Let’s say my first configuration rule at order 1 is:
if
(http.host eq "example.com" and http.request.uri.path eq "/login")
then
Security Level = High
The rule at order 2 is:
if
(http.host eq "example.com")
then
Security Level = Medium
What is the effective security level of /login requests? I tried the Trace feature but it shows that both rules are matched and doesn’t show what the end result is. I basically want my subdomain to have medium security level except a select few API endpoints should have high security level.
You have the rules the wrong way round. As you have it, if you go to example.com/login then the security level will be set to high by rule 1, then set back to medium by rule 2. You need the reverse effect.
I’ve not checked, but I assumed as you say trace shows both rules are executed so these are not like page rules where a rule that hits doesn’t process further rules. All matching rules are executed in order.
Thanks. Describing it like that makes a lot of sense. Before I thought of “order” like priority where number 1 has higher priority than 2. I wish the documentation described this.
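The ordering behaviour described in the answer above, as an added example that is not part of the original thread and is not Cloudflare's code: a small model in which every matching rule runs in order and a later rule overwrites a setting written by an earlier one. The `Rule` class, the `evaluate` function, and the `host`/`path` request keys are hypothetical names standing in for the rule engine and for `http.host` / `http.request.uri.path`.

```python
# Added illustration: a minimal model of the evaluation order described in the
# thread (all matching rules execute in order; the last write to a setting wins).
# It is an assumption-based sketch, not the product's implementation.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # hypothetical keys: "host", "path"

@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    settings: Dict[str, str]

def evaluate(rules: List[Rule], req: Request) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective settings, names of matched rules in execution order)."""
    effective: Dict[str, str] = {}
    matched: List[str] = []
    for rule in rules:                       # list position = rule order 1, 2, ...
        if rule.matches(req):
            matched.append(rule.name)        # what a trace would list as matched
            effective.update(rule.settings)  # later match overwrites earlier one
    return effective, matched

login_high = Rule(
    "login-high",
    lambda r: r["host"] == "example.com" and r["path"] == "/login",
    {"security_level": "high"},
)
host_medium = Rule(
    "host-medium",
    lambda r: r["host"] == "example.com",
    {"security_level": "medium"},
)

AS_ASKED = [login_high, host_medium]  # order from the question
REVERSED = [host_medium, login_high]  # general rule first, exception last

if __name__ == "__main__":
    for label, rules in (("as asked", AS_ASKED), ("reversed", REVERSED)):
        for path in ("/login", "/home"):
            req = {"host": "example.com", "path": path}
            eff, hit = evaluate(rules, req)
            print(f"{label:9} {path:7} matched={hit} -> {eff.get('security_level')}")
```

With the order from the question, `/login` matches both rules and ends at medium; with the general rule first and the specific exception last, it ends at high while every other path stays at medium.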