ignore_ip

The `ignore_ip` directive allows the NAXSI module to exclude specified IP addresses from being subjected to request filtering.

Syntax: ignore_ip address;
Default: none
Context: http, server, location, limit_except
Arguments: 1+

Description

The ignore_ip directive creates a whitelist of IP addresses that are exempt from the anti-XSS and SQL injection rules enforced by NAXSI. This is useful when specific trusted clients, such as internal applications or particular users, need to bypass the security checks that NAXSI applies to all incoming traffic. Requests from the listed addresses are not subject to the filtering and rule checks that might otherwise block legitimate traffic or applications.

When a request originates from an IP address that matches one of the listed values, NAXSI skips its normal evaluation and processing for that request. The match is made by comparing each request's client IP against the specified entries. Multiple IP addresses can be given as arguments, which gives flexibility in managing client exceptions. Administrators should manage this directive carefully: bypassing filtering for trusted sources may lead to exploitation if those sources become compromised.

Config Example

http {
    ignore_ip 192.168.1.1;
    ignore_ip 10.0.0.0/8;
}

For security, avoid whitelisting entire ranges unless absolutely necessary.

Monitoring logs after configuring ignore_ip is essential to ensure that legitimate requests are processed correctly.

IP addresses should be properly formatted to avoid unintended behavior.
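
The following audit script is an added example, not part of the NAXSI project or its documentation. It lists every `ignore_ip` argument in a configuration and flags whole ranges and malformed entries, the two cases the notes above warn about. It assumes the directive syntax shown on this page; the sample configuration and the function name `audit_ignore_ip` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """
http {
    ignore_ip 192.168.1.1;
    ignore_ip 10.0.0.0/8 203.0.113.7;   # two arguments on one directive
    server {
        location /admin {
            ignore_ip 192.168.1.300;    # malformed address
        }
    }
}
"""

# An ignore_ip directive at the start of a line, arguments up to the ';'.
# Lines beginning with '#' (commented-out directives) do not match.
DIRECTIVE = re.compile(r"^\s*ignore_ip\s+([^;]+);", re.MULTILINE)


def audit_ignore_ip(conf_text):
    """Return (line_number, value, finding) for every ignore_ip argument."""
    findings = []
    for match in DIRECTIVE.finditer(conf_text):
        line_no = conf_text.count("\n", 0, match.start(1)) + 1
        for value in match.group(1).split():
            value = value.strip("\"'")
            try:
                # strict=True also rejects entries with host bits set,
                # e.g. 10.0.0.1/8, which usually indicates a typo.
                net = ipaddress.ip_network(value, strict=True)
            except ValueError:
                findings.append((line_no, value, "malformed"))
                continue
            if net.num_addresses > 1:
                findings.append((line_no, value, f"range of {net.num_addresses} addresses"))
            else:
                findings.append((line_no, value, "single host"))
    return findings


if __name__ == "__main__":
    for line_no, value, finding in audit_ignore_ip(SAMPLE_CONF):
        print(f"line {line_no}: {value}: {finding}")
```

Running it against the deployed configuration after each change gives a reviewable list of which clients bypass filtering and how many addresses each entry covers.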
