HowTo: Nginx Block User Agent

How do I block a http user agent or a software agent using Nginx web server under Linux or Unix like operating systems?

You can block any http user agents with GET / POST requests that scrape your content or try to exploit software vulnerability. Use the following syntax. Edit /usr/local/nginx/conf/nginx.conf file, enter:
# vi /usr/local/nginx/conf/nginx.conf
In this example, block http user agent called wget:

ADVERTISEMENTS

## Block http user agent - wget ##
if ($http_user_agent ~* (Wget) ) {
   return 403;
}
 
## Block Software download user agents ##
     if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
            return 403;
     }

Save and close the file. Reload nginx web server, enter:
# service nginx reload
OR
# /usr/local/nginx/sbin/nginx -s reload

How do I block multiple http user agents?

Use the following syntax:

if ($http_user_agent ~ (agent1|agent2|Foo|Wget|Catall Spider|AcoiRobot) ) {
    return 403;
}

Case insensitive blocking: ~* vs ~

Please note the ~* makes it case insensitive as opposed to just a ~:

### case sensitive http user agent blocking  ###
if ($http_user_agent ~ (Catall Spider|AcoiRobot) ) {
    return 403;
}
### case insensitive http user agent blocking  ###
if ($http_user_agent ~* (foo|bar) ) {
    return 403;
}

See also:

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
10 comments… add one
  • sam Nov 1, 2012 @ 18:56

    How do you put another condition instead of return? can you deny all and only allow a certain ip/subnet with those user agents to go through?

  • Sam Nov 1, 2012 @ 20:49

    How do you put another condition instead of return? can you deny all and only allow a certain ip/subnet with those user agents to go through? any example?

  • cerb Apr 27, 2014 @ 19:51

    i get the following error : “nginx: [emerg] “if” directive is not allowed here in /etc/nginx/nginx.conf:”
    any thoughts?

    • Nigel May 7, 2014 @ 13:57

      You need to make sure your if statement is in the server block.

  • cerb May 22, 2014 @ 18:55

    Thanks Nigel, that did the trick.
    its working perfectly now.

  • Range Dec 20, 2014 @ 8:50

    What is server block meaning ?
    I got the same problem nginx: [emerg] “if” directive is not allowed here

  • John Doe May 28, 2016 @ 4:35

    Question, is how to block a block that spoofs its user-agent, where it’s clear that the user agent is spoofed by the Comments token.
    i.e. the following user-agent string:
    “Mozilla/5.0 (compatible; ACHE/Unknown Version; +https://github.com/ViDA-NYU/ache; )”
    Where we don’t want to be blocking by Mozilla/5.0, but rather want to be blocking by the entire string. (i.e. how to make the instruction look for “ACHE/Unknown Version” within the comments token of the user string.)

    • Mark Nov 10, 2016 @ 20:06

      Thats the real question, what’s the point of blocking useragent when every bot uses Mozilla/5.0, and after that some random shi.t

  • nikhil Aug 29, 2017 @ 14:51

    Even we block http agent here (in my case its Jorgee) ,
    how can we deny it, even without returning 403 for the request.

    • 🐧 Vivek Gite Aug 29, 2017 @ 21:20

      403 is denying it. It won’t able to do anything else on your server.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.