
Nginx Block And Deny IP Address OR Network Subnets

How do I block or deny access based on the host name or IP address of a client visiting a website served by the nginx web server?

Nginx comes with a simple module called ngx_http_access_module that allows or denies access based on the client IP address. The syntax is as follows:

deny IP;
deny subnet;
allow IP;
allow subnet;
# block all ips
deny    all;
# allow all ips 
allow    all;

Note: rules are checked in the order in which they are written, and checking stops at the first match.

How Do I Configure Nginx To Block IPs?

Edit the nginx.conf file (note my nginx path is set to /usr/local/nginx/; replace this according to your setup), enter:
# cd /usr/local/nginx/conf/
# vi nginx.conf

Add the following line to the http section:

## Block spammers and other unwanted visitors  ##
 include blockips.conf;

Save and close the file. Finally, create blockips.conf in /usr/local/nginx/conf/, enter:
# vi blockips.conf
Append / add entries as follows:

deny 1.2.3.4;
deny 91.212.45.0/24;
deny 91.212.65.0/24;

Save and close the file. Test the config file, enter:
# /usr/local/nginx/sbin/nginx -t
Sample outputs:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

Reload the new config, enter:
# /usr/local/nginx/sbin/nginx -s reload

How Do I Deny All and Allow Only Intranet/LAN IPs?

Edit the config file as follows:

location / {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world 
  deny    all;
}

This grants access to the network 192.168.1.0/24 with the exception of the address 192.168.1.1; everyone else is denied.
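The first-match rule noted earlier and the LAN example above, modelled as an added Python example (not part of the original article and not nginx code). It is a simplified model that assumes rules of the form "allow|deny <ip|cidr|all>;" only; the function names parse_rules, decide and shadowed are hypothetical.

```python
import ipaddress

# Constructed sample: the article's LAN rules, in the article's order.
SAMPLE_RULES = """
deny    192.168.1.1;      # block one workstation
allow   192.168.1.0/24;
deny    all;
"""
EVERYONE = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

def parse_rules(text):
    """Parse 'allow|deny <ip|cidr|all>;' lines into (action, [networks]) pairs."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.rstrip(";").split()
        if not line.endswith(";") or len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <target>;'")
        try:
            # A bad prefix length such as /100 or /230 on IPv4 raises ValueError.
            nets = EVERYONE if parts[1] == "all" else [ipaddress.ip_network(parts[1], strict=False)]
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        rules.append((parts[0], nets))
    return rules

def decide(rules, client_ip):
    """Action of the first rule that matches; access is allowed if none match."""
    ip = ipaddress.ip_address(client_ip)
    for action, nets in rules:
        if any(ip.version == n.version and ip in n for n in nets):
            return action
    return "allow"

def shadowed(rules):
    """Indexes of rules that can never match: an earlier rule already covers them."""
    dead = []
    for j, (_, nets) in enumerate(rules):
        earlier = [e for _, ns in rules[:j] for e in ns]
        if all(any(n.version == e.version and n.subnet_of(e) for e in earlier) for n in nets):
            dead.append(j)
    return dead

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print({ip: decide(rules, ip) for ip in ("192.168.1.1", "192.168.1.50", "203.0.113.9")})
    print("shadowed rule indexes:", shadowed(rules))
```

Running it over a copy of blockips.conf before nginx -t shows whether a given address, such as your own admin workstation, ends up denied, and whether a reordered rule has become unreachable.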

How Do I Customize HTTP 403 Forbidden Error Messages?

Create a file called error403.html in the default document root, enter:
# cd /usr/local/nginx/html
# vi error403.html

<html>
<head><title>Error 403 - IP Address Blocked</title></head>
<body>
Your IP Address is blocked. If you think this is an error, please contact the webmaster with your IP at webmaster@example.com
</body>
</html>

If SSI is enabled, you can display the client IP easily from the HTML page itself:

Your IP Address is <!--#echo var="REMOTE_ADDR" --> blocked.

Save and close the file. Edit your nginx.conf file, enter:
# vi nginx.conf

# redirect server error pages to the static page
 error_page   403  /error403.html;
 location = /error403.html {
         root   html;
 }

Save and close the file. Reload nginx, enter:
# /usr/local/nginx/sbin/nginx -s reload


19 comments
  • KKKKK April 14, 2010, 11:30 am

    I am not an administrator. How can I stop the 403 error?
    Please tell me.
    All my downloads are blocked and I found errors 403 & 404. Please solve it.

    • nixCraft April 14, 2010, 11:50 am

      You can’t; it is a server-side configuration. Only the server admin can configure and allow or deny access.

  • Khupcom November 5, 2010, 9:19 pm

    It’s working well, but how do I redirect a blocked IP to a 404 page?

  • Camella April 12, 2011, 1:21 pm

    How do I get Live Journal to unblock my IP Address? Administrators need to make sure that the IP Address that they are blocking is malicious first, and stop blocking genuine customers.

  • panchicore April 14, 2011, 2:15 am

    [emerg]: unknown directive “deny” in blockips.conf

    • p0rsche December 26, 2011, 6:55 am

      put
      include blockips.conf;
      inside of http brackets:
      http {
      include blockips.conf;
      #other options..
      }

  • Duhec July 23, 2011, 10:38 pm

    I have the same problem. Can’t google it anyhow.
    unknown directive “deny”…

    Although nginx -V does not show any signs of “disinclusion” of the module. So I’m guessing it’s enabled? Any help appreciated.

  • Kelvin Loke October 5, 2011, 10:28 am

    My upstream load balancer uses SNAT, so Nginx sees every source IP as the load balancer IP.

    Is there a way in Nginx to find out the real IP of client browser in order to use ngx_http_access_module?

    Thanks!

    • nixCraft October 5, 2011, 12:41 pm

      Use X-Real-Ip when the request comes from another proxy or L7 load balancer. See how to install and configure HttpRealIpModule.

  • wayne August 30, 2012, 6:59 pm

    Excellent post. I already knew how to use the deny / allow, but didn’t know you could include other files. Ideas are now brewing in my head.

  • bill April 27, 2013, 11:36 am

    Very interesting article. I notice lots of entries in my access log such as the following
    from this morning: 79.142.224.144

    \xFB\x81\xF1`\xC7k\x12L\x09PS\xB8\xDB\xD0\xAC9\xF5 \xE4k\xB0\x80\x929\xCA\x8E\x93e\xF3\xFEf$\x1B\x87z7\x8C\x96Iy\xB1L/K\xB6&\x12\xC3}\x02J\x1E\xBF\xDE\x22\xE5\xA7\xE82\xD7\xE1\xFDo\xF6\x05o\xCC\xCBE&" 400 172 "-" "-"
    I presume these are attempts to hack into my site. If so, is there a way to block all attempts which use this type of string? Many thanks, Bill

  • Peter August 22, 2013, 1:05 pm

    I did that but it doesn’t work. No error, but I can visit the site with the blocked IP. I’m using the latest version of nginx.

    Have you tested it yourself?

  • Harry DS Alsyundawy December 20, 2013, 12:47 pm

    Excellent post. Tested & Working … Thx

  • Anisuzzaman Khan July 26, 2014, 1:58 pm

    Hi nixcraft, it might be off-topic but I really need to know about the IP address formatting. In your example you have used “allow 91.212.65.0/24”

    Does it mean that IPs 91.212.65.0 to 91.212.65.24 will be allowed for that specific location? My current IP address is xx.xx.xx.223. When I set something like xx.xx.xx.0/230, nginx throws me an error that says: invalid parameter “xx.xx.xx.0/230”

    What is the real deal here?
    Thanks!

  • ade January 2, 2015, 11:41 am

    I get the same problem. I can specify one IP address ok but when I try a range of IPs like:

    allow 172.16.0.64/100;

    I get invalid parameter. Why is this? I want to allow the local LAN, not just one IP address.

  • TiTex September 23, 2015, 7:34 am

    Does anybody know a solution for a setup like:
    – I have 100+ vhosts
    – I have one htaccess file with all the users/passwords for basic auth
    – for some specific vhosts, I want only one or more specific users from the htaccess file to have access, and I don’t want to create another htaccess file for those vhosts.

    This is the relevant part from my active apache2 configuration that I want to convert to nginx:

    AuthUserFile /var/htpasswd/htpasswd
    AuthType Basic
    AuthName "Auth Required"
    Satisfy Any

    Order Deny,Allow
    Deny from all
    Allow from x.x.x.x
    Allow from x.x.x.x
    Require user user_name

  • Wolfram December 28, 2015, 10:29 am

    The /24 is not a range like 0..24. It specifies a bitmask; in this case the first 24 bits are relevant. As there are 8 bits between each dot of an IP address, this means that the first three numbers are relevant and the number after the last dot may be anything from 0 to 255. So you should be fine because 91.212.65.0/24 covers everything from 91.212.65.0 to 91.212.65.255
    See https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation

  • LAYSHA December 29, 2015, 10:33 pm

    Unblock Smallworlds i can’t get on the website now i want my ip address back

  • Ali October 12, 2016, 12:45 am

    Hello there,

    I have 5 servers running behind load balancers.
    What is the best way to implement this configuration? NFS storage? OR rsync to sync the file?

    Please advise.
