Introduction
Nginx comes with a nifty module that lets us allow or deny access to the directories served by the webserver. The module is named ngx_http_access_module and it allows or denies access based on the client IP address. The syntax can look as follows:

```nginx
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
```
The rules are checked in sequence from top to bottom until the first match is found. In the above example the subnets 10.1.1.0/16 and 192.168.1.0/24 are allowed, with the exception of the single host 192.168.1.1.
The IPv6 range 2001:0db8::/32 is also allowed; the rest of the world is denied access.
How do I use this to secure my website?
Your access list should be included in the nginx.conf file, but I never add the IPs directly into that file. Instead I create a blocklist file with all the IPs that I want to block or allow and include this file from nginx.conf.
That way I can edit the file without being root, and the rules in it are checked every time a user tries to access the website.
Here goes. First of all we need to edit the nginx.conf file, once and for all:
```bash
nano /etc/nginx/nginx.conf
```
Find the http section and add the following lines inside that block:

```nginx
### Include a blocklist file
include /home/mikho/nginx-blockips-inthisfile.conf;
```
Save and exit with Ctrl+X
Time to create the include file itself:

```bash
nano /home/mikho/nginx-blockips-inthisfile.conf
```
Add IPs as you wish; if no deny rule matches, the connection is allowed:

```nginx
deny 192.168.1.1;
deny 192.168.1.2;
# whole subnet; the network address is used so nginx does not warn about host bits
deny 192.168.2.0/24;
```
If you want it to work the other way around and deny everyone that is NOT explicitly allowed in the file, you can add these lines instead:

```nginx
# allow the internal subnet 192.168.1.0/24
allow 192.168.1.0/24;
# drop the rest of the world
deny all;
```
When you are done, Save and Exit with Ctrl+X.
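Because the first matching rule wins, the order of the lines in the blocklist decides who gets in. The following checker is an added example (not from the original post) that parses allow/deny lines and evaluates a client IP the way nginx does, so you can verify a blocklist offline before reloading; the sample rule sets are constructed from the examples above.

```python
# Offline checker for nginx allow/deny rule order (added example, not from the post).
import ipaddress

def parse_rules(config_text):
    """Extract (action, target) pairs from allow/deny lines, skipping comments."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules

def first_match(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip using nginx's first-match rule."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        # strict=False mirrors nginx, which masks host bits such as 192.168.2.1/24
        net = ipaddress.ip_network(target, strict=False)
        if addr.version == net.version and addr in net:
            return action
    return "allow"  # no rule matched: nginx lets the request through

def check(config_text, client_ip):
    return first_match(parse_rules(config_text), client_ip)

# Constructed sample: the rules from the post's first example
DOC_EXAMPLE = """
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
"""

# Constructed sample: same host and subnet, but allow listed before deny
REORDERED = """
allow 192.168.1.0/24;
deny 192.168.1.1;
deny all;
"""

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.5", "2001:db8::1", "8.8.8.8"):
        print(f"{ip:>14} -> {check(DOC_EXAMPLE, ip)}")
    # Order matters: the deny line is now shadowed by the broader allow
    print("reordered 192.168.1.1 ->", check(REORDERED, "192.168.1.1"))
```

Point the script at your real include file to see which rule a given client would hit; a blocked host that still shows as allowed usually means a broader allow line sits above its deny line.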
Test the configuration for typos and other configuration errors with:

```bash
/etc/init.d/nginx configtest
```
If you get an error message, troubleshoot the error and test again until everything is fine.
Reload the configuration with:

```bash
/etc/init.d/nginx force-reload
```
Try it out from different IPs and see the difference.
Customize the HTTP 403 Forbidden Error Message
The default 403 error page is pretty boring so let us create something a little nicer.
Create an HTML file in your webroot folder that should be loaded when the error occurs, and paste this into the file:

```html
<html>
<head><title>Error 403 - Access denied!</title></head>
<body>
You do not have access to this page. Do not try again.
</body>
</html>
```
Then edit your Nginx config file and add this

```nginx
error_page 403 /error403.html;
location /error403.html {
    allow all;
}
```

inside the server block. The example above tells Nginx to display the file error403.html every time a 403 error occurs. We do need to make the exception in the configuration file that everyone is allowed to read this file; otherwise the default 403 error page would be shown instead.
From now on you know how to easily block access to your website and only allow a few selected IPs.