
Nginx Block And Deny IP Address OR Network Subnets

How do I block or deny access based on the host name or IP address of a client visiting a website served by the nginx web server?

Nginx comes with a simple module called ngx_http_access_module that allows or denies access based on the client IP address. The syntax is as follows:

deny IP;
deny subnet;
allow IP;
allow subnet;
# block all ips
deny    all;
# allow all ips
allow    all;

Note: rules are checked in the order in which they are written, until the first match is found.

How Do I Configure Nginx To Block IPs?

Edit the nginx.conf file (note my nginx path is set to /usr/local/nginx/; replace this according to your setup):
# cd /usr/local/nginx/conf/
# vi nginx.conf

Add the following line in the http section:

## Block spammers and other unwanted visitors  ##
 include blockips.conf;

Save and close the file. Finally, create blockips.conf in /usr/local/nginx/conf/, enter:
# vi blockips.conf
Append / add entries as follows:

deny 1.2.3.4;
deny 91.212.45.0/24;
deny 91.212.65.0/24;
 

Save and close the file. Test the config file, enter:
# /usr/local/nginx/sbin/nginx -t
Sample outputs:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

Reload the new config, enter:
# /usr/local/nginx/sbin/nginx -s reload
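
The following is an added example, not part of the original article: one way to generate the contents of blockips.conf from a raw list of addresses, so that malformed entries are rejected before nginx -t ever sees them and redundant entries are collapsed. The function name build_blocklist and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: raw entries as collected from a log review.
RAW_ENTRIES = [
    "1.2.3.4",
    "91.212.45.0/24",
    "91.212.45.17",      # already covered by the /24 above
    "91.212.65.7/24",    # host bits set; normalised to 91.212.65.0/24
    "172.16.0.64/100",   # invalid: an IPv4 prefix length is 0 to 32
    "not-an-ip",
]


def build_blocklist(entries):
    """Return (conf_text, rejected) for an include file of deny rules."""
    networks, rejected = [], []
    for raw in entries:
        try:
            # strict=False masks off host bits instead of raising
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            rejected.append(raw)  # never written to the file

    lines = []
    for version in (4, 6):
        same_family = [n for n in networks if n.version == version]
        # collapse_addresses drops duplicates, drops entries covered by a
        # wider network, and merges adjacent networks into one
        for net in ipaddress.collapse_addresses(same_family):
            if net.prefixlen == net.max_prefixlen:
                lines.append(f"deny {net.network_address};")
            else:
                lines.append(f"deny {net};")
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    conf, rejected = build_blocklist(RAW_ENTRIES)
    print(conf, end="")
    for bad in rejected:
        print(f"# rejected: {bad}")
```

Write the returned text to blockips.conf, then run the nginx -t and reload steps shown above.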

How Do I Deny All and Allow Only Intranet/LAN IPs?

Edit config file as follows:

location / {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world
  deny    all;
}

This grants access to the network 192.168.1.0/24 with the exception of the address 192.168.1.1; everyone else is denied.
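
The following is an added example, not part of the original article: a small model of the first-match evaluation described above, run over the rules from this location block and over a reordered copy to show why the narrow deny has to come before the wider allow. The function names parse_rules and decide are assumptions made for illustration; nginx itself does the real evaluation.

```python
import ipaddress

# Rules exactly as in the location block above.
PAGE_RULES = """
deny    192.168.1.1;
allow   192.168.1.0/24;
deny    all;
"""

# Constructed variant: same rules, but the wide allow comes first.
REORDERED_RULES = """
allow   192.168.1.0/24;
deny    192.168.1.1;
deny    all;
"""


def parse_rules(conf_text):
    """Parse allow/deny directives into (action, network or None) in file order."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in: {line!r}")
        action, target = line.rstrip(";").split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive: {action!r}")
        # None stands for the special parameter "all"
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client_ip):
    """Return the action of the first matching rule; allow if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"


if __name__ == "__main__":
    for name, text in (("page order", PAGE_RULES), ("reordered", REORDERED_RULES)):
        rules = parse_rules(text)
        for ip in ("192.168.1.1", "192.168.1.50", "203.0.113.9"):
            print(f"{name:10} {ip:14} -> {decide(rules, ip)}")
```

In the reordered copy the rule deny 192.168.1.1 is never reached, because allow 192.168.1.0/24 already matched that address.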

How Do I Customize HTTP 403 Forbidden Error Messages?

Create a file called error403.html in the default document root, enter:
# cd /usr/local/nginx/html
# vi error403.html

<html>
<head><title>Error 403 - IP Address Blocked</title></head>
<body>
Your IP Address is blocked. If you think this is an error, please contact webmaster with your IP at webmaster@example.com
</body>
</html>
 

If SSI is enabled, you can display the client IP easily from the html page itself:

Your IP Address is <!--#echo var="REMOTE_ADDR" --> blocked.

Save and close the file. Edit your nginx.conf file, enter:
# vi nginx.conf

# redirect server error pages to the static page
 error_page   403  /error403.html;
 location = /error403.html {
         root   html;
 }

Save and close the file. Reload nginx, enter:
# /usr/local/nginx/sbin/nginx -s reload


{ 15 comments… add one }

  • KKKKK April 14, 2010, 11:30 am

    I am not an administrator. How can I stop the 403 error..
    Please tell me..
    All my downloading is blocked and I found error 403 & 404.. please solve it.

    • nixCraft April 14, 2010, 11:50 am

      You can’t, it is a server side configuration. Only server admin can configure and allow or deny access.

  • Khupcom November 5, 2010, 9:19 pm

    It’s working good, but how to redirect blocked IP to 404 page?

  • Camella April 12, 2011, 1:21 pm

    How do I get Live Journal to unblock my IP Address? Administrators need to make sure that the IP Address that they are blocking is malicious first, and stop blocking genuine customers.

  • panchicore April 14, 2011, 2:15 am

    [emerg]: unknown directive “deny” in blockips.conf

    • p0rsche December 26, 2011, 6:55 am

      put
      include blockips.conf;
      inside of http brackets:
      http {
      include blockips.conf;
      #other options..
      }

  • Duhec July 23, 2011, 10:38 pm

    I have the same problem. Can’t google it anyhow.
    unknown directive “deny”…

    Although nginx -V does not show any signs of “disinclusion” of the module. So I’m guessing it’s enabled? Any help appreciated.

  • Kelvin Loke October 5, 2011, 10:28 am

    My upstream load balancer uses SNAT, so in Nginx it sees all source IP as load balancer IP.

    Is there a way in Nginx to find out the real IP of client browser in order to use ngx_http_access_module?

    Thanks!

    • nixCraft October 5, 2011, 12:41 pm

      Use X-Real-Ip when request comes from another proxy or L7 load balancer. See how to install and configure HttpRealIpModule.

  • wayne August 30, 2012, 6:59 pm

    Excellent post. I already knew how to use the deny / allow, but didn’t know you could include other files. Ideas are now brewing in my head.

  • bill April 27, 2013, 11:36 am

    Very interesting article. I notice lots of entries in my access log such as the following
    from this morning: 79.142.224.144

    \xFB\x81\xF1`\xC7k\x12L\x09PS\xB8\xDB\xD0\xAC9\xF5 \xE4k\xB0\x80\x929\xCA\x8E\x93e\xF3\xFEf$\x1B\x87z7\x8C\x96Iy\xB1L/K\xB6&\x12\xC3}\x02J\x1E\xBF\xDE\x22\xE5\xA7\xE82\xD7\xE1\xFDo\xF6\x05o\xCC\xCBE&" 400 172 "-" "-"
    I presume these are attempts to hack into my site. If so, is there a way to block all attempts which use this type of string. Many thanks, Bill
    
  • Peter August 22, 2013, 1:05 pm

    I did that but it won’t work. No error, but I can visit the site with the blocked IP. I’m using the latest version of nginx.

    Have you tested it yourself?

  • Harry DS Alsyundawy December 20, 2013, 12:47 pm

    Excellent post. Tested & Working … Thx

  • Anisuzzaman Khan July 26, 2014, 1:58 pm

    Hi nixcraft, it might be an off-topic but I really need to know about the ip address formatting. On your example you have used “allow 91.212.65.0/24″

    Does it mean that ip 91.212.65.0 to 91.212.65.24 will be allowed for that specific location? My current IP address is xx.xx.xx.223. When I set something like xx.xx.xx.0/230 nginx throws me an error that says: invalid parameter “xx.xx.xx.0/230″

    What is the real deal here?
    Thanks!

  • ade January 2, 2015, 11:41 am

    I get the same problem. I can specify one IP address ok but when I try a range of IPs like:

    allow 172.16.0.64/100;

    I get invalid parameter. Why is this? I want to allow local lan not just one IP address
