ReJeCtAll / naxsi

Automatically exported from code.google.com/p/naxsi

add directive to set trusted IP in learning mode #2

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I think it would be better if naxsi only learned the traffic from "trusted" IPs.

Original issue reported on code.google.com by delta....@gmail.com on 31 Aug 2011 at 11:40

GoogleCodeExporter commented 8 years ago
Hello,

Actually, I don't think putting naxsi in learning mode in production, on a site with "high" traffic, is a good idea because of the overhead of learning mode (even though I never tried it). The learning mode should be done "before".

But you have various ways to do so, mainly relying on nginx's power:

 - Make a netfilter rule that will direct users from specific IP(s) to a different nginx server (within nginx context), where learning mode would be enabled, and disable it for the other servers. (I think that's the most efficient in terms of performance.) For example, set up two identical nginx server directives, one with learning mode, the other one with no learning, on different ports, and redirect trusted IPs to the learning one?

 - Use nginx's access_module (http://wiki.nginx.org/HttpAccessModule) to limit valid IPs for naxsi's "learning" location. But by doing so, there will still be the "double request" induced by naxsi's learning mode.

 - Use nginx's GeoIP module to redirect the user according to its IP, to a different location (one with learning enabled, another without learning mode)

 - Issue a patch for http_config.py to add an option to filter "by source IP" (as this data is already passed with the request to http_config.py). (But this is quite "inefficient" in terms of performance.)

If this is still an issue, I might as well issue a patch to make naxsi support a "restricted" source IP for learning mode, but I feel like it's rewriting something that already exists in NGINX.

Thanks, and let me know if it satisfies you!

Original comment by ori...@gmail.com on 31 Aug 2011 at 3:17

GoogleCodeExporter commented 8 years ago
Actually, putting a configuration like the following one for your DeniedUrl seems to work well and limits the potential overhead induced by double requests, as it will stay internal to nginx:

    location /RequestDenied {
        allow x.x.x.x;      # the trusted source IP that may feed learning mode
        deny all;           # everyone else gets nginx's 403 here
        proxy_pass http://127.0.0.1:4242/;
    }

Original comment by ori...@gmail.com on 31 Aug 2011 at 5:17
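A fuller version of that configuration, added here as an illustration and not taken from the issue or from the naxsi project: a server block with naxsi in learning mode whose DeniedUrl location is restricted with allow/deny, so only the trusted address reaches the learning daemon (assumed to listen on 127.0.0.1:4242, as in the snippet above) while anyone else who trips a rule gets a 403 straight from nginx. The trusted address 203.0.113.10, the backend on 127.0.0.1:8080, the rule file path, the proxy range in the realip settings and the `internal` marker on the location are all assumptions for the example.

```nginx
# Added example (not from the issue or the naxsi project).
# Assumed: naxsi core rules at /etc/nginx/naxsi_core.rules, an application
# backend on 127.0.0.1:8080, the learning daemon on 127.0.0.1:4242, and
# 203.0.113.10 as the only host allowed to feed the learning daemon.

http {
    include       mime.types;
    include       /etc/nginx/naxsi_core.rules;   # naxsi MainRule signatures

    # "allow"/"deny" test $remote_addr. If nginx sits behind a reverse proxy
    # or load balancer that is the proxy's address, not the real client's.
    # Only ever trust the proxy's own range here: trusting 0.0.0.0/0 would let
    # any client forge X-Forwarded-For and claim the trusted learning IP.
    set_real_ip_from 10.0.0.0/8;                 # assumed front-proxy range
    real_ip_header   X-Forwarded-For;

    server {
        listen 80;
        server_name example.com;

        location / {
            SecRulesEnabled;            # enable naxsi for this location
            LearningMode;               # do not block; send matches to DeniedUrl
            DeniedUrl "/RequestDenied";

            # Score thresholds (assumed values) that trigger the DeniedUrl redirect
            CheckRule "$SQL >= 8"       BLOCK;
            CheckRule "$RFI >= 8"       BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4"     BLOCK;
            CheckRule "$XSS >= 8"       BLOCK;

            proxy_pass http://127.0.0.1:8080;
        }

        # Target of naxsi's internal redirect. Only the trusted address is
        # proxied to the learning daemon; everyone else gets a 403 from nginx
        # itself, so no second request is ever issued for untrusted traffic.
        location /RequestDenied {
            internal;                   # assumed: block direct hits on this path
            allow 203.0.113.10;
            deny  all;
            proxy_pass http://127.0.0.1:4242/;
        }
    }
}
```

Check the effect before trusting it: a request carrying an obvious signature (for example a query string containing `' or 1=1`) from 203.0.113.10 should show up in the learning daemon, while the same request from any other address should be answered with 403 and produce nothing in the daemon's log. If you do run behind a proxy, confirm with `$remote_addr` in the access log that the realip rewrite is actually taking effect, otherwise every client is "untrusted" and learning silently collects nothing.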

GoogleCodeExporter commented 8 years ago
Is this a valid fix for you?

Original comment by ori...@gmail.com on 23 Sep 2011 at 2:38

GoogleCodeExporter commented 8 years ago
I think adding a trusted IP can keep naxsi learning "clean" traffic.

And yes, deploying two nginx instances will fix it, but I think if naxsi supported a trusted IP, it would save a lot of people the time of setting up two nginx instances.

This is what computers are invented for.

Original comment by delta....@gmail.com on 23 Sep 2011 at 4:40

GoogleCodeExporter commented 8 years ago
Hello,

I think you misunderstood my answer. I was not saying that deploying two nginx instances is a solution, but that you should use nginx's allow directive in your /RequestDenied location.

In this way, only "trusted" IPs will be in learning mode, while others will just get your denied page.

Original comment by ori...@gmail.com on 4 Oct 2011 at 8:31