Sindbad~EG File Manager

# Variable definitions to avoid Nginx error, all variable that can be used must be defined in advance.
# For each security rule, we have one variable with the same name as the security rule itself.
# This variable is modified by the lua script (reading the customer config from redis).
# Then we check the content of the variable to determine what to do.
# We have a variable called {ruleName} = {rule action}

### Variable related to the custom waf rules that a customer can choose from cPanel. Set default value here too.

# O2switch default security
set $r_default 'enabled';
# Block or ratelimit xmlrpc.php access. Actions are : disabled, block or ratelimit{1,10,60}.
set $r_xmlrpc 'disabled';
# Block or ratelimit SEO bots. Actions are : disabled, block or ratelimit{1,10,60}.
set $r_seobots 'disabled';
# Block or limit bad bots. Actions are : disabled, block or ratelimit{1,10,60}.
set $r_badbots 'disabled';
# Block or limit empty UA bots. Actions are : disabled, block or ratelimit{1,10,60}.
set $r_emptyua 'disabled';
# Force a browser check on page looking like admin page. Actions are : disabled, js or cookie.
set $r_admincheck 'disabled';
# Rate limit request on admin login page. Actions are : disabled or ratelimit{1,10,60}.
set $r_adminlimit 'disabled';
# Block access to dev file, like .env. Actions are : disabled, block.
set $r_blockdevfiles 'disabled';
# Block or limit access to Tor exit node. Action are : disabled, block or ratelimit{1,10,60}.
set $r_tor 'disabled';
# Block or limit access to bad ip. Actions are : disabled, block or ratelimit{1,10,60}.
set $r_badips 'disabled';
# Block direct access to .php files. Actions are : disabled, block
set $r_blockphp 'disabled';
# Block direct access to wordpress .php files. Actions are : disabled, block
set $r_blockwpphp 'disabled';
# Force a browser check. Actions are : disabled, js or cookie.
set $r_underattack 'disabled';
# Block fake google UA. Action are : disabled, block, ratelimit{1,10,60}
set $r_fakegoogle 'disabled';

### Variables related to our own security rules
set $challengetype '0';

### Attack auto-detection and block
set $autoMitigation '0';
set $autoMitigationOverride 0; # If this is set to 1, it will ignore the osw-chl cookie value and re-force a challenge

### Other

# Name of the security rule triggered, in case of 403 for instance, to display it in the error message
set $securityRuleName '';
# Variable that can contains a message, that will be showned in the error message page, to help the customer debug stuff
set $additionalErrorMessage '';