How do conflicting configuration rules resolve?

Let’s say my first configuration rule at order 1 is:

if

(http.host eq "example.com" and http.request.uri.path eq "/login")

then

Security Level = High

The rule at order 2 is:

if

(http.host eq "example.com")

then

Security Level = Medium

What is the effective security level of /login requests? I tried the Trace feature but it shows that both rules are matched and doesn’t show what the end result is. I basically want my subdomain to have medium security level except a select few API endpoints should have high security level.

You have the rules the wrong way round. As you have it, if you go to example.com/login then the security level will be set to high by rule 1, then set back to medium by rule 2. You need the reverse effect.

I’ve not checked, but I assumed as you say trace shows both rules are executed so these are not like page rules where a rule that hits doesn’t process further rules. All matching rules are executed in order.

Thanks. Describing it like that makes a lot of sense. Before I thought of “order” like priority where number 1 has higher priority than 2. I wish the documentation described this.
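
A small Python model of the behaviour described in the reply above (every matching rule runs in order, and a later rule overwrites the value set by an earlier one), added here as an illustration; it is not Cloudflare code and not part of the original thread. The `Rule` class, the `security_level` key, both helper functions and the sample requests are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # constructed shape: {"host": ..., "path": ...}

@dataclass
class Rule:  # hypothetical model of one configuration rule
    name: str
    matches: Callable[[Request], bool]
    settings: Dict[str, str]

def evaluate(rules: List[Rule], req: Request) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run every matching rule in order; a later rule overwrites an earlier one.
    Returns (effective settings, name of the rule that supplied each final value)."""
    effective: Dict[str, str] = {}
    set_by: Dict[str, str] = {}
    for rule in rules:
        if rule.matches(req):
            for key, value in rule.settings.items():
                effective[key] = value
                set_by[key] = rule.name
    return effective, set_by

def overridden_rules(rules: List[Rule], samples: List[Request]) -> List[str]:
    """Rules that match some sample request but never supply a final value."""
    matched, decided = set(), set()
    for req in samples:
        matched.update(r.name for r in rules if r.matches(req))
        decided.update(evaluate(rules, req)[1].values())
    return sorted(matched - decided)

# The two rules from the question, expressed as Python predicates.
login_high = Rule("login_high",
                  lambda r: r["host"] == "example.com" and r["path"] == "/login",
                  {"security_level": "high"})
host_medium = Rule("host_medium", lambda r: r["host"] == "example.com",
                   {"security_level": "medium"})

# Constructed sample requests.
LOGIN = {"host": "example.com", "path": "/login"}
HOME = {"host": "example.com", "path": "/"}
SAMPLES = [LOGIN, HOME]

AS_POSTED = [login_high, host_medium]   # order 1 = /login rule, order 2 = host rule
REVERSED = [host_medium, login_high]    # broad rule first, specific rule last

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(label, evaluate(rules, LOGIN)[0], "never effective:", overridden_rules(rules, SAMPLES))
```

Under this model, `overridden_rules` is a quick lint for a rule set: any rule it returns matches traffic but is always overwritten later, which is exactly what happens to the High rule in the original ordering.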