Re: Different Naxsi rulesets
Hi,

With help from the Naxsi maillist I found that my idea is indeed not possible. Naxsi doesn't process subrequests, so that's why it didn't work as I expected. It seems to be on the roadmap to change this behavior.

My workaround for now is to move the two rulesets into different server blocks in Nginx:

Serverblock 1 listening on port 8080 makes the decision to send the request to the strict or not-strict Naxsi
Serverblock 2 listening on port 8081 applies the strict rules
Serverblock 3 listening on port 8082 applies the less-strict rules

This works!

Thanks for your help,

JP

On Mon, Nov 13, 2017 at 8:30 PM, Aziz Rozyev wrote:

> hello,
>
> how about logs? does naxsi provide any variables that can be monitored?
>
> so far it seems that your rules in 'strict|relaxed' are not triggering, the 'default'
> one will always hit (as expected), as it's first location '/' from where you route to other 2 locations.
>
> also, try to log in debug mode, maybe that will give more insights.
>
> br,
> Aziz.

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
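The three-server-block workaround described in the message above, sketched as an nginx configuration. This is an added example, not the poster's actual config: the loopback addresses, the `$naxsi_backend` variable and the `X-Real-IP` header are assumptions, while the include paths, `app-server`, `CC1`/`CC2` and `/RequestDenied` come from the configs quoted in the thread.

```nginx
# Added example. Goes inside the http {} block, where the Naxsi MainRules
# are already loaded (as stated in the thread). Assumes geoip_country is
# configured so that $geoip_country_code is populated.
# $naxsi_backend is a hypothetical variable name; CC1/CC2 are the thread's
# placeholder country codes.
map $geoip_country_code $naxsi_backend {
    default 127.0.0.1:8081;   # strict ruleset
    CC1     127.0.0.1:8082;   # relaxed ruleset
    CC2     127.0.0.1:8082;
}

# Server block 1: no Naxsi rules here, it only chooses the ruleset.
server {
    listen 8080;
    location / {
        proxy_set_header Host      $host;
        # The inner servers see 127.0.0.1 as the peer; pass the client
        # address along so it can be logged there (assumed header name).
        proxy_set_header X-Real-IP $remote_addr;
        # Value is an IP literal, so no resolver is required.
        proxy_pass http://$naxsi_backend;
    }
}

# Server block 2: strict rules. Bound to loopback so a client cannot
# connect to a ruleset port directly and skip the decision made on 8080.
server {
    listen 127.0.0.1:8081;
    location / {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}

# Server block 3: less-strict rules, also loopback only.
server {
    listen 127.0.0.1:8082;
    location / {
        include /usr/local/nginx/naxsi.rules.relaxed;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}
```

Each inner server receives a normal proxied request rather than an internal rewrite, so the rules included in its `location /` are the ones evaluated. If ports 8081 and 8082 must listen on a routable address instead, restrict them with a firewall or `allow`/`deny` so the relaxed ruleset cannot be selected from outside.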
Re: Different Naxsi rulesets
hello,

how about logs? does naxsi provide any variables that can be monitored?

so far it seems that your rules in 'strict|relaxed' are not triggering, the 'default'
one will always hit (as expected), as it's first location '/' from where you route to other 2 locations.

also, try to log in debug mode, maybe that will give more insights.

br,
Aziz.

> On 13 Nov 2017, at 21:47, Jean-Paul Hemelaar wrote:
>
> Hi,
>
> I have updated the config to use 'map' instead of the if-statements. That's indeed a better way.
> The problem however remains:
>
> - Naxsi mainrules are in the http-block
> - Config similar to:
>
> map $geoip_country_code $ruleSetCC {
>     default "strict";
>     CC1 "relaxed";
>     CC2 "relaxed";
> }
>
> location /strict/ {
>     include /usr/local/nginx/naxsi.rules.strict;
>
>     proxy_pass http://app-server/;
> }
>
> location /relaxed/ {
>     include /usr/local/nginx/naxsi.rules.relaxed;
>
>     proxy_pass http://app-server/;
> }
>
> location / {
>     include /usr/local/nginx/naxsi.rules.default;
>
>     set $ruleSet $ruleSetCC;
>     rewrite ^(.*)$ /$ruleSet$1 last;
> }
>
> It's always using naxsi.rules.default. If this line is removed it's not using any rules (pass-all).
>
> Thanks so far!
>
> JP
Re: Different Naxsi rulesets
Hi,

I have updated the config to use 'map' instead of the if-statements. That's indeed a better way.
The problem however remains:

- Naxsi mainrules are in the http-block
- Config similar to:

map $geoip_country_code $ruleSetCC {
    default "strict";
    CC1 "relaxed";
    CC2 "relaxed";
}

location /strict/ {
    include /usr/local/nginx/naxsi.rules.strict;

    proxy_pass http://app-server/;
}

location /relaxed/ {
    include /usr/local/nginx/naxsi.rules.relaxed;

    proxy_pass http://app-server/;
}

location / {
    include /usr/local/nginx/naxsi.rules.default;

    set $ruleSet $ruleSetCC;
    rewrite ^(.*)$ /$ruleSet$1 last;
}

It's always using naxsi.rules.default. If this line is removed it's not using any rules (pass-all).

Thanks so far!

JP

On Mon, Nov 13, 2017 at 2:14 PM, Aziz Rozyev wrote:

> At first glance config looks correct, so probably it's something with naxsi rulesets.
> Btw, why don't you use maps?
>
> map $geoip_country_code $strictness {
>     default "strict";
>     CC_1 "not-so-strict";
>     CC_2 "not-so-strict";
>     # .. more country codes;
> }
>
> # strict and not-so-strict locations
>
> map $strictness $path {
>     "strict" "/strict/";
>     "not-so-strict" "/not-so-strict/";
> }
>
> location / {
>     return 302 $path;
>     # ..
> }
>
> br,
> Aziz.
Re: Different Naxsi rulesets
At first glance config looks correct, so probably it's something with naxsi rulesets.
Btw, why don't you use maps?

map $geoip_country_code $strictness {
    default "strict";
    CC_1 "not-so-strict";
    CC_2 "not-so-strict";
    # .. more country codes;
}

# strict and not-so-strict locations

map $strictness $path {
    "strict" "/strict/";
    "not-so-strict" "/not-so-strict/";
}

location / {
    return 302 $path;
    # ..
}

br,
Aziz.

> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar wrote:
>
> T THIS WORKS:
> # include /usr/local/n
Re: Different Naxsi rulesets
Hi Aziz,

True; this got lost during my copy-anonymize-paste process. The real config doesn't have this.

Thanks so far,

JP

On Sun, Nov 12, 2017 at 2:34 PM, Aziz Rozyev wrote:

> at least you're missing or (|) operator between
>
> > TRUSTED_CC_2 and TRUSTED_CC_3
>
> br,
> Aziz.
Re: Different Naxsi rulesets
at least you're missing or (|) operator between

> TRUSTED_CC_2 and TRUSTED_CC_3

br,
Aziz.

> On 12 Nov 2017, at 14:03, Jean-Paul Hemelaar wrote:
>
> Hi!
>
> I'm using Nginx together with Naxsi; so not sure if this is the correct place for this post, but I'll give it a try.
>
> I want to configure two detection thresholds: a strict detection threshold for 'far away countries', and a less-strict set
> for local countries. I'm using a setup like:
>
> location /strict/ {
>     include /usr/local/nginx/naxsi.rules.strict;
>
>     proxy_pass http://app-server/;
> }
>
> location /not_so_strict/ {
>     include /usr/local/nginx/naxsi.rules.not_so_strict;
>
>     proxy_pass http://app-server/;
> }
>
> location / {
>     # REMOVED BUT THIS WORKS:
>     # include /usr/local/nginx/naxsi.rules.not_so_strict;
>     set $ruleSet "strict";
>     if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) ) {
>         set $ruleSet "not_so_strict";
>     }
>
>     rewrite ^(.*)$ /$ruleSet$1 last;
> }
>
> location /RequestDenied {
>     return 403;
> }
>
> The naxsi.rules.strict file contains the check rules:
> CheckRule "$SQL >= 8" BLOCK;
> etc.
>
> For some reason this doesn't work. The syntax is ok, and I can reload Nginx. However the firewall never triggers. If I uncomment the include in the location-block / it works perfectly.
> Any ideas why this doesn't work, or any better setup to use different rulesets based on some variables?
>
> Thanks,
>
> JP