ignore_cidr
The `ignore_cidr` directive configures NAXSI to disregard certain IP address ranges for security filtering.
Description
The ignore_cidr directive in the NGINX Anti XSS & SQL Injection (NAXSI) module allows you to specify one or more CIDR (Classless Inter-Domain Routing) notations that define a range of IP addresses to be excluded from security rule evaluations. This is useful in scenarios where certain traffic—such as internal requests or known safe sources—should not trigger the NAXSI firewall, thus preventing false positives that may disrupt legitimate operations.
To implement this directive, you provide one or more IP addresses in CIDR format as arguments. Each specified CIDR range will be checked against the client IP addresses in incoming requests. If a client's IP falls within the specified CIDR range, NAXSI ignores any security rules that would normally apply to that request. This exclusion helps maintain functionality for designated trusted sources without compromising overall security measures for other clients.
The directive can be used in various contexts, including http, server, location, and limit_except, allowing flexible deployment based on your architecture and needs. Ensure that the CIDR addresses are correctly formatted to avoid misconfigurations that may lead to a security breach or unintended traffic blocking.
Config Example
http {
    ignore_cidr 192.168.1.0/24;
    server {
        location / {
            # Other configuration
        }
    }
}

Ensure CIDR addresses are correct to avoid unexpected request filtering.
Using too broad of a CIDR can expose your application to security risks if not carefully considered.
Multiple ignore_cidr directives can cause confusion; document their usage clearly.
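As an added example, not NAXSI's own code, the following Python lint pulls every ignore_cidr argument out of an nginx configuration, rejects malformed CIDRs, flags ranges wider than an assumed threshold, and reports whether a given client IP would bypass rule evaluation. The config fragment and the /8 (IPv4) and /32 (IPv6) thresholds are constructed assumptions, not values from the page.

```python
import ipaddress
import re

# Constructed nginx fragment (not from the page): ignore_cidr at http and
# server level, plus one overly broad range and one malformed argument.
SAMPLE_CONFIG = """
http {
    ignore_cidr 192.168.1.0/24 10.0.0.0/8;
    server {
        ignore_cidr 2001:db8::/32;
        ignore_cidr 0.0.0.0/0;          # whole IPv4 space: every request bypasses NAXSI
        ignore_cidr 192.168.1.256/24;   # malformed octet
        location / { }
    }
}
"""

# One directive per line; arguments run up to ';' and may be followed by a comment.
IGNORE_CIDR_RE = re.compile(r"^\s*ignore_cidr\s+([^;#]+);", re.MULTILINE)


def parse_ignore_cidr(config):
    """Collect every ignore_cidr argument; return (networks, errors).

    strict=True also rejects ranges with host bits set (e.g. 192.168.1.5/24);
    treating that as an error is this lint's policy, not NAXSI's parser.
    """
    networks, errors = [], []
    for match in IGNORE_CIDR_RE.finditer(config):
        for arg in match.group(1).split():
            try:
                networks.append(ipaddress.ip_network(arg, strict=True))
            except ValueError as exc:
                errors.append(f"{arg}: {exc}")
    return networks, errors


def too_broad(net, min_prefix_v4=8, min_prefix_v6=32):
    """Flag a range wider than an assumed threshold (tune to your environment)."""
    limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
    return net.prefixlen < limit


def is_ignored(client_ip, networks):
    """True if a request from client_ip would skip NAXSI rule evaluation."""
    addr = ipaddress.ip_address(client_ip)  # version mismatch never matches
    return any(addr in net for net in networks)
```

Run the three functions over your own config to see which ranges are rejected, which are wider than the threshold, and whether a test address such as a public client IP would be exempted.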