HttpAccessModule

WARNING: this article is obsoleted. Please refer to http://nginx.org/en/docs/ for the latest official documentation.

= Synopsis = This module provides a simple host-based access control.

Module nginx_http_access_module makes it possible to control access for specific IP-addresses of clients. Since nginx 08.22 IPv6 is supported.

Access rules are checked according to the order of their declaration. The first rule that matches a particular address or set of addresses is the one that is obeyed.

Example configuration: location / { deny   192.168.1.1; allow  192.168.1.0/24; allow  10.1.1.0/16; allow  2620:100:e000::8001; deny   all; }

In this example access is granted to networks 10.1.1.0/16 and 192.168.1.0/24 with the exception of address 192.168.1.1, which is denied access together with all other addresses as defined by the deny all rule that is matched last in this location block. In addition it allows one specific IPv6 address. All others would be denied.

Note that the order of the deny/allow is of the utmost importance. If you're coming from the Apache world you might be tempted to think that you can switch the access directives order and everything will work. In fact it doesn't. Switching the order in the above example has the result of denying access to all addresses. Consider the following incorrect situation:

location / { # This always returns a 403. Probably it isn't what you want. deny all; # These directives are never reached. Since there's deny all as the first one. deny   192.168.1.1; allow  192.168.1.0/24; allow  10.1.1.0/1 }

If you are using many access rules you should consider that the GeoIP module is a preferred alternative to the Access module.

= Directives =

allow


Directive grants access for the network or addresses indicated.

deny


Directive forbids access for the network or addresses indicated.

= Tips & Tricks =

The NginxHttpAccessModule can be used in conjunction with the error_page directive to redirect unauthorised visitors to an alternative site:

error_page 403  http://example.com/forbidden.html; location / { deny   192.168.1.1; allow  192.168.1.0/24; allow  10.1.1.0/16; deny   all; }

= References = Original Documentation