How do I block or deny access based on the host name or IP address of the client visiting website under nginx web server?
Nginx comes with a simple module called ngx_http_access_module to allow or deny access to IP address. The syntax is as follows:
deny IP; deny subnet; allow IP; allow subnet; # block all ips deny all; # allow all ips allow all;
Note rules are checked in the order of their record to the first match.
How Do I Configure Nginx To Block IPs?
Edit nginx.conf file, enter (note my nginx path is set to /usr/local/nginx/, replace this according to your setup):
# cd /usr/local/nginx/conf/
# vi nginx.conf
Add the following line in http section:
## Block spammers and other unwanted visitors ##
include blockips.conf;Save and close the file. Finally, create blockips.conf in /usr/local/nginx/conf/, enter:
# vi blockips.conf
Append / add entries as follows:
deny 1.2.3.4; deny 91.212.45.0/24; deny 91.212.65.0/24;
Save and close the file. Test the config file, enter:
# /usr/local/nginx/sbin/nginx -t
Sample outputs:
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload the new config, enter:
# /usr/local/nginx/sbin/nginx -s reload
How Do I Deny All and Allow Only Intranet/LAN IPs?
Edit config file as follows:
location / {
# block one workstation
deny 192.168.1.1;
# allow anyone in 192.168.1.0/24
allow 192.168.1.0/24;
# drop rest of the world
deny all;
}Granted access to network 192.168.1.0/24 with the exception of the address 192.168.1.1.
How Do I Customize HTTP 403 Forbidden Error Messages?
Create a file called error403.html in default document root, enter:
# cd /usr/local/nginx/html
# vi error403.html
<html> <head><title>Error 403 - IP Address Blocked</title></head> <body> Your IP Address is blocked. If you this an error, please contact webmaster with your IP at webmaster@example.com </body> </html>
If SSI enabled, you can display the client IP easily from the html page itself:
Your IP Address is <!--#echo var="REMOTE_ADDR" --> blocked.
Save and close the file. Edit your nginx.conf file, enter:
# vi nginx.conf
# redirect server error pages to the static page error_page 403 /error403.html; location = /error403.html { root html; }
Save and close the file. Reload nginx, enter:
# /usr/local/nginx/sbin/nginx -s reload
See also:
References:
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -
{ 9 comments… read them below or add one }
I am not a administrator. how i can stop 403 error..
Please tell me..
My all downloading is block and e found error 403 & 404..please solve it.
You can’t, it is a server side configuration. Only server admin can configure and allow or deny access.
Its working good, but how to redirect blocked IP to 404 page?
How do I get Live Journal to unblock my IP Adress? Administrators need to make sure that the IP Address that they are blocking is malicious first, and stop blocking genuine customers.
[emerg]: unknown directive “deny” in blockips.conf
put
include blockips.conf
inside of http brackets:
http {
include blockips.conf
#other options..
}
I have the same problem. Cant google it anyhow.
unknown directive “deny”…
Although nginx -V does not show any signs of “disinclussion” of the module. So I’m guessing its enabled? Any help appreciated.
My upstream load balancer use SNAT, so in Nginx it sees all source IP as load balancer IP.
Is there a way in Nginx to find out the real IP of client browser in order to use ngx_http_access_module?
Thanks!
Use X-Real-Ip when request comes from another proxy or L7 load balancer. See how to install and configure HttpRealIpModule.