-
Notifications
You must be signed in to change notification settings - Fork 606
olds dynamicmodifiers
Since 0.49, naxsi supports a limited set of boolean variables that can be set to 0
or 1
to override or modify its behaviour.
-
naxsi_flag_learning
can override Naxsi learning flag. -
naxsi_flag_post_action
may be used to disablepost_action
in learning mode. -
naxsi_flag_enable
could override naxsi'sSecRulesEnabled
. -
naxsi_extensive_log
can force naxsi to log theCONTENT
of variable matching rules (see notes at bottom).
It is important to know that naxsi operates at the REWRITE
phase of nginx. Thus, setting those variables directly in the location where Naxsi is present is ineffective (as naxsi will be called before variable set is effective).
This is correct:
set $naxsi_flag_enable 0;
location / {
...
}
But this is wrong:
location / {
set $naxsi_flag_learning 1;
...
}
With that said, you can use the power of nginx, lua, etc. to change naxsi's behaviour. The presence of these variables will enable/disable learning mode, naxsi itself or force extensive logging. You can thus do things naxsi is usually not able to, like modifying its behaviour according to (nginx) variables set at run-time :
# Disable naxsi if client ip is 127.0.0.1
if ($remote_addr = "127.0.0.1") {
set $naxsi_flag_enable 0;
}
Those variables can as well be set from lua scripts (see nginx's mod_lua).
If the naxsi_flag_learning
variable is present, this value will override naxsi's current static configuration regarding learning mode.
if ($remote_addr = "1.2.3.4") {
set $naxsi_flag_learning 1;
}
location / {
...
}
The post_action option can be used by naxsi to literally forward a request to the DeniedUrl
location. It is on by default until naxsi 0.50 (a souvenir from nx_intercept
) and is off by default since naxsi 0.51.
If the naxsi_flag_enable
variable is present and set to 0
, naxsi will be disabled in this request. This allows you to partially disable naxsi in specific conditions. To completely disable naxsi for "trusted" users :
set $naxsi_flag_enable 0;
location / {
...
}
If present and set to 1
, this variable will force naxsi to log the CONTENT of variable matching rules.
Because of a potential impact on performance, use this with caution. Naxsi will log those to nginx’s error_log, ie:
NAXSI_EXLOG: ip=%V&server=%V&uri=%V&id=%d&zone=%s&var_name=%V&content=%V