
ModSecurity default action when no rule is matched?

I'm doing a lab with ModSecurity using nginx, and I have a question.

How can you set a default action for an action that doesn't match any rule?

For example, I have a set of rules that allows people to do stuff from one set of IPs, and I want to block all other requests. How can I do that?

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,allow,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm CN"

SecDefaultAction "phase:1,log,auditlog,drop,status:403,tag:'SLA 24/7'"

If you want to deny all requests which didn't match any rules before, you have to create an explicit unconditional rule (SecAction) at the end of your set of rules, something like this:

SecAction "id:10001,phase:1,deny,status:403,log"

Please note that with this solution (rule in phase:1) you can't use any other phase. Of course, you should put this rule into phase:2, but without any rule in that phase, it's enough.

More notes for your example:

  • your action is allow but the message is Blocking Country IP Address, this is a bit confusing
  • if you want to control only the access/not access by country, there is a standalone Nginx module, you don't need any WAF
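
The allowlist-then-deny layout described in the answer, written out as a ModSecurity rules file. This is an added example, not part of the original post; the rule ids other than 10001, the messages and the addresses (RFC 5737 documentation ranges) are constructed. SecDefaultAction appears only to show that it sets the actions later rules in that phase inherit, not a fallback for unmatched requests.

```apache
# Constructed example: addresses are RFC 5737 documentation ranges,
# rule id 10000 and the msg strings are illustrative.
SecRuleEngine On

# Inherited by the phase:1 rules that FOLLOW this line. It never fires on
# its own, so it cannot serve as "what happens when nothing matched".
SecDefaultAction "phase:1,log,auditlog,pass"

# Allowlist: on a match, 'allow' stops rule processing and lets the
# request through, so the catch-all below is never evaluated for it.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.17" \
    "id:10000,phase:1,allow,nolog,msg:'Source address on allowlist'"

# Catch-all: SecAction has no condition, so it runs for every request
# that reaches this point, i.e. every request no allow rule matched.
# It must stay the LAST rule in the phase; rules placed after it in
# phase:1 would never see a non-allowlisted request.
SecAction \
    "id:10001,phase:1,deny,status:403,log,msg:'Default deny: no allow rule matched'"
```

With this file loaded, a request from an address outside the listed ranges should receive a 403 and leave a log entry for id 10001, while a request from inside them passes without touching rule 10001.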
