exit with ngx.DECLINED when the request is allowed #62
Closes #61.
The bouncer is running in the access phase of nginx, and an access handler can have 3 different return codes:

- `ngx.OK`: request is allowed to go through (and bypass any remaining handler in the phase)
- `>= ngx.HTTP_OK`: return this code to nginx and skip all remaining phases
- `ngx.DECLINED`: tell nginx we are not interested in handling the request (and so, we are not taken into account when resolving `satisfy`).

`ngx.DECLINED` is not really documented in the LUA module (best I could find is this and this).

We didn't explicitly tell nginx we were not interested in handling the request in the following case:

This caused any configuration using `satisfy any` to not behave as expected: because we were implicitly allowing the request, any other check (such as IP or credentials) was ignored.

We now explicitly exit the handler with `ngx.DECLINED` when:

This slightly changes the behavior of the bouncer: if an IP is allowed (through an `allow` directive or correct HTTP credentials) AND nginx is configured with `satisfy any`, the request will be allowed to go through even if there's a decision for the IP or if the appsec component decided to block the request (this can be worked around by using `satisfy all`, but this is not suitable for all situations).
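As an added illustration (not code from this PR or from the bouncer project), the following nginx location shows the two exits the description distinguishes inside an `access_by_lua_block`, combined with nginx's own `allow`/`deny` and `auth_basic` checks under `satisfy any`. The `blocked` table, the IP ranges and the htpasswd path are constructed for the example; a real bouncer would consult its decision cache instead.

```nginx
# Example location (constructed): the Lua access handler sits next to two
# other access modules, and "satisfy any" lets any one of them grant access.
location /app/ {
    satisfy any;                        # one granting module is enough

    allow 10.0.0.0/8;                   # example trusted range
    deny  all;

    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/htpasswd;   # example path

    access_by_lua_block {
        -- Constructed stand-in for a decision lookup: client IPs that
        -- should be blocked. A real bouncer consults its decision cache/API.
        local blocked = { ["203.0.113.7"] = true }

        local ip = ngx.var.remote_addr

        if blocked[ip] then
            -- A decision exists: exit with a status >= ngx.HTTP_OK so nginx
            -- returns it and skips the remaining phases. As the description
            -- notes, under "satisfy any" another access module that grants
            -- the request (an "allow" match or valid credentials) can still
            -- let it through; "satisfy all" avoids that.
            ngx.log(ngx.WARN, "blocking ", ip, " (example decision)")
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- No decision for this IP: the handler has no opinion, so say so
        -- with ngx.DECLINED. nginx then ignores this handler when resolving
        -- "satisfy", and the allow/deny and auth_basic checks decide.
        -- Exiting with ngx.OK here instead would count as an explicit grant
        -- and, under "satisfy any", silently bypass those other checks,
        -- which is the behaviour this PR corrects.
        return ngx.exit(ngx.DECLINED)
    }
}
```

To check the effect, send one request from an address outside the allowed range without credentials (expect 401/403 from the other modules rather than a pass-through) and one from a blocked address, and watch the access log and the `WARN` line above.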