FAQ

Page Discussion Edit History

HttpAccessModule

Contents

Synopsis

This module provides a simple host-based access control.

Module nginx_http_access_module makes it possible to control access for specific IP-addresses of clients. Since nginx 08.22 IPv6 is supported.

Access rules are checked according to the order of their declaration. The first rule that matches a particular address or set of addresses is the one that is obeyed.

Example configuration:

location / {
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
  allow   2620:100:e000::8001;
  deny    all;
}

In this example access is granted to networks 10.1.1.0/16 and 192.168.1.0/24 with the exception of address 192.168.1.1, which is denied access together with all other addresses as defined by the deny all rule that is matched last in this location block. In addition it allows one specific IPv6 address. All others would be denied.

Note that the order of the deny/allow is of the utmost importance. If you're coming from the Apache world you might be tempted to think that you can switch the access directives order and everything will work. In fact it doesn't. Switching the order in the above example has the result of denying access to all addresses. Consider the following incorrect situation:

location / {
  # This always returns a 403. Probably it isn't what you want.
  deny all;
  # These directives are never reached. Since there's deny all as the first one.
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/1
}

If you are using many access rules you should consider that the GeoIP module is a preferred alternative to the Access module.

Directives

allow

Syntax: allow address | CIDR | all
Default:
Context: http
server
location
limit_except
Reference:allow


Directive grants access for the network or addresses indicated.

deny

Syntax: deny address | CIDR | all
Default:
Context: http
server
location
limit_except
Reference:deny


Directive forbids access for the network or addresses indicated.

Tips & Tricks

The NginxHttpAccessModule can be used in conjunction with the error_page directive to redirect unauthorised visitors to an alternative site:

error_page  403  http://example.com/forbidden.html;
location / {
  deny    192.168.1.1;
  allow   192.168.1.0/24;
  allow   10.1.1.0/16;
  deny    all;
}

References

Original Documentation