Jean-Paul Hemelaar
Different Naxsi rulesets
November 12, 2017 12:10PM
Hi!

I'm using Nginx together with Naxsi; so not sure if this is the correct
place for this post, but I'll give it a try.

I want to configure two detection thresholds: a strict detection threshold
for 'far away countries', and a less-strict set
for local countries. I'm using a setup like:

location /strict/ {
    include /usr/local/nginx/naxsi.rules.strict;

    proxy_pass http://app-server/;
}

location /not_so_strict/ {
    include /usr/local/nginx/naxsi.rules.not_so_strict;

    proxy_pass http://app-server/;
}

location / {
    # REMOVED BUT THIS WORKS:
    # include /usr/local/nginx/naxsi.rules.not_so_strict;
    set $ruleSet "strict";
    if ( $geoip_country_code ~ (TRUSTED_CC_1|TRUSTED_CC_2TRUSTED_CC_3) ) {
        set $ruleSet "not_so_strict";
    }

    rewrite ^(.*)$ /$ruleSet$1 last;
}

location /RequestDenied {
    return 403;
}


The naxsi.rules.strict file contains the check rules:
CheckRule "$SQL >= 8" BLOCK;
etc.

For some reason this doesn't work. The syntax is ok, and I can reload
Nginx. However the firewall never triggers. If I uncomment the include in
the location-block / it works perfectly.
Any ideas why this doesn't work, or any better setup to use different
rulesets based on some variables?

Thanks,

JP
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Aziz Rozyev
Re: Different Naxsi rulesets
November 12, 2017 02:40PM
At least you’re missing the or (|) operator between

> TRUSTED_CC_2 and TRUSTED_CC_3



br,
Aziz.





Jean-Paul Hemelaar
Re: Different Naxsi rulesets
November 12, 2017 03:20PM
Hi Aziz,

True; this got lost during my copy-anonymize-paste process. The real config
doesn't have this.

Thanks so far,

JP

Aziz Rozyev
Re: Different Naxsi rulesets
November 13, 2017 02:20PM
At first glance the config looks correct, so probably it’s something with the Naxsi rulesets.
Btw, why don’t you use maps?

map $geoip_country_code $strictness {
    default "strict";
    CC_1    "not-so-strict";
    CC_2    "not-so-strict";
    # .. more country codes;
}

# strict and not-so-strict locations

map $strictness $path {
    "strict"        "/strict/";
    "not-so-strict" "/not-so-strict/";
}

location / {
    return 302 $path;
    # ..
}


br,
Aziz.





Jean-Paul Hemelaar
Re: Different Naxsi rulesets
November 13, 2017 07:50PM
Hi,

I have updated the config to use 'map' instead of the if-statements. That's
indeed a better way.
The problem however remains:

- Naxsi mainrules are in the http-block
- Config similar to:

map $geoip_country_code $ruleSetCC {
    default "strict";
    CC1     "relaxed";
    CC2     "relaxed";
}

location /strict/ {
    include /usr/local/nginx/naxsi.rules.strict;

    proxy_pass http://app-server/;
}

location /relaxed/ {
    include /usr/local/nginx/naxsi.rules.relaxed;

    proxy_pass http://app-server/;
}

location / {
    include /usr/local/nginx/naxsi.rules.default;

    set $ruleSet $ruleSetCC;
    rewrite ^(.*)$ /$ruleSet$1 last;
}


It's always using naxsi.rules.default. If this line is removed it's not
using any rules (pass-all).

Thanks so far!

JP





Aziz Rozyev
Re: Different Naxsi rulesets
November 13, 2017 08:40PM
Hello,

How about logs? Does Naxsi provide any variables that can be monitored?

So far it seems that your rules in 'strict|relaxed' are not triggering; the 'default'
one will always hit (as expected), as it's the first location '/' from where you route to the other 2 locations.

Also, try to log in debug mode; maybe that will give more insights.

br,
Aziz.





Jean-Paul Hemelaar
Re: Different Naxsi rulesets
November 15, 2017 08:00PM
Hi,

With help from the Naxsi mailing list I found that my idea is indeed not
possible.
Naxsi doesn't process subrequests, so that's why it didn't work as I
expected.
It seems to be on the roadmap to change this behavior.

My workaround for now is to move the two rulesets into different server
blocks in Nginx:

- Serverblock 1 listening on port 8080 makes the decision to send the request
  to the strict or not-strict Naxsi
- Serverblock 2 listening on port 8081 applies the strict rules
- Serverblock 3 listening on port 8082 applies the less-strict rules

This works!

Thanks for your help,

JP
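
The three-server-block workaround described in the message above, sketched as an added example (not the poster's actual configuration). The variable name $naxsi_backend and the loopback-only binding of ports 8081/8082 are assumptions; rule file paths, ports and the CC1/CC2 placeholders are taken from the thread.

```nginx
# Added example for the http{} context, not the poster's real config.
# Assumes $geoip_country_code is already populated and the Naxsi
# main rules are loaded in the http block, as stated in the thread.
map $geoip_country_code $naxsi_backend {   # hypothetical variable name
    default "127.0.0.1:8081";              # strict ruleset
    CC1     "127.0.0.1:8082";              # relaxed; CC1/CC2 are placeholders
    CC2     "127.0.0.1:8082";
}

# Server block 1: entry point, only decides which ruleset applies.
server {
    listen 8080;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No URI part after the variable: the original URI is passed unchanged.
        proxy_pass http://$naxsi_backend;
    }
}

# Server block 2: strict rules. Bound to loopback (assumption) so that
# clients cannot pick a ruleset by connecting to the port directly.
server {
    listen 127.0.0.1:8081;

    location / {
        include /usr/local/nginx/naxsi.rules.strict;
        proxy_pass http://app-server/;
    }

    location /RequestDenied { return 403; }
}

# Server block 3: less-strict rules, same loopback-only assumption.
server {
    listen 127.0.0.1:8082;

    location / {
        include /usr/local/nginx/naxsi.rules.relaxed;
        proxy_pass http://app-server/;
    }

    location /RequestDenied { return 403; }
}
```

Because each request now reaches the inner server blocks as a fresh proxied request, the rules included there see it directly; the inner blocks see 127.0.0.1 as the peer address, so the original client address is only available from the X-Forwarded-For header.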


