nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Use checkrule after internal rewrite #403

Closed jeanpaul1977 closed 6 years ago

jeanpaul1977 commented 6 years ago

I want to configure two detection thresholds: a strict detection threshold for 'far away countries', and a less-strict set for local countries. I'm using a setup like:

```nginx
location /strict/ {
    include /usr/local/nginx/naxsi.rules.strict;
    proxy_pass http://app-server/;
}

location /not_so_strict/ {
    include /usr/local/nginx/naxsi.rules.not_so_strict;
    proxy_pass http://app-server/;
}

location / {
    # REMOVED BUT THIS WORKS:
    # include /usr/local/nginx/naxsi.rules.not_so_strict;
    set $ruleSet "strict";
    # missing "|" between the second and third country code restored
    if ( $geoip_country_code ~ "(TRUSTED_CC_1|TRUSTED_CC_2|TRUSTED_CC_3)" ) {
        set $ruleSet "not_so_strict";
    }
    rewrite ^(.*)$ /$ruleSet$1 last;
}

location /RequestDenied { return 403; }
```

The naxsi.rules.strict file contains the check rules: CheckRule "$SQL >= 8" BLOCK; etc.

For some reason this doesn't work. The syntax is ok, and I can reload Nginx. However, Naxsi never triggers. If I uncomment the include in the `/` location block, it works perfectly.

Any ideas why this doesn't work, or any better setup to use different rulesets based on some variables?

buixor commented 6 years ago

Hello !

Sorry, the formatting was a bit hard to read so I might have missed some stuff. Naxsi purposely doesn't process requests in sub-requests and your case might end up being one (it led to many corner-cases at the beginning).

This is something that will change with the next major evolution, but as of now it is a hard limit.

jeanpaul1977 commented 6 years ago

Hi!

Thanks for your input on this issue. I have now implemented a workaround with multiple server blocks to apply the different rulesets. This works as expected.

BR,

JP
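A worked version of the multiple-server-block workaround described in this thread, as an added example that is not from the original posts or the naxsi project: a front-end server block selects a loopback backend from the GeoIP country code and proxies to it, so the naxsi rule set runs in the receiving server block on a fresh request rather than in an internal redirect or sub-request. The country codes, loopback ports, `app.example.com`, the rule-file paths and the presence of `ngx_http_geoip_module` with a configured `geoip_country` database are assumptions.

```nginx
# Maps the visitor's country to the loopback server that carries the
# wanted naxsi rule set. proxy_pass issues a new request, which naxsi
# in the target server block processes normally (unlike rewrite ... last).
# Country codes and ports are assumed values for illustration.
map $geoip_country_code $ruleset_backend {
    default        127.0.0.1:8081;   # strict rule set for everyone else
    TRUSTED_CC_1   127.0.0.1:8082;   # less strict for trusted countries
    TRUSTED_CC_2   127.0.0.1:8082;
    TRUSTED_CC_3   127.0.0.1:8082;
}

# Public front end: no naxsi here, only the routing decision.
server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://$ruleset_backend;
    }
}

# Strict rule set, reachable only from the front end over loopback.
server {
    listen 127.0.0.1:8081;

    location / {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}

# Less strict rule set for the trusted countries.
server {
    listen 127.0.0.1:8082;

    location / {
        include /usr/local/nginx/naxsi.rules.not_so_strict;
        proxy_pass http://app-server/;
    }
    location /RequestDenied { return 403; }
}
```

Binding the rule-set servers to 127.0.0.1 keeps clients from choosing their own rule set by connecting to the less strict port directly.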