ROR use cases on

I’m testing two use cases as they are on (1) secure public searchbox from ransomware and (2) full access for localhost, RO some indices from elsewhere.
It seems the code is the same for those two cases, except the response_if_forbidden for the second case.
When I’m running a request via curl on the server where the instance of Elasticsearch with a single-node cluster is running ( then I’m getting a response for my requested index movies listed in the indices: ["movies"], and that is OK because I’m running the curl request on localhost.
What is confusing me is that I can get the response for my requested index even if running the same request via curl on another server (yy.yyy.yy.55) where there is no running Elasticsearch.
Any help to make these two use cases more clear (what is the difference, practical usage, etc.) would be appreciated.

I modified the to be less confusing.

The anti-ransomware is basically rejecting everything that is not a read request on certain indices.

The “Full access for localhost, RO some indices from elsewhere” ALSO accepts anything coming from localhost. There are two rule blocks.

Blocks are evaluated in sequence from top to bottom until one matches. If no block matches, the request is rejected.

I’m just curious what I should expect if there are 5 rule blocks and, let’s say, the 2nd and 4th rule blocks are matching.
Will those rule blocks be combined with the “and” or with the “or” operator to define the final behavior?

Thank you very much Simone for your response, explanation and help.

Hi ,

The first matching block wins.
That’s why you have to take care of block order in your configuration file.

All the rules in a block are in AND, and all the blocks are in OR between each other.



So, if the 2nd matching block is found, then ROR will use it and stop analyzing the other blocks, even if, for example, there is another, let’s say 4th, matching block, correct?

Yep, if one block matched.

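The evaluation order discussed in this thread, as an added example that is not part of the original posts and is not ReadonlyREST's own code. It is a simplified Python model: the block names, the rule matching, the sample action names and the remote address 203.0.113.55 are assumptions made for illustration, and every block is treated as an allow block.

```python
from fnmatch import fnmatchcase

# Constructed ACL mirroring "full access for localhost, RO some indices
# from elsewhere". Order matters: blocks are tried top to bottom.
ACL = [
    {"name": "full access for localhost", "hosts": ["127.0.0.1"]},
    {"name": "RO some indices from elsewhere",
     "actions": ["indices:data/read/*"], "indices": ["movies"]},
]

def rule_matches(rule, allowed, request):
    """Simplified matching for the three rule kinds used above."""
    if rule == "hosts":
        return request["host"] in allowed
    if rule == "actions":
        return any(fnmatchcase(request["action"], p) for p in allowed)
    if rule == "indices":
        # Every requested index must be covered by an allowed pattern.
        return bool(request["indices"]) and all(
            any(fnmatchcase(i, p) for p in allowed)
            for i in request["indices"])
    raise ValueError(f"unknown rule: {rule}")

def evaluate(acl, request):
    """Return (decision, name of the block that matched, or None)."""
    for block in acl:
        rules = {k: v for k, v in block.items() if k != "name"}
        # Rules inside one block are ANDed together.
        if all(rule_matches(k, v, request) for k, v in rules.items()):
            # First matching block wins; later blocks are never consulted.
            return "ALLOW", block["name"]
    # No block matched: the request is rejected.
    return "FORBIDDEN", None

if __name__ == "__main__":
    # Constructed requests: a remote read, a remote write, a local write.
    for host, action in [("203.0.113.55", "indices:data/read/search"),
                         ("203.0.113.55", "indices:data/write/index"),
                         ("127.0.0.1", "indices:data/write/index")]:
        req = {"host": host, "action": action, "indices": ["movies"]}
        print(host, action, evaluate(ACL, req))
```

In this model a read of movies from a remote host is allowed by the second block, which has no hosts rule, while a write from the same host matches no block and is rejected.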