Hi Blason,
> Thanks Andrew - That works for me
Glad to hear it worked.
> And rule phase 1 should look like this?
>
> Rule REMOTE_ADDR "@geoLookup" \
> "chain,\
> id:22,\
> deny,\
> phase:1 \
> msg:'Non-China IP address'"
> SecRule GEO:COUNTRY_CODE "!@streq CN"
Yes, that looks good. Personal preference (and CRS policy): it's
always a good idea to indent chained rules. Indentation makes the
chain-ing easier to spot and makes the rule flow easier to read.
Maybe you've already determined that this is the best solution for
your use case. However, it is worthwhile to consider the question: is
ModSecurity the *best* place to perform geolocation logic?
Can this same outcome be achieved:
- at the (edge) firewall? Geo-blocked packets then never hit the WAF
and never consume any WAF resources.
- in nftables etc. on the WAF machine? Geo-blocked packets are then
caught much earlier and never hit ModSecurity, hence they consume much
fewer resources.
- in the web server that holds ModSecurity, e.g. Apache, nginx?
Generally more flexible, and makes it easy to add geolocation info as
request headers: your back end servers can use and log the info for
statistics, troubleshooting, etc. (e.g. X-Country-Code: PS)
Just some ideas, which may or may not be helpful.
Thanks,
Andrew