Mixed Policies
This guide demonstrates how to implement complex, layered blocking policies that combine multiple criteria and provide nuanced access control beyond simple Tor detection.
Mixed policies allow you to create sophisticated access control by combining Tor detection with other factors like geographic location, time of day, user behavior, request patterns, and application context.
Different Tor policies based on geographic location:
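http {
    torblock on;

    # GeoIP databases for ngx_http_geoip_module. The module itself is compiled
    # in or loaded with load_module in the main context; these directives only
    # point it at the database files.
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_city    /usr/share/GeoIP/GeoLiteCity.dat;

    # Country-specific Tor policies.
    # $geoip_country_code is resolved from $remote_addr. Behind a CDN or load
    # balancer that is the proxy's address, so the real_ip module must restore
    # the client address from a trusted proxy list first. Never derive the
    # country from a client-supplied header: the client would then pick its
    # own policy.
    map $geoip_country_code $tor_policy {
        # High-risk countries: block all Tor
        CN strict_block;
        RU strict_block;
        KP strict_block;
        IR strict_block;
        # Medium-risk countries: limited Tor access
        BR limited_access;
        IN limited_access;
        TR limited_access;
        # Low-risk countries: allow with monitoring
        US monitored;
        CA monitored;
        GB monitored;
        DE monitored;
        FR monitored;
        # Default policy for other countries (including an unresolved code)
        default restricted;
    }

    # Business hours are 08:00-17:59 in the SERVER'S LOCAL time zone:
    # $time_iso8601 is local time with a UTC offset, not UTC. Run nginx with
    # TZ=UTC (or shift the hour range) if the window is meant to be UTC.
    map $time_iso8601 $business_hours {
        ~T(0[89]|1[0-7]) 1;
        default          0;
    }

    # nginx rejects nested "if" blocks, so the "limited access" rule is
    # decided by one lookup over both inputs and tested with a flat "if".
    map "$tor_policy:$business_hours" $limited_access_mode {
        ~^limited_access:1$ in_hours;
        ~^limited_access:0$ off_hours;
        default             none;
    }

    # Same flattening for "restricted" countries: the CAPTCHA redirect applies
    # only when the module has actually flagged the connection.
    map "$tor_policy:$torblock_status" $captcha_required {
        ~^restricted:blocked$ 1;
        default               0;
    }

    server {
        listen 80;
        server_name global-service.example.com;

        location / {
            # NOTE(review): torblock/torblock_action inside "if" follow the
            # page's usage; confirm the module registers them for that context.

            # Strict blocking countries
            if ($tor_policy = "strict_block") {
                torblock on;
                torblock_action 444; # Drop connection without a response
                access_log /var/log/nginx/blocked-countries.log combined;
            }

            # Limited access: Tor passes during business hours, 403 outside
            if ($limited_access_mode = "in_hours") {
                torblock on;
                torblock_action pass;
            }
            if ($limited_access_mode = "off_hours") {
                torblock on;
                torblock_action 403;
            }

            # Monitored access - log but allow
            if ($tor_policy = "monitored") {
                torblock on;
                torblock_action log;
                access_log /var/log/nginx/tor-monitored.log combined;
            }

            # Restricted access - send flagged connections to a CAPTCHA.
            # The "return" parameter is taken from the request, so the
            # challenge handler must accept only local paths when it
            # redirects back.
            if ($tor_policy = "restricted") {
                torblock on;
            }
            if ($captcha_required) {
                return 302 /captcha-challenge?return=$request_uri;
            }

            proxy_pass http://backend;
        }
    }
}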
Different content access based on location and Tor usage:
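http {
    torblock on;

    # Country lookup comes from $remote_addr; configure the real_ip module
    # behind a proxy, or every request resolves to the proxy's region.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Map regions to content policies
    map $geoip_country_code $content_region {
        US north_america;
        CA north_america;
        MX north_america;
        GB europe;
        DE europe;
        FR europe;
        IT europe;
        ES europe;
        JP asia;
        KR asia;
        SG asia;
        default international;
    }

    # nginx rejects nested "if" blocks, so region and Tor status are combined
    # into one routing decision here and tested with flat "if"s below.
    map "$content_region:$torblock_status" $tor_content_route {
        ~^north_america:blocked$ tor_content;
        ~^europe:blocked$        privacy_content;
        ~^international:blocked$ verify;
        default                  direct;
    }

    server {
        listen 80;
        server_name content.example.com;

        # Regional content with Tor considerations
        location /content {
            # North America: serve Tor users from the Tor-specific tree
            if ($tor_content_route = "tor_content") {
                rewrite ^/content/(.*)$ /tor-content/$1 last;
            }

            # Europe: GDPR-compliant handling. The privacy tree serves the
            # request and its location adds the notice header; a header added
            # here would be dropped once "rewrite ... last" hands the request
            # to another location.
            if ($tor_content_route = "privacy_content") {
                rewrite ^/content/(.*)$ /privacy-content/$1 last;
            }

            # Asia: strict Tor policies
            # NOTE(review): torblock directives inside "if" follow the page's
            # usage; confirm the module allows that context.
            if ($content_region = "asia") {
                torblock on;
                torblock_action 403;
            }

            # International: verification required. The "content" parameter
            # is request-controlled; the verification handler must validate
            # it as a local path before redirecting back.
            if ($tor_content_route = "verify") {
                return 302 /verify-access?content=$request_uri;
            }

            # "root" appends the request URI, so /content/x resolves to
            # /var/www/content/x (the previous root doubled the directory).
            root /var/www;
        }

        # Tor-specific content directory (reachable only via the rewrite)
        location /tor-content {
            internal;
            root /var/www; # /tor-content/x -> /var/www/tor-content/x
            add_header X-Content-Type "tor-anonymous" always;
        }

        # Privacy-focused content for GDPR (reachable only via the rewrite)
        location /privacy-content {
            internal;
            root /var/www; # /privacy-content/x -> /var/www/privacy-content/x
            add_header X-Tor-Notice "Anonymous access detected - limited tracking" always;
            add_header X-Privacy-Mode "enhanced" always;
        }
    }
}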
Complex time-based policies with risk scoring:
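http {
    torblock on;

    # Time period mapping. $time_iso8601 is the server's LOCAL time (with a
    # UTC offset), so these hour bands follow the server's time zone, not UTC.
    map $time_iso8601 $time_period {
        ~T(06|07)  early_morning;
        ~T(0[89])  morning;
        ~T(1[0-1]) mid_morning;
        ~T(1[2-3]) lunch;
        ~T(1[4-7]) afternoon;
        ~T(1[8-9]) evening;
        ~T(2[0-3]) night;
        ~T(0[0-5]) late_night;
        default    unknown;
    }

    # Day of week detection.
    # NOTE(review): nginx exposes no weekday variable and $time_iso8601 does
    # not contain one, so this map only copies the timestamp through and
    # nothing below reads it. Weekday rules need a value computed outside
    # nginx. (Regexes containing "{" must be quoted in nginx config.)
    map $time_iso8601 $day_type {
        "~^[0-9]{4}-[0-9]{2}-[0-9]{2}T.*$" $time_iso8601;
    }

    # Risk scoring based on time and Tor usage. Every score other than
    # "minimal" already implies $torblock_status = "blocked", so the location
    # block below does not need to test the status again.
    map "$time_period:$torblock_status" $risk_score {
        ~^early_morning:blocked$ high;
        ~^late_night:blocked$    high;
        ~^night:blocked$         medium;
        ~^morning:blocked$       low;
        # mid_morning and lunch previously fell through to "minimal", which
        # silently exempted Tor traffic between 10:00 and 13:59 from every
        # rule; they are scored like the surrounding daytime bands.
        ~^mid_morning:blocked$   low;
        ~^lunch:blocked$         low;
        ~^afternoon:blocked$     low;
        ~^evening:blocked$       medium;
        default                  minimal;
    }

    server {
        listen 80;
        server_name secure-banking.example.com;

        location / {
            # NOTE(review): torblock/torblock_action inside "if" follow the
            # page's usage; confirm the module allows that context.

            # High-risk time periods with Tor: refuse outright
            if ($risk_score = "high") {
                torblock on;
                torblock_action 403;
                access_log /var/log/nginx/high-risk-access.log combined;
                return 403 "Service unavailable during this time period for anonymous connections";
            }

            # Medium risk - additional verification (no nested "if" needed:
            # "medium" is only produced for blocked connections)
            if ($risk_score = "medium") {
                torblock on;
                return 302 /security-verification?level=medium;
            }

            # Low risk - monitoring only
            if ($risk_score = "low") {
                torblock on;
                torblock_action log;
                add_header X-Security-Level "monitoring" always;
            }

            proxy_pass http://banking-backend;
        }

        location /security-verification {
            # "root" appends the request URI, so the files are read from
            # /var/www/security/security-verification/.
            root /var/www/security;
            add_header X-Frame-Options "DENY" always;
            add_header X-Content-Type-Options "nosniff" always;
        }
    }
}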
Combine Tor detection with behavioral patterns:
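http {
    torblock on;

    # Rate limiting zones. "limit_req" is not valid inside "if", so each zone
    # is keyed by a variable that is the client address for the risk level it
    # applies to and empty otherwise; requests with an empty key are not
    # counted, which gives per-risk-level limiting from plain location-level
    # limit_req directives. (Keying the Tor zone by $torblock_status, as
    # before, put every Tor user into one shared bucket.)
    map $behavior_risk $general_limit_key {
        low     $binary_remote_addr;
        default "";
    }
    map $behavior_risk $suspicious_limit_key {
        high    $binary_remote_addr;
        default "";
    }
    map $behavior_risk $tor_limit_key {
        medium  $binary_remote_addr;
        default "";
    }
    limit_req_zone $general_limit_key    zone=general:10m   rate=10r/m;
    limit_req_zone $suspicious_limit_key zone=suspicious:5m rate=2r/m;
    limit_req_zone $tor_limit_key        zone=tor_users:5m  rate=5r/m;

    # Suspicious behavior detection. The User-Agent is client-supplied, so
    # this is a hint, not an identity check.
    map $http_user_agent $suspicious_ua {
        ~*bot   1;
        ~*crawl 1;
        ~*scan  1;
        ~*hack  1;
        ""      1; # Empty user agent
        default 0;
    }

    # Request pattern analysis. Matched against $uri (decoded, dot-segment
    # normalised, no query string) rather than the raw $request_uri, so
    # "/%61dmin" or "/x/../admin" classify the same as "/admin"; anchored so
    # the prefix must start the path.
    map $uri $sensitive_path {
        ~^/admin       admin;
        ~^/api/private api;
        ~^/login       auth;
        ~^/download    download;
        default        public;
    }

    # Combine factors for behavior score
    map "$torblock_status:$suspicious_ua:$sensitive_path" $behavior_risk {
        ~^blocked:1:admin$     critical;
        ~^blocked:1:api$       critical;
        ~^blocked:1:auth$      critical;
        ~^blocked:0:admin$     high;
        ~^blocked:0:api$       high;
        ~^blocked:0:auth$      high;
        ~^blocked:.*:download$ medium;
        ~^blocked:.*:public$   low;
        ~^clean:1:.*$          medium;
        default                minimal;
    }

    server {
        listen 80;
        server_name webapp.example.com;

        location / {
            # Each zone counts only the risk level its key map selects.
            limit_req zone=suspicious burst=1  nodelay;
            limit_req zone=tor_users  burst=3  nodelay;
            limit_req zone=general    burst=10 nodelay;

            # Critical risk - immediate block
            if ($behavior_risk = "critical") {
                access_log /var/log/nginx/critical-threats.log combined;
                return 444; # Drop connection immediately
            }

            # High risk - strict rate limiting (zone "suspicious") plus 429
            # NOTE(review): torblock directives inside "if" follow the page's
            # usage; confirm the module allows that context.
            if ($behavior_risk = "high") {
                torblock on;
                torblock_action 429;
                add_header X-Risk-Level "high" always;
            }

            # Medium risk - enhanced monitoring (zone "tor_users")
            if ($behavior_risk = "medium") {
                access_log /var/log/nginx/medium-risk.log combined;
                add_header X-Risk-Level "medium" always;
            }

            # Low risk - normal processing with logging (zone "general")
            if ($behavior_risk = "low") {
                access_log /var/log/nginx/tor-access.log combined;
                add_header X-Risk-Level "low" always;
            }

            proxy_pass http://webapp-backend;
        }
    }
}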
Different policies for different API endpoints:
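http {
    torblock on;

    # Per-client limit for Tor traffic. The key is empty for non-Tor clients,
    # so they are not counted. "limit_req" cannot sit inside "if", and this
    # zone was referenced below without ever being declared.
    map $torblock_status $tor_limit_key {
        blocked $binary_remote_addr;
        default "";
    }
    limit_req_zone $tor_limit_key zone=tor_users:5m rate=5r/m;

    # Tor users of the user API need a verification cookie. Flattened into a
    # map because nginx rejects nested "if". Only the cookie's presence is
    # checked here: the value is client-supplied and must be validated by the
    # backend (or an auth_request handler).
    map "$torblock_status:$cookie_verified_session" $user_api_unverified {
        ~^blocked:$ 1;
        default     0;
    }

    # Log line for Tor access to the payment API. access_log takes a named
    # log_format, not an inline format string.
    log_format payment_fraud '$remote_addr [$time_local] FRAUD_ALERT: '
                             'Payment API access via Tor "$request" '
                             'User-Agent: "$http_user_agent"';

    # API endpoint classification (matched on the normalised $uri, anchored,
    # so encoded or dot-segment variants classify the same as the plain path)
    map $uri $api_security_level {
        ~^/api/public/   public;
        ~^/api/user/     user;
        ~^/api/admin/    admin;
        ~^/api/payment/  payment;
        ~^/api/internal/ internal;
        default          unknown;
    }

    # HTTP method risk assessment
    map $request_method $method_risk {
        GET     low;
        POST    medium;
        PUT     high;
        DELETE  high;
        PATCH   high;
        default suspicious;
    }

    # Content type policies. $content_type is the client's own header, so
    # this grades what the client declares, not what the body contains.
    map $content_type $content_risk {
        ~^application/json                  normal;
        ~^application/xml                   normal;
        ~^text/plain                        normal;
        ~^multipart/form-data               elevated;
        ~^application/x-www-form-urlencoded elevated;
        default                             unknown;
    }
    # $api_security_level, $method_risk and $content_risk are defined for
    # further rules; the server block below does not reference them.

    server {
        listen 80;
        server_name api.example.com;

        # Public API - allow Tor with rate limiting (Tor clients only, via key)
        location /api/public {
            limit_req zone=tor_users burst=5 nodelay;
            if ($torblock_status = "blocked") {
                add_header X-Tor-User "true" always;
            }
            proxy_pass http://public-api-backend;
        }

        # User API - require verification for Tor
        location /api/user {
            default_type application/json; # types the error body below
            if ($user_api_unverified) {
                return 403 '{"error":"verification_required","message":"Session verification required for anonymous access"}';
            }
            limit_req zone=tor_users burst=3 nodelay;
            proxy_pass http://user-api-backend;
        }

        # Admin API - block Tor completely
        location /api/admin {
            torblock on;
            torblock_action 403;
            # Additional security headers
            add_header X-Admin-Access "direct-only" always;
            proxy_pass http://admin-api-backend;
        }

        # Payment API - strict Tor blocking with fraud detection
        location /api/payment {
            torblock on;
            torblock_action 403;
            # Log all payment access attempts from Tor
            if ($torblock_status = "blocked") {
                access_log /var/log/nginx/payment-fraud-attempts.log payment_fraud;
            }
            proxy_pass http://payment-api-backend;
        }

        # Internal API - refuse anything outside the listed networks.
        # allow/deny test $remote_addr, so behind a proxy the real_ip module
        # must be configured with a trusted proxy list, or every request
        # appears to come from the proxy and the ranges no longer mean much.
        location /api/internal {
            torblock on;
            torblock_action 444; # Drop connection
            allow 10.0.0.0/8;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            deny all;
            proxy_pass http://internal-api-backend;
        }
    }
}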
Specialized handling for file operations:
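http {
    torblock on;

    # File type classification. Matched on $uri, which carries no query
    # string: with $request_uri the "$"-anchored extension patterns were
    # compared against "...?args", so any request with a query string fell
    # into "unknown" and skipped the executable rule. Case-insensitive so
    # ".EXE" is still an executable.
    map $uri $file_category {
        ~*\.(jpg|jpeg|png|gif|webp)$ image;
        ~*\.(pdf|doc|docx|txt)$      document;
        ~*\.(zip|tar|gz|rar)$        archive;
        ~*\.(exe|dmg|pkg|deb|rpm)$   executable;
        ~*\.(mp3|mp4|avi|mov)$       media;
        default                      unknown;
    }

    # Per-client upload limit for Tor users; empty key = not counted. The zone
    # was referenced below without ever being declared.
    map $torblock_status $tor_limit_key {
        blocked $binary_remote_addr;
        default "";
    }
    limit_req_zone $tor_limit_key zone=tor_users:5m rate=5r/m;

    # nginx rejects nested "if", so the multi-condition checks are folded into
    # maps and tested once each below. Cookie checks are presence-only; the
    # backend must validate the values.
    # Tor document upload without the verification cookie.
    map "$torblock_status:$cookie_upload_verified" $document_upload_unverified {
        ~^blocked:$ 1;
        default     0;
    }
    # Tor archive download without the download-verification cookie.
    map "$file_category:$torblock_status:$cookie_download_verified" $archive_download_unverified {
        ~^archive:blocked:$ 1;
        default             0;
    }
    # Tor media download.
    map "$file_category:$torblock_status" $tor_media_download {
        ~^media:blocked$ 1;
        default          0;
    }

    server {
        listen 80;
        server_name files.example.com;

        # Image uploads - allow Tor with restrictions.
        # client_max_body_size and limit_req are not valid inside "if", so Tor
        # traffic is re-routed to an internal location that carries the
        # tighter limits; everyone else keeps the 50m limit here.
        location /upload/images {
            client_max_body_size 50m; # 50MB limit for normal users
            if ($torblock_status = "blocked") {
                rewrite ^/upload/images(.*)$ /tor-upload/images$1 last;
            }
            proxy_pass http://image-upload-backend;
        }
        location /tor-upload/images {
            internal;
            client_max_body_size 5m; # 5MB limit for Tor users
            limit_req zone=tor_users burst=2 nodelay;
            add_header X-Scan-Level "enhanced" always; # Enhanced scanning
            # The matched prefix is replaced, so the backend sees the original
            # /upload/images path.
            proxy_pass http://image-upload-backend/upload/images;
        }

        # Document uploads - require verification for Tor
        location /upload/documents {
            default_type application/json; # types the error body below
            if ($document_upload_unverified) {
                return 403 '{"error":"verification_required","message":"Document upload verification required"}';
            }
            if ($torblock_status = "blocked") {
                rewrite ^/upload/documents(.*)$ /tor-upload/documents$1 last;
            }
            proxy_pass http://document-upload-backend;
        }
        location /tor-upload/documents {
            internal;
            client_max_body_size 2m; # Strict limit for Tor users
            proxy_pass http://document-upload-backend/upload/documents;
        }

        # Executable uploads - block Tor completely. The "return" must sit
        # inside the condition: at location level it rejected every client.
        # Non-Tor uploads still need a handler here (a proxy_pass to the
        # upload backend); the guide does not show one.
        location /upload/software {
            torblock on;
            torblock_action 403;
            if ($torblock_status = "blocked") {
                return 403 "Executable uploads not permitted via anonymous connections";
            }
        }

        # Download restrictions based on file type
        location /download {
            # Archive downloads - CAPTCHA for Tor users without the cookie
            if ($archive_download_unverified) {
                return 302 /verify-download?file=$request_uri;
            }

            # Executable downloads - block Tor
            # NOTE(review): torblock directives inside "if" follow the page's
            # usage; confirm the module allows that context.
            if ($file_category = "executable") {
                torblock on;
                torblock_action 403;
            }

            # Media files - rate limit for Tor
            if ($tor_media_download) {
                limit_rate 1m; # 1MB/s rate limit
            }

            # "root" appends the request URI: /download/x is served from
            # /var/www/downloads/download/x.
            root /var/www/downloads;
        }
    }
}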
Comprehensive e-commerce Tor policy:
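http {
    torblock on;

    # Per-client limit for Tor browsing; empty key = not counted. The "general"
    # zone was referenced below without being declared, and "limit_req"
    # cannot sit inside "if".
    map $torblock_status $tor_limit_key {
        blocked $binary_remote_addr;
        default "";
    }
    limit_req_zone $tor_limit_key zone=general:10m rate=10r/m;

    # Shopping behavior analysis (normalised $uri, anchored). Not referenced by
    # the server block below; available for further rules.
    map $uri $ecommerce_section {
        ~^/browse/   catalog;
        ~^/product/  product;
        ~^/cart/     cart;
        ~^/checkout/ checkout;
        ~^/payment/  payment;
        ~^/account/  account;
        ~^/admin/    admin;
        default      general;
    }

    # User session trust.
    # NOTE(review): $cookie_session_trust is set by the client, so any request
    # carrying "session_trust=verified" obtains "high" here. Treat this as a
    # routing hint only: the trust decision must come from server-side
    # session state (the backend or an auth_request handler), or the cookie
    # must be signed and verified before this map is consulted.
    map $cookie_session_trust $trust_level {
        verified high;
        partial  medium;
        default  low;
    }

    # nginx rejects nested "if"; the combined conditions live in maps.
    # Tor connection whose session is not fully trusted.
    map "$torblock_status:$trust_level" $tor_untrusted {
        ~^blocked:high$ 0;
        ~^blocked:      1;
        default         0;
    }
    # Tor connection without the MFA cookie (presence only; the backend must
    # validate the value).
    map "$torblock_status:$cookie_mfa_verified" $tor_mfa_missing {
        ~^blocked:$ 1;
        default     0;
    }
    # Whether a session cookie is present. This is logged instead of the
    # cookie's value: a session identifier is a credential and does not
    # belong in log files.
    map $cookie_session_id $session_present {
        ""      no;
        default yes;
    }

    # access_log takes a named log_format, not an inline format string.
    log_format payment_security '$remote_addr [$time_local] PAYMENT_ACCESS: '
                                '"$request" tor_status="$torblock_status" '
                                'trust_level="$trust_level" session_present="$session_present"';

    server {
        listen 80;
        server_name shop.example.com;

        # Product browsing - allow Tor with monitoring
        location /browse {
            limit_req zone=general burst=20 nodelay; # Light rate limiting (Tor keys only)
            if ($torblock_status = "blocked") {
                # Log browsing patterns
                access_log /var/log/nginx/tor-browsing.log combined;
                # Add privacy notice
                add_header X-Privacy-Notice "Anonymous browsing detected" always;
            }
            proxy_pass http://catalog-backend;
        }

        # Shopping cart - require verification for Tor
        location /cart {
            if ($tor_untrusted) {
                return 302 /verify-session?return=/cart;
            }
            if ($torblock_status = "blocked") {
                # Enhanced security headers
                add_header X-Frame-Options "DENY" always;
                add_header X-Content-Type-Options "nosniff" always;
            }
            proxy_pass http://cart-backend;
        }

        # Checkout process - strict Tor policies
        location /checkout {
            default_type application/json; # types the error body below
            # Block Tor checkout unless the session is fully trusted
            if ($tor_untrusted) {
                return 403 '{"error":"checkout_blocked","message":"Checkout requires verified connection","support":"/contact"}';
            }
            if ($torblock_status = "blocked") {
                # Additional fraud detection headers
                add_header X-Fraud-Check "enhanced" always;
                # Log all Tor checkout attempts
                access_log /var/log/nginx/tor-checkout.log combined;
            }
            proxy_pass http://checkout-backend;
        }

        # Payment processing - complete Tor block
        location /payment {
            torblock on;
            torblock_action 403;
            # Comprehensive logging
            access_log /var/log/nginx/payment-security.log payment_security;
            proxy_pass http://payment-backend;
        }

        # Account management - enhanced verification
        location /account {
            if ($tor_mfa_missing) {
                return 302 /mfa-challenge?return=/account;
            }
            if ($torblock_status = "blocked") {
                # Session timeout hint for Tor users. A Set-Cookie header is
                # advisory - the client can ignore it - so the backend must
                # enforce the shorter lifetime server-side.
                add_header Set-Cookie "session_timeout=1800; Path=/; Secure; HttpOnly" always;
            }
            proxy_pass http://account-backend;
        }
    }
}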
CMS with role-based Tor policies:
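http {
    torblock on;

    # Needed for $geoip_country_code in the login log format: without
    # ngx_http_geoip_module the variable is undefined and nginx refuses to
    # start.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Per-client limit for Tor logins; empty key = not counted. "limit_req"
    # cannot sit inside "if", and the zone was referenced below without being
    # declared.
    map $torblock_status $tor_limit_key {
        blocked $binary_remote_addr;
        default "";
    }
    limit_req_zone $tor_limit_key zone=suspicious:5m rate=2r/m;

    # User role detection from cookies.
    # NOTE(review): $cookie_user_role is set by the client, so a request
    # carrying "user_role=admin" is treated as an admin here without any
    # authentication. The role must come from something the server verifies -
    # e.g. a header returned by an auth_request handler, or a signed cookie
    # checked before this map is consulted.
    map $cookie_user_role $user_access_level {
        admin      admin;
        editor     editor;
        author     author;
        subscriber subscriber;
        default    anonymous;
    }

    # Content type sensitivity (normalised $uri, anchored)
    map $uri $content_sensitivity {
        ~^/wp-admin/          admin;
        ~^/wp-login           auth;
        ~^/wp-content/uploads sensitive;
        ~^/api/               api;
        ~^/feed/              public;
        default               general;
    }

    # nginx rejects nested "if", so every multi-condition rule is decided by
    # one of the maps below and tested with a flat "if".
    # Tor request for general content.
    map "$content_sensitivity:$torblock_status" $tor_general_content {
        ~^general:blocked$ 1;
        default            0;
    }
    # Tor login without the pre-auth cookie (presence only; the backend must
    # validate the value).
    map "$torblock_status:$cookie_pre_auth_verified" $tor_login_unverified {
        ~^blocked:$ 1;
        default     0;
    }
    # Role x Tor status x method for the admin area.
    map "$user_access_level:$torblock_status:$request_method" $wp_admin_tor_mode {
        "~^admin:blocked:"               admin;
        "~^(editor|author):blocked:GET$" staff_read;
        "~^(editor|author):blocked:"     staff_write;
        default                          none;
    }
    # Tor POST to the uploads path, by declared content type. $content_type is
    # the client's own header; this filters what is declared, not what the
    # body actually contains.
    map "$torblock_status:$request_method:$content_type" $tor_upload_mode {
        ~^blocked:POST:image/ image;
        ~^blocked:POST:       other;
        default               none;
    }

    # access_log takes a named log_format, not an inline format string.
    log_format tor_login '$remote_addr [$time_local] TOR_LOGIN: '
                         '"$request" "$http_user_agent" '
                         'country="$geoip_country_code"';

    server {
        listen 80;
        server_name cms.example.com;

        # Public content - allow Tor
        location / {
            if ($content_sensitivity = "public") {
                # No restrictions for public content
                add_header X-Public-Content "true" always;
            }
            if ($tor_general_content) {
                # Light monitoring for general content
                access_log /var/log/nginx/tor-general.log combined;
            }
            proxy_pass http://cms-backend;
        }

        # Authentication - enhanced security for Tor
        location /wp-login.php {
            limit_req zone=suspicious burst=3 nodelay; # Tor clients only, via the key map
            if ($tor_login_unverified) {
                return 302 /verify-login?return=/wp-login.php;
            }
            if ($torblock_status = "blocked") {
                # Log all Tor login attempts
                access_log /var/log/nginx/tor-login-attempts.log tor_login;
            }
            proxy_pass http://cms-backend;
        }

        # Admin area - role-based Tor policies
        location /wp-admin {
            # Admins over Tor: enhanced security
            if ($wp_admin_tor_mode = "admin") {
                add_header X-Admin-Security "enhanced" always;
                # Shorter session timeout. This re-issues the client's own
                # PHPSESSID value with a Max-Age; the client may ignore it, so
                # the application must enforce the lifetime itself.
                # NOTE(review): Path=/wp-admin differs from the path the
                # application's own cookie usually carries, which would yield
                # a second cookie rather than a shorter one - confirm.
                add_header Set-Cookie "PHPSESSID=$cookie_PHPSESSID; Max-Age=1800; Path=/wp-admin; Secure; HttpOnly" always;
            }

            # Editors and authors over Tor: read-only
            if ($wp_admin_tor_mode = "staff_write") {
                return 403 "Write access not permitted via anonymous connection";
            }

            # Block Tor for lower privilege levels
            # NOTE(review): torblock directives inside "if" follow the page's
            # usage; confirm the module allows that context.
            if ($user_access_level ~ "^(subscriber|anonymous)$") {
                torblock on;
                torblock_action 403;
            }

            proxy_pass http://cms-admin-backend;
        }

        # File uploads - strict Tor policies. client_max_body_size is not valid
        # inside "if", so Tor image uploads are re-routed to an internal
        # location that carries the 1m limit.
        location /wp-content/uploads {
            if ($tor_upload_mode = "other") {
                return 403 "Only image uploads permitted via anonymous connection";
            }
            if ($tor_upload_mode = "image") {
                rewrite ^/wp-content/uploads(.*)$ /tor-upload/wp-content/uploads$1 last;
            }
            proxy_pass http://cms-upload-backend;
        }
        location /tor-upload/wp-content/uploads {
            internal;
            client_max_body_size 1m; # Strict file size limit for Tor
            # The matched prefix is replaced, so the backend sees the original
            # /wp-content/uploads path.
            proxy_pass http://cms-upload-backend/wp-content/uploads;
        }
    }
}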
Comprehensive testing approach:
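#!/bin/bash
# Mixed policy testing script.
#
# Issues a fixed set of requests and prints what nginx answers, so the policy
# branches in this guide can be checked after a configuration change. Keep in
# mind what each probe can actually exercise:
#   - The country and time rules key on $geoip_country_code and $time_iso8601,
#     i.e. on the connecting address and the server clock. The CF-IPCountry
#     and X-Test-Time headers sent below are not read by any configuration in
#     this guide; they only take effect against a test build whose maps read
#     those headers, and such a build must never be exposed, since a client
#     could then choose its own country or time.
#   - The Tor probe needs a local Tor client listening on TOR_PROXY.
#
# TEST_DOMAIN and TOR_PROXY may be overridden from the environment.
set -u

TEST_DOMAIN="${TEST_DOMAIN:-test.example.com}"
TOR_PROXY="${TOR_PROXY:-127.0.0.1:9050}" # Local Tor SOCKS proxy

# status LABEL [curl options...] URL
# Print LABEL and the final HTTP status; the body is discarded so the output
# stays one line per probe regardless of what the backend returns.
status() {
    local label=$1
    shift
    printf '%s: ' "$label"
    curl -sS -o /dev/null -w 'Status: %{http_code}\n' "$@"
}

# json LABEL [curl options...] URL
# Print LABEL and the response body through jq when it is JSON; a non-JSON
# body (a 302 page, an empty 444 drop) is reported instead of failing silently.
json() {
    local label=$1
    shift
    printf '%s:\n' "$label"
    curl -sS "$@" | jq . 2>/dev/null || echo "(no JSON body)"
}

echo "=== Mixed Policy Testing ==="

# Test 1: Geographic policy simulation (see the header note on these headers)
echo "1. Testing geographic policies..."
json "CN" -H "CF-IPCountry: CN" "http://$TEST_DOMAIN/api/test"
json "US" -H "CF-IPCountry: US" "http://$TEST_DOMAIN/api/test"

# Test 2: Time-based policy simulation (see the header note)
echo "2. Testing time-based policies..."
status "02:00" -H "X-Test-Time: 02:00" "http://$TEST_DOMAIN/secure"
status "14:00" -H "X-Test-Time: 14:00" "http://$TEST_DOMAIN/secure"

# Test 3: Behavior-based policies (browser UA vs tool UA on a sensitive path)
echo "3. Testing behavior policies..."
status "browser UA" -A "Mozilla/5.0" "http://$TEST_DOMAIN/admin"
status "curl UA"    -A "curl/7.0"    "http://$TEST_DOMAIN/admin"

# Test 4: Method / content-type policies
echo "4. Testing content-type policies..."
status "GET"  -X GET  "http://$TEST_DOMAIN/api/user"
status "POST" -X POST -H "Content-Type: application/json" "http://$TEST_DOMAIN/api/user"

# Test 5: Combined policy testing via Tor
echo "5. Testing via Tor..."
json "via Tor" --proxy "socks5h://$TOR_PROXY" "http://$TEST_DOMAIN/test/policy"

echo "=== Testing Complete ==="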
After implementing mixed policies:
- Development Setup: Learn about Development Setup for custom policy development
- Building from Source: Check Building from Source for compilation details
- Troubleshooting: Review Troubleshooting Guide for debugging complex policies
- Performance Tuning: Return to Advanced Configuration for optimization