In ModSecurity (I'm actually using Coraza but it should be the same thing), how can I mix logical OR and AND? For example, I want a rule that denies the request if the source IP matches a list of CIDR ranges AND matches a list of host headers. It would be the equivalent of:
if (srcIp in ['3.4.5.0/24', '2.3.4.0/24']) AND (host in ['foo.com', 'bar.com'])
deny
I can achieve AND by chaining. For IP address this works:
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.0/24,2.3.4.0/24" "id:9,phase:1,chain"
But how to also match against multiple hosts in one rule?
I tried
SecRule REQUEST_HEADERS:Host "@pm bar.com baz.com" "id:10,phase:1,deny"
But this also matches against abar.com and bar.coma
Multiple chained rules per host are treated as an AND.
The @within operator matches against a list of values:
SecRule REQUEST_HEADERS:Host "@within bar.com,baz.com" "id:10,phase:1,deny"
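The question's "(IP in list) AND (host in list)" written as a single chain, as an added example that is not part of the original question or answer. It uses an anchored @rx for the Host check so that only the listed names match exactly. @pm looks for its phrases anywhere inside the header, and @within is true whenever the header value appears anywhere inside the parameter string, so a partial value such as ar.com also satisfies it. The 403 status, the log message and the optional port suffix are assumptions made here.

```seclang
# Added example (not from the original post).
# Deny when the address is in either CIDR range AND the Host header is exactly
# foo.com or bar.com, optionally followed by ":port".
#
# In a chain, id, phase and the disruptive action go on the first rule only;
# the chained rule just adds a condition that must also match.
#
# X-Forwarded-For is kept from the question. It is a client-supplied header
# unless a trusted proxy overwrites it; REMOTE_ADDR holds the address of the
# peer that actually connected.
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.0/24,2.3.4.0/24" \
    "id:9,phase:1,deny,status:403,log,msg:'Listed range on restricted host',chain"
    SecRule REQUEST_HEADERS:Host "@rx ^(?:foo\.com|bar\.com)(?::[0-9]+)?$" \
        "t:none,t:lowercase"
```

With this pair, abar.com and bar.coma no longer match, while Bar.com and bar.com:8080 still do because of the lowercase transformation and the optional port group.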