Closed aipach closed 1 year ago
Hello @aipach ,
If I'm understanding your question 2 correctly, you can supply different configurations for two different nginx server blocks, or two different location blocks.
If you believe that those methods are inadequate for some needs, please fully illustrate how you would like to be using the technique you described in your first point, and why that would be preferable.
@martinhsv For example:

```
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log logs/host.access.log main;

    set $sec_path /usr/local/openresty/nginx/conf/rules/modsecurity.conf;
    modsecurity on;
    modsecurity_rules_file $sec_path;

    location / {
        root html;
        index index.html index.htm;
    }
}
```

error:

```
nginx: [emerg] "modsecurity_rules_file" directive Failed to open the file: $sec_path
```
Some directives in nginx can take variables. Why is this configuration not allowed?
Hello @aipach ,
I don't believe this is unique to modsecurity_rules_file. My understanding is that within nginx, variables are expected in some places and not in others. I.e. that implementation of variable expansion is for specifically chosen items and not a general rule.
For example, I don't believe you can replace:
```
client_max_body_size 5M;
```

with

```
set $cmb 5M;
client_max_body_size $cmb;
```
If there were a compelling use case, what you suggest could be considered as an enhancement. But given that this has not arisen in the 5 years since v3.0.0 was released, I guess I'm assuming that most users find being able to specify paths directly within server or location blocks to be sufficient.
If you like, feel free to illustrate an example where you think variable expansion would be of high value compared to what one can do today.
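One way to get per-domain rule sets with literal paths in separate server blocks, as suggested above, without hand-writing each block, is to generate the blocks at deploy time. This is an added example, not code from the thread or from the ModSecurity-nginx project; `render_server`, `render_all`, the host names and the rule file names are hypothetical, and the rules directory is the one from the configuration posted in this thread.

```python
import re
from pathlib import PurePosixPath

# Assumption: rules live in the directory used in the thread's configuration.
RULES_DIR = PurePosixPath("/usr/local/openresty/nginx/conf/rules")

# Strict allow-lists keep a host or file name from injecting extra directives.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
FILE_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]*\.conf")

TEMPLATE = """server {{
    listen 80;
    server_name {host};

    modsecurity on;
    # Literal path: the directive does not expand nginx variables.
    modsecurity_rules_file {rules};

    location / {{
        root html;
        index index.html index.htm;
    }}
}}
"""


def render_server(host, rules_file):
    """Return one server block that loads `rules_file` for `host`."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError(f"refusing host name {host!r}")
    if not FILE_RE.fullmatch(rules_file):
        raise ValueError(f"refusing rules file name {rules_file!r}")
    return TEMPLATE.format(host=host, rules=RULES_DIR / rules_file)


def render_all(sites):
    """Render every site in a stable order so generated files diff cleanly."""
    return "\n".join(render_server(h, f) for h, f in sorted(sites.items()))


# Constructed sample mapping of domain name to rules file.
SITES = {"shop.example": "shop.conf", "blog.example": "blog.conf"}

if __name__ == "__main__":
    print(render_all(SITES))
```

Write the output to a file that the main configuration includes, check it with `nginx -t`, and reload; rule changes still take effect only on reload.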
Hello @martinhsv ,
I know that this configuration will consume a lot of memory.
I just want to change variables for different domain names to implement different rules and reduce the configuration of nginx, or use the Lua language to directly modify the loaded rules of the memory variable value, reducing the number of nginx reloads, to achieve a real-time rule change effect.
Anyway, thanks for your reply, I have been trying to see the source code modification.
1. Why does the modsecurity_rules instruction parameter not support the ngx.var.xxx ($xxx) variable?
2. In order to not create a lot of location configuration, how to dynamically implement the rule configuration based on different domain names?