Hello,
Actually, I don't think putting naxsi in learning mode, in production on a site with "high" traffic, is a good idea because of the overhead of learning mode (even though I never tried). The learning mode should be done "before".
But you have various ways to do so, mainly relying on nginx's power:
- Make a netfilter rule that will direct users from specific IP(s) to a different nginx server (within nginx context), where learning mode would be enabled, and disable it for the other servers. (I think that's the most efficient in terms of performance.) For example, set up two identical nginx server directives, one with learning mode, the other one with no learning, on different ports, and redirect trusted IPs to the learning one?
- Use nginx's access module (http://wiki.nginx.org/HttpAccessModule) to limit valid IPs for naxsi's "learning" location. But by doing so, there will still be the "double request" induced by naxsi's learning mode.
- Use nginx's GeoIP module to redirect the user, according to their IP, to a different location (one with learning enabled, another without learning mode).
- Issue a patch for http_config.py to add an option to filter "by source IP" (as this data is already passed with the request to http_config.py). (But this is quite "inefficient" in terms of performance.)
If this is still an issue, I might as well issue a patch to make naxsi support a "restricted" source IP for learning mode, but I feel like it's rewriting something that already exists in NGINX.
Thanks, and let me know if it satisfies you!
Original comment by ori...@gmail.com
on 31 Aug 2011 at 3:17
Actually, putting a configuration like the following one for your DeniedUrl seems to work well and limits the potential overhead induced by double requests, as it will stay internal to nginx:
location /RequestDenied {
    allow x.x.x.x;   # only this trusted address reaches the learning daemon
    deny all;        # everyone else gets nginx's 403 instead
    proxy_pass http://127.0.0.1:4242/;
}
Original comment by ori...@gmail.com
on 31 Aug 2011 at 5:17
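The allow/deny idea from the comment above, expanded into a complete server block as an added example (not configuration from this thread or from the naxsi project). The trusted address 192.0.2.10, the application backend on port 8080 and the learning daemon on port 4242 are assumed values; the naxsi directives are the module's standard ones.

```nginx
http {
    # naxsi's core signature set; assumed standard install path
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;

        location / {
            SecRulesEnabled;               # run naxsi on this location
            LearningMode;                  # do not block: hand matches to DeniedUrl
            DeniedUrl "/RequestDenied";    # internal redirect target for matches
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://127.0.0.1:8080/;   # assumed application backend
        }

        # Learning endpoint. The access module runs on the internal redirect,
        # so only the trusted address feeds the learning daemon (the thread's
        # http_config.py, assumed to listen on 4242); all other clients get a
        # plain 403 and never trigger the learning "double request".
        location /RequestDenied {
            allow 192.0.2.10;
            deny all;
            proxy_pass http://127.0.0.1:4242/;
        }
    }
}
```

Requests from untrusted addresses that match a rule therefore cost one access-phase check and a 403, not a round trip through the learning daemon.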
Is this a valid fix for you?
Original comment by ori...@gmail.com
on 23 Sep 2011 at 2:38
I think adding a trusted IP can keep naxsi learning "clean" traffic.
And yes, deploying two nginx instances will fix it, but I think if naxsi supports trusted IPs, it will save a lot of time setting up two nginx for many people.
This is what computers are invented for.
Original comment by delta....@gmail.com
on 23 Sep 2011 at 4:40
Hello,
I think you misunderstood my answer.
I was not saying that deploying two nginx is a solution, but that you should use nginx's allow directive in your /RequestDenied location.
In this way, only "trusted" IPs will be in learning mode, while others will just get your denied page.
Original comment by ori...@gmail.com
on 4 Oct 2011 at 8:31
Original issue reported on code.google.com by
delta....@gmail.com
on 31 Aug 2011 at 11:40