Re: Different Naxsi rulesets

2017-11-15 Thread Jean-Paul Hemelaar
Hi,

With help from the Naxsi maillist I found that my idea is indeed not
possible.
Naxsi doesn't process subrequests, so that's why it didn't work as I
expected.
It seems to be on the roadmap to change this behavior.

My workaround for now is to move the two rulesets into different server
blocks in Nginx:

Serverblock 1 listening on port 8080 makes the decision to send the request
to the strict or not-strict Naxsi
Serverblock 2 listening on port 8081 applies the strict rules
Serverblock 3 listening on port 8082 applies the less-strict rules

This works!

Thanks for your help,

JP



On Mon, Nov 13, 2017 at 8:30 PM, Aziz Rozyev  wrote:

> hello,
>
> how about logs? does Naxsi provide any variables that can be monitored?
>
> so far it seems that your rules in ‘strict|relaxed’ are not triggering,
> the ‘default’ one will always hit (as expected), as it’s first location
> ‘/’ from where you route to other 2 locations.
>
> also, try to log in debug mode, maybe that will give more insights.
>
> br,
> Aziz.
>
>
>
>
>
> > On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar wrote:
> >
> > Hi,
> >
> > I have updated the config to use 'map' instead of the if-statements.
> > That's indeed a better way.
> > The problem however remains:
> >
> > - Naxsi mainrules are in the http-block
> > - Config similar to:
> >
> > map $geoip_country_code $ruleSetCC {
> > default "strict";
> > CC1 "relaxed";
> > CC2 "relaxed";
> > }
> >
> > location /strict/ {
> >    include /usr/local/nginx/naxsi.rules.strict;
> >
> >    proxy_pass  http://app-server/;
> > }
> >
> > location /relaxed/ {
> >    include /usr/local/nginx/naxsi.rules.relaxed;
> >
> >    proxy_pass  http://app-server/;
> > }
> >
> > location / {
> >    include /usr/local/nginx/naxsi.rules.default;
> >
> >    set $ruleSet $ruleSetCC;
> >    rewrite ^(.*)$ /$ruleSet$1 last;
> > }
> >
> >
> > It's always using naxsi.rules.default. If this line is removed it's not
> > using any rules (pass-all).
> >
> > Thanks so far!
> >
> > JP
> >
> >
> >
> >
> >
> > On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev  wrote:
> > At first glance config looks correct, so probably it’s something with
> > Naxsi rulesets.
> > Btw, why don’t you use maps?
> >
> > map $geoip_country_code $strictness {
> >   default "strict";
> >   CC_1    "not-so-strict";
> >   CC_2    "not-so-strict";
> >   # .. more country codes;
> > }
> >
> > # strict and not-so-strict locations
> >
> > map $strictness $path {
> >    "strict"        "/strict/";
> >    "not-so-strict" "/not-so-strict/";
> > }
> >
> > location / {
> >    return 302 $path;
> >    # ..
> > }
> >
> >
> > br,
> > Aziz.
> >
> >
> >
> >
> >
> > > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar wrote:
> > >
> > > T THIS WORKS:
> > >  # include /usr/local/n
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
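
The three-server-block workaround described in the message above, written out as an added example (not configuration posted in the thread). The file paths, CC1/CC2 placeholders, app-server and /RequestDenied come from the thread; the loopback binding of the inner listeners, the forwarded headers and the variable name $naxsi_listener are assumptions.

```nginx
# Added example, not the poster's config. Belongs inside the http {} block,
# where the Naxsi MainRules and the GeoIP country database are already
# loaded (as stated in the thread).

# Choose the inner listener per country. CC1/CC2 are the thread's placeholders.
map $geoip_country_code $naxsi_listener {   # variable name is an assumption
    default "127.0.0.1:8081";               # strict rules
    CC1     "127.0.0.1:8082";               # less-strict rules
    CC2     "127.0.0.1:8082";
}

# Server block 1: only decides where to send the request, no Naxsi rules.
server {
    listen 8080;

    location / {
        # Proxying opens a new request to the inner listener, unlike the
        # rewrite in the earlier config, which stayed inside one request.
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://$naxsi_listener;  # no URI part: original URI is kept
    }
}

# Server block 2: strict rules. Bound to loopback (assumption) so a client
# cannot connect to a ruleset listener directly and skip the decision above.
server {
    listen 127.0.0.1:8081;

    location / {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}

# Server block 3: less-strict rules, same layout.
server {
    listen 127.0.0.1:8082;

    location / {
        include /usr/local/nginx/naxsi.rules.relaxed;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}
```

The inner servers see 127.0.0.1 as the client address, so Naxsi log entries need the forwarded X-Real-IP value to identify the original client.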

Re: Different Naxsi rulesets

2017-11-13 Thread Aziz Rozyev
hello,

how about logs? does Naxsi provide any variables that can be monitored?

so far it seems that your rules in ‘strict|relaxed’ are not triggering, the
‘default’ one will always hit (as expected), as it’s first location ‘/’ from
where you route to other 2 locations.

also, try to log in debug mode, maybe that will give more insights.

br,
Aziz.





> On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar  wrote:
> 
> Hi,
> 
> I have updated the config to use 'map' instead of the if-statements. That's 
> indeed a better way.
> The problem however remains:
> 
> - Naxsi mainrules are in the http-block
> - Config similar to:
> 
> map $geoip_country_code $ruleSetCC {
> default "strict";
> CC1 "relaxed";
> CC2 "relaxed";
> }
> 
> location /strict/ {
>    include /usr/local/nginx/naxsi.rules.strict;
>
>    proxy_pass  http://app-server/;
> }
>
> location /relaxed/ {
>    include /usr/local/nginx/naxsi.rules.relaxed;
>
>    proxy_pass  http://app-server/;
> }
>
> location / {
>    include /usr/local/nginx/naxsi.rules.default;
>
>    set $ruleSet $ruleSetCC;
>    rewrite ^(.*)$ /$ruleSet$1 last;
> }
> 
> 
> It's always using naxsi.rules.default. If this line is removed it's not using 
> any rules (pass-all). 
> 
> Thanks so far!
> 
> JP
> 
> 
> 
> 
> 
> On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev  wrote:
> At first glance config looks correct, so probably it’s something with Naxsi
> rulesets.
> Btw, why don’t you use maps?
>
> map $geoip_country_code $strictness {
>   default "strict";
>   CC_1    "not-so-strict";
>   CC_2    "not-so-strict";
>   # .. more country codes;
> }
>
> # strict and not-so-strict locations
>
> map $strictness $path {
>    "strict"        "/strict/";
>    "not-so-strict" "/not-so-strict/";
> }
>
> location / {
>    return 302 $path;
>    # ..
> }
> 
> 
> br,
> Aziz.
> 
> 
> 
> 
> 
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar  wrote:
> >
> > T THIS WORKS:
> >  # include /usr/local/n

Re: Different Naxsi rulesets

2017-11-13 Thread Jean-Paul Hemelaar
Hi,

I have updated the config to use 'map' instead of the if-statements. That's
indeed a better way.
The problem however remains:

- Naxsi mainrules are in the http-block
- Config similar to:

map $geoip_country_code $ruleSetCC {
default "strict";
CC1 "relaxed";
CC2 "relaxed";
}

location /strict/ {
   include /usr/local/nginx/naxsi.rules.strict;

   proxy_pass  http://app-server/;
}

location /relaxed/ {
   include /usr/local/nginx/naxsi.rules.relaxed;

   proxy_pass  http://app-server/;
}

location / {
   include /usr/local/nginx/naxsi.rules.default;

   set $ruleSet $ruleSetCC;
   rewrite ^(.*)$ /$ruleSet$1 last;
}


It's always using naxsi.rules.default. If this line is removed it's not
using any rules (pass-all).

Thanks so far!

JP





On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev  wrote:

> At first glance config looks correct, so probably it’s something with Naxsi
> rulesets.
> Btw, why don’t you use maps?
>
> map $geoip_country_code $strictness {
>   default "strict";
>   CC_1    "not-so-strict";
>   CC_2    "not-so-strict";
>   # .. more country codes;
> }
>
> # strict and not-so-strict locations
>
> map $strictness $path {
>    "strict"        "/strict/";
>    "not-so-strict" "/not-so-strict/";
> }
>
> location / {
>    return 302 $path;
>    # ..
> }
>
>
> br,
> Aziz.
>
>
>
>
>
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar wrote:
> >
> > T THIS WORKS:
> >  # include /usr/local/n

Re: Different Naxsi rulesets

2017-11-13 Thread Aziz Rozyev
At first glance config looks correct, so probably it’s something with Naxsi
rulesets.
Btw, why don’t you use maps?

map $geoip_country_code $strictness {
  default "strict";
  CC_1    "not-so-strict";
  CC_2    "not-so-strict";
  # .. more country codes;
}

# strict and not-so-strict locations

map $strictness $path {
   "strict"        "/strict/";
   "not-so-strict" "/not-so-strict/";
}

location / {
   return 302 $path;
   # ..
}
 

br,
Aziz.





> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar  wrote:
> 
> T THIS WORKS:
>  # include /usr/local/n


Re: Different Naxsi rulesets

2017-11-12 Thread Jean-Paul Hemelaar
Hi Aziz,

True; this got lost during my copy-anonymize-paste process. The real config
doesn't have this.

Thanks so far,

JP

On Sun, Nov 12, 2017 at 2:34 PM, Aziz Rozyev  wrote:

> at least you’re missing or (|) operator between
>
> > TRUSTED_CC_2  and TRUSTED_CC_3
>
>
>
> br,
> Aziz.
>
>
>
>
>
> > On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar wrote:
> >
> > Hi!
> >
> > I'm using Nginx together with Naxsi; so not sure if this is the correct
> > place for this post, but I'll give it a try.
> >
> > I want to configure two detection thresholds: a strict detection
> > threshold for 'far away countries', and a less-strict set
> > for local countries. I'm using a setup like:
> >
> > location /strict/ {
> >  include /usr/local/nginx/naxsi.rules.strict;
> >
> >  proxy_pass  http://app-server/;
> > }
> >
> > location /not_so_strict/ {
> >  include /usr/local/nginx/naxsi.rules.not_so_strict;
> >
> >  proxy_pass  http://app-server/;
> > }
> >
> > location / {
> >  # REMOVED BUT THIS WORKS:
> >  # include /usr/local/nginx/naxsi.rules.not_so_strict;
> >  set $ruleSet "strict";
> >  if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) ) {
> >    set $ruleSet "not_so_strict";
> >  }
> >
> >  rewrite ^(.*)$ /$ruleSet$1 last;
> > }
> >
> > location /RequestDenied {
> >  return 403;
> > }
> >
> >
> > The naxsi.rules.strict file contains the check rules:
> > CheckRule "$SQL >= 8" BLOCK;
> > etc.
> >
> > For some reason this doesn't work. The syntax is ok, and I can reload
> > Nginx. However the firewall never triggers. If I uncomment the include in
> > the location-block / it works perfectly.
> > Any ideas why this doesn't work, or any better setup to use different
> > rulesets based on some variables?
> >
> > Thanks,
> >
> > JP
> >

Re: Different Naxsi rulesets

2017-11-12 Thread Aziz Rozyev
at least you’re missing or (|) operator between 

> TRUSTED_CC_2  and TRUSTED_CC_3



br,
Aziz.





> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar  wrote:
> 
> Hi!
> 
> I'm using Nginx together with Naxsi; so not sure if this is the correct place
> for this post, but I'll give it a try.
> 
> I want to configure two detection thresholds: a strict detection threshold 
> for 'far away countries', and a less-strict set
> for local countries. I'm using a setup like:
> 
> location /strict/ {
>  include /usr/local/nginx/naxsi.rules.strict;
> 
>  proxy_pass  http://app-server/;
> }
> 
> location /not_so_strict/ {
>  include /usr/local/nginx/naxsi.rules.not_so_strict;
> 
>  proxy_pass  http://app-server/;
> }
> 
> location / {
>  # REMOVED BUT THIS WORKS:
>  # include /usr/local/nginx/naxsi.rules.not_so_strict;
>  set $ruleSet "strict";
>  if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) ) {
>    set $ruleSet "not_so_strict";
>  }
>
>  rewrite ^(.*)$ /$ruleSet$1 last;
> }
>
> location /RequestDenied {
>  return 403;
> }
> 
> 
> The naxsi.rules.strict file contains the check rules:
> CheckRule "$SQL >= 8" BLOCK;
> etc.
> 
> For some reason this doesn't work. The syntax is ok, and I can reload Nginx. 
> However the firewall never triggers. If I uncomment the include in the 
> location-block / it works perfectly.
> Any ideas why this doesn't work, or any better setup to use different
> rulesets based on some variables?
> 
> Thanks,
> 
> JP
> 