NginxHttpAccessModule

Synopsis

This module provides a simple host-based access control.

The ngx_http_access_module module makes it possible to control access based on the IP addresses of clients.

Access rules are checked according to the order of their declaration. The first rule that matches a particular address or set of addresses is the one that is obeyed.

Example configuration:

location / {
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
  deny    all;
}

In this example, access is granted to networks 10.1.1.0/16 and 192.168.1.0/24, with the exception of address 192.168.1.1. That address is denied by the first rule, and all other addresses are denied by the deny all rule, which is matched last in this location block.

Note that the order of the deny and allow directives is of the utmost importance. If you're coming from the Apache world, you might be tempted to think that you can switch the order of the access directives and everything will still work. It won't. Switching the order in the above example results in access being denied to all addresses. Consider the following incorrect configuration:

location / {
  # This always returns a 403, which is probably not what you want.
  deny    all;
  # These directives are never reached, because deny all comes first.
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
}
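
The first-match evaluation described above, as an added example (not part of the original page or of nginx itself): a small Python checker that applies allow/deny rules in declaration order and flags directives shadowed by an earlier rule. The function names are hypothetical, and allowing a client when no rule matches is an assumption about the module's fallback that this page does not state.

```python
import ipaddress
import re

# One "allow|deny <address | CIDR | all>;" directive; comment lines do not match.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;", re.MULTILINE)

# Constructed inputs: the bodies of the two location blocks shown on this page.
GOOD = """
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
  deny    all;
"""
BAD = """
  deny    all;
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
"""

def parse_rules(block):
    """Return [(action, network)] in declaration order; network None means 'all'."""
    rules = []
    for action, target in RULE_RE.findall(block):
        # strict=False accepts 10.1.1.0/16 even though its host bits are set.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client):
    """Apply the first rule that matches the client address."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"  # assumption: with no matching rule, access is not restricted

def unreachable(rules):
    """Indexes of rules fully covered by an earlier rule, so never applied."""
    dead = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier is None or (net is not None and net.version == earlier.version and net.subnet_of(earlier)):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    print([(decide(parse_rules(b), "192.168.1.7"), unreachable(parse_rules(b))) for b in (GOOD, BAD)])
```

Running `unreachable` over a location block before deployment catches the reordering mistake shown above: every directive placed after `deny all` is reported as dead.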

If you are using many access rules, consider the GeoIP module, which is a preferred alternative to the Access module.

Directives

allow

syntax: allow [ address | CIDR | all ]

default: no

context: http, server, location, limit_except

This directive grants access to the indicated network or addresses.


deny

syntax: deny [ address | CIDR | all ]

default: no

context: http, server, location, limit_except

This directive forbids access for the indicated network or addresses.

Tips & Tricks

The NginxHttpAccessModule can be used in conjunction with the error_page directive to redirect unauthorised visitors to an alternative site:

error_page  403  http://example.com/forbidden.html;
location / {
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
  deny    all;
}

References

Original Documentation