it's the first location '/' from where
> you route to the other 2 locations.
>
> also, try to log in debug mode, may be that will give more insights.
>
> br,
> Aziz.
>
> > On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar <hemelaar at desikkel.nl>
> wrote:
> >
> > Hi,
> >
> > I have updated the config to use 'map' instead of the if-statements.
> That's indeed a better way.
> > The problem however remains:
> >
> > - Naxsi mainrules are in the http-block
> > - Config similar to:
> >
> > map $geoip_country_code $ruleSetCC {
> >     default "strict";
> >     CC1     "relaxed";
> >     CC2     "relaxed";
> > }
> >
> > location /strict/ {
> >     include /usr/local/nginx/naxsi.rules.strict;
> >
> >     proxy_pass http://app-server/;
> > }
> >
> > location /relaxed/ {
> >     include /usr/local/nginx/naxsi.rules.relaxed;
> >
> >     proxy_pass http://app-server/;
> > }
> >
> > location / {
> >     include /usr/local/nginx/naxsi.rules.default;
> >
> >     set $ruleSet $ruleSetCC;
> >     rewrite ^(.*)$ /$ruleSet$1 last;
> > }
> >
> >
> > It's always using naxsi.rules.default. If this line is removed it's not
> using any rules (pass-all).
> >
> > Thanks so far!
> >
> > JP
> >
> >
> > On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <arozyev at nginx.com> wrote:
> > At first glance the config looks correct, so probably it's something with
> the Naxsi rulesets.
> > Btw, why don’t you use maps?
> >
> > map $geoip_country_code $strictness {
> >     default "strict";
> >     CC_1    "not-so-strict";
> >     CC_2    "not-so-strict";
> >     # .. more country codes;
> > }
> >
> > # strict and not-so-strict locations
> >
> > map $strictness $path {
> >     "strict"        "/strict/";
> >     "not-so-strict" "/not-so-strict/";
> > }
> >
> > location / {
> >     return 302 $path;
> >     # ..
> > }
> >
> >
> > br,
> > Aziz.
> >
> > > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <hemelaar at desikkel.nl>
> wrote:
> > >
> > > T THIS WORKS:
> > > # include /usr/local/n
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> >
>
>
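The three-server-block workaround JP describes at the top of this message, written out as a complete nginx configuration. This is an example added to this page; it is not JP's actual config and not anything shipped by the Naxsi project. Assumptions not in the thread: the ports 8080/8081/8082 and the rules file names are taken from the thread, but naxsi_core.rules is assumed to live at the path shown, the strict/relaxed files are assumed to hold only CheckRule/BasicRule lines (SecRulesEnabled and DeniedUrl are given inline), "app-server" is assumed to resolve, CC1/CC2 stand for the real ISO country codes, and nginx is assumed to be built with the geoip and realip modules. The one addition a practitioner would insist on is that blocks 2 and 3 listen on loopback only; otherwise a client can connect to port 8082 directly and skip the decision made on 8080.

```nginx
# Added example: one nginx instance, three server blocks.
# Block 1 only decides; blocks 2 and 3 run Naxsi with different rule files.

http {
    # MainRule definitions belong in http scope (naxsi_core.rules path assumed).
    include /usr/local/nginx/naxsi_core.rules;

    # Provides $geoip_country_code from $remote_addr (database path assumed).
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # The decision: which Naxsi profile a client gets, keyed on country code.
    # CC1/CC2 are placeholders for the real ISO codes to be relaxed.
    map $geoip_country_code $naxsi_tier {
        default strict;
        CC1     relaxed;
        CC2     relaxed;
    }

    # Named groups so block 1 can pick the target with a variable.
    upstream naxsi_strict  { server 127.0.0.1:8081; }
    upstream naxsi_relaxed { server 127.0.0.1:8082; }

    # Server block 1: public entry point. No Naxsi here, it only routes.
    server {
        listen 8080;

        location / {
            # Variable upstream name: resolved against the upstream blocks above.
            # No URI part, so the original request URI and body pass unchanged.
            proxy_pass http://naxsi_$naxsi_tier;
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # Server block 2: strict profile. Loopback only, so the decision in
    # block 1 cannot be bypassed by connecting to 8081 from outside.
    server {
        listen 127.0.0.1:8081;

        # Trust only block 1 for the client address, so Naxsi logs and any
        # IP-based rules see the real client instead of 127.0.0.1.
        set_real_ip_from 127.0.0.1;
        real_ip_header   X-Real-IP;

        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            include /usr/local/nginx/naxsi.rules.strict;   # CheckRule/BasicRule lines (assumed)
            proxy_pass http://app-server/;
        }

        # Internal-only target for blocked requests.
        location /RequestDenied {
            internal;
            return 403;
        }
    }

    # Server block 3: relaxed profile, same shape, looser rules file.
    server {
        listen 127.0.0.1:8082;

        set_real_ip_from 127.0.0.1;
        real_ip_header   X-Real-IP;

        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            include /usr/local/nginx/naxsi.rules.relaxed;  # CheckRule/BasicRule lines (assumed)
            proxy_pass http://app-server/;
        }

        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Check it with `nginx -t` before reloading, and then verify the bypass protection from another host: a connection to port 8082 must be refused, while the same request to 8080 from a CC1 address must show up in the Naxsi log of block 3, not block 2. Two caveats: the map keys on $geoip_country_code, which comes from $remote_addr, so if the 8080 listener itself sits behind a load balancer it needs its own set_real_ip_from/real_ip_header or every client will be classified by the balancer's country; and a client who can spoof the country (VPN, proxy) gets the relaxed profile, so the relaxed file should still carry the rules you cannot afford to lose.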