[feature request] add 'and' for rules #2109
Replies: 5 comments
-
|
if this PR from djcrafts is added, then this feature will be included: #2131 |
Beta Was this translation helpful? Give feedback.
-
|
I'd definitely be interested in #2131 if that indeed provides better rule resolution. It's definitely going to be needed after adding the capability for ASN rule matching. For example, Rules are quite a bit more customizable in cloudflare. See the screenshot below, where you can select the field, operation, and value. You can group conditions with an 'and' or an 'or'.
|
Beta Was this translation helpful? Give feedback.
-
|
+1 for this FR. |
Beta Was this translation helpful? Give feedback.
-
|
A NOT operator is also definitely needed |
Beta Was this translation helpful? Give feedback.
-
|
+1, this would be very useful. Rules should be able to complement each other instead of being strictly order-dependent. Combining conditions like path + country or path + ASN before deciding to allow, block, require login, or bypass login would make access control much safer and more flexible. |
Beta Was this translation helpful? Give feedback.

Uh oh!
There was an error while loading. Please reload this page.
-
Summary
currently, you can set ip OR path OR country, which means that you cannot, for example, say "allow this country to this path" - you have to either allow the path (which allows the world) or allow the country (which does not limit the path)
(or you would have to create workarounds by creating a separate resource and doing it through path matchers, but that would become unsustainable)
Motivation
one of the most clear cases is somewhere someone describes how to "make sure bitwarden/vaultwarden works with pangolin", but what they are actually doing and suggesting is removing the protection from pangolin, so they end up with a vaultwarden instance that is exposed to the world - adding the path AND ip/country option would help prevent such misconfigurations (as i'm sure the idea is not to expose vaultwarden to the world)
Proposed Solution
adding the option to limit a path on either ip or country so that we can have a safer and more maintainable setup with pangolin for things where you need to have an API that cannot authenticate to pangolin, but you still want to use the concept of "least privileges required"
Alternatives Considered
creating separate resources, but this would entail that for each application you would have to create multiple resources + a different (sub)domain, which is unwanted in most cases.
(also, it would make it too easy to have faulty configurations that become unsafe)
Additional Context
No response
Beta Was this translation helpful? Give feedback.
All reactions