Hi,

With help from the Naxsi maillist I found that my idea is indeed not possible. Naxsi doesn't process subrequests, so that's why it didn't work as I expected. It seems to be on the roadmap to change this behavior.

My workaround for now is to move the two rulesets into different server blocks in Nginx:

Serverblock 1 listening on port 8080 makes the decision to send the request to the strict or not-strict Naxsi
Serverblock 2 listening on port 8081 applies the strict rules
Serverblock 3 listening on port 8082 applies the less-strict rules

This works!

Thanks for your help,

JP

On Mon, Nov 13, 2017 at 8:30 PM, Aziz Rozyev <[email protected]> wrote:

> hello,
>
> how about logs? does Naxsi provide any variables that can be monitored?
>
> so far it seems that your rules in 'strict|relaxed' are not triggering, the 'default'
> one will always hit (as expected), as it's first location '/' from where you route to other 2 locations.
>
> also, try to log in debug mode, maybe that will give more insights.
>
> br,
> Aziz.
>
> > On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar <[email protected]> wrote:
> >
> > Hi,
> >
> > I have updated the config to use 'map' instead of the if-statements. That's indeed a better way.
> > The problem however remains:
> >
> > - Naxsi mainrules are in the http-block
> > - Config similar to:
> >
> > map $geoip_country_code $ruleSetCC {
> >     default "strict";
> >     CC1 "relaxed";
> >     CC2 "relaxed";
> > }
> >
> > location /strict/ {
> >     include /usr/local/nginx/naxsi.rules.strict;
> >
> >     proxy_pass http://app-server/;
> > }
> >
> > location /relaxed/ {
> >     include /usr/local/nginx/naxsi.rules.relaxed;
> >
> >     proxy_pass http://app-server/;
> > }
> >
> > location / {
> >     include /usr/local/nginx/naxsi.rules.default;
> >
> >     set $ruleSet $ruleSetCC;
> >     rewrite ^(.*)$ /$ruleSet$1 last;
> > }
> >
> > It's always using naxsi.rules.default. If this line is removed it's not using any rules (pass-all).
> >
> > Thanks so far!
> >
> > JP
> >
> > On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev <[email protected]> wrote:
> > At first glance config looks correct, so probably it's something with Naxsi rulesets.
> > Btw, why don't you use maps?
> >
> > map $geoip_country_code $strictness {
> >     default "strict";
> >     CC_1 "not-so-strict";
> >     CC_2 "not-so-strict";
> >     # .. more country codes;
> > }
> >
> > # strict and not-so-strict locations
> >
> > map $strictness $path {
> >     "strict" "/strict/";
> >     "not-so-strict" "/not-so-strict/";
> > }
> >
> > location / {
> >     return 302 $path;
> >     # ..
> > }
> >
> > br,
> > Aziz.
> >
> > > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar <[email protected]> wrote:
> > >
> > > T THIS WORKS:
> > > # include /usr/local/n
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
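
The three-server-block workaround described at the top of this message, written out as an added example that is not part of the original post or the poster's actual config. The `$naxsi_backend` variable, the loopback-only `listen` addresses, and the `X-Real-IP` / realip handling are assumptions; ports, include paths, `app-server` and the `CC1`/`CC2` placeholders come from the thread.

```nginx
# Goes in the http{} context. Assumes the Naxsi main rules and the GeoIP
# country database are already configured there, as in the thread.

# Hypothetical variable: selects the inner server block per country code.
map $geoip_country_code $naxsi_backend {
    default 127.0.0.1:8081;   # strict
    CC1     127.0.0.1:8082;   # less strict
    CC2     127.0.0.1:8082;
}

# Server block 1: only makes the routing decision, no Naxsi rules here.
server {
    listen 8080;
    location / {
        proxy_set_header Host      $host;
        # Overwrite any client-supplied X-Real-IP before forwarding.
        proxy_set_header X-Real-IP $remote_addr;
        # Forwarded as a new proxied request, so the inner block's
        # Naxsi rules are applied to it.
        proxy_pass http://$naxsi_backend;
    }
}

# Server block 2: strict rules. Loopback-only (assumption) so clients
# cannot connect to it directly.
server {
    listen 127.0.0.1:8081;
    set_real_ip_from 127.0.0.1;    # needs ngx_http_realip_module
    real_ip_header   X-Real-IP;    # keeps the client IP in Naxsi logs
    location / {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }
}

# Server block 3: less-strict rules. Loopback-only (assumption) so a
# client cannot pick the relaxed ruleset by connecting to port 8082.
server {
    listen 127.0.0.1:8082;
    set_real_ip_from 127.0.0.1;
    real_ip_header   X-Real-IP;
    location / {
        include /usr/local/nginx/naxsi.rules.relaxed;
        proxy_pass http://app-server/;
    }
}
```

If the inner blocks must listen on a non-loopback address, restrict ports 8081 and 8082 with `allow`/`deny` or a host firewall so only the front block can reach them.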
