How do conflicting configuration rules resolve?

Let’s say my first configuration rule at order 1 is:


( eq "" and http.request.uri.path eq "/login")


Security Level = High

The rule at order 2 is:


( eq "")


Security Level = Medium

What is the effective security level of /login requests? I tried the Trace feature but it shows that both rules are matched and doesn’t show what the end result is. I basically want my subdomain to have medium security level except a select few API endpoints should have high security level.

You have the rules the wrong way round. As you have it, if you go to then the security level will be set to high by rule 1, then set back to medium by rule 2. You need the reverse effect.

I’ve not checked, but I assumed as you say trace shows both rules are executed so these are not like page rules where a rule that hits doesn’t process further rules. All matching rules are executed in order.

1 Like

Thanks. Describing it like that makes a lot of sense. Before I thought of “order” like priority where number 1 has higher priority than 2. I wish the documentation described this.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.