Restricting access @ Nginx [Solved]

NevilNevil Member
edited March 2016 in Help

I have been using Nginx for years now and usually I have not had any problems, but this one is rather driving me crazy.

I need to restrict access to a folder inside the document root to some IP addresses. So I did this inside the vHost:

location /restrictedfolder/ {
    allow ip1;
    allow ip2;
    allow ipn;
    deny all;
}

Now when I go to domain.com/restrictedfolder I get a 403 as expected with an IP address that is not whitelisted; however, if I go to a file inside that folder, like index.php, it opens up without any issues, while it should also throw a 403 error message.

I even consulted the nginx docs even though I did this so many times before without any issues: https://www.nginx.com/resources/admin-guide/restricting-access/

Am I just dumb or?

Solution: https://www.lowendtalk.com/discussion/comment/1605149/#Comment_1605149

Comments

  • k0nslk0nsl Member

    Did you try regular expressions? I think that would solve it.

    Thanked by 1Nevil
  • NevilNevil Member

    @k0nsl said:
    Did you try regular expressions? I think that would solve it.

    No, I have not.

    Could you help me out a bit? I never really tried regular expressions on access restriction with any web server. The wildcard * does not work, unfortunately :( .

  • k0nslk0nsl Member

    I would imagine something like this to work, but it can be done a lot better:

    location ~* ^/restrictedfolder/.*\.(php|html)$ {
        allow ip1;
        allow ip2;
        allow ipn;
        deny all;
    }
    
    Thanked by 1Nevil
  • NevilNevil Member
    edited March 2016

    @k0nsl said:
    I would imagine something like this to work, but it can be done a lot better:

    I just tried it and it seems that this does not work at all as I can now fully access the sub folder "restrictedfolder" (like the rule has no effect at all).

    I tried some expressions from https://bjornjohansen.no/block-access-to-php-files-with-nginx and it didn't work either. Same effect: the rules had no effect at all.

  • asfasf Member
    location ~ /restricted {
      allow 127.0.0.1;
      deny all;
    }
    
    Thanked by 1Nevil
  • You probably have a location handling .php files. Check out the Nginx docs for location because the order in which the locations are found has significance:

    To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.
    

    In this case, you'll have to do a regular expression that matches both the folder and optionally files ending in .php. I'm thinking that something like @asf's suggestion should work. But be sure to read the docs so you can understand that where you put that directive in the conf file is important and will impact how Nginx handles the request.

    Thanked by 1Nevil
  • TWoTWo Member

    With your first "solution" - did it only not affect *.php files, or every file in that folder?

  • TWoTWo Member
    edited March 2016

    @asf said:

    Better:

    location ^~ /restricted/ {
      allow 127.0.0.1;
      deny all;
    }
    

    "^~" is better because it prevents Nginx from looking further for another match, while just "~" will match the "first" RegEx or use the static prefix.

    Thanked by 2Nevil asf
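
The location search order quoted and discussed above, as an added example that is not part of the original thread: a small Python model of the documented selection rules, run against constructed vhost layouts. It assumes the vhost also has a generic `location ~ \.php$` handler, as the thread suspects; `select_location`, `unguarded` and the sample lists are hypothetical names.

```python
import re

def select_location(locations, uri):
    """Return the (modifier, pattern) nginx's documented search would select.

    locations: (modifier, pattern) tuples in config-file order; modifier is
    one of "", "=", "^~", "~", "~*".
    """
    best = None  # longest matching prefix location, remembered for later
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)              # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best                        # ^~ skips the regex pass entirely
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)          # first regex in file order wins
    return best                            # fall back to remembered prefix

def unguarded(locations, guard, uris):
    """URIs that land in a location other than the one holding allow/deny."""
    return [u for u in uris if select_location(locations, u) != guard]

# Constructed layouts (assumption: a generic PHP handler exists in the vhost).
PHP = ("~", r"\.php$")
PREFIX_GUARD = ("", "/restrictedfolder/")
STOP_GUARD = ("^~", "/restrictedfolder/")
REGEX_GUARD = ("~", "^/restrictedfolder/")

ORIGINAL = [("", "/"), PREFIX_GUARD, PHP]      # plain prefix, as first posted
FIXED = [("", "/"), STOP_GUARD, PHP]           # the ^~ variant
REGEX_LATE = [("", "/"), PHP, REGEX_GUARD]     # regex guard after PHP handler
REGEX_EARLY = [("", "/"), REGEX_GUARD, PHP]    # regex guard before PHP handler

URIS = ["/restrictedfolder/", "/restrictedfolder/notes.txt",
        "/restrictedfolder/index.php"]

if __name__ == "__main__":
    for name, cfg, guard in [("original", ORIGINAL, PREFIX_GUARD),
                             ("^~ prefix", FIXED, STOP_GUARD),
                             ("regex late", REGEX_LATE, REGEX_GUARD),
                             ("regex early", REGEX_EARLY, REGEX_GUARD)]:
        print(f"{name:12} bypasses allow/deny for: {unguarded(cfg, guard, URIS)}")
```

In the `^~` layout the `.php` request no longer reaches the generic PHP handler at all, which is why a later post in the thread nests a `location ~ \.php$` inside the restricted block.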
  • NevilNevil Member

    @TWo said:
    With your first "solution" - did it only not affect *.php files, or every file in that folder?

    Any file and sub folder of restrictedfolder was viewable.

    @asf & @JustAMacUser thanks I'll read more and try it out.

  • NevilNevil Member

    @TWo said:
    Better

    That works. Thank you.

  • TWoTWo Member

    @Nevil Can you share your whole config? location blocks in Nginx are not straightforward. From what you describe there seems to be a conflicting location block. The "^~" modifier should handle that as it prevents further searching for a location match. But I would check the whole config for RegEx locations (e.g. for setting expire).

  • asfasf Member

    @TWo yes.. :)

    ..and don't forget to add something like this inside the vHost if you run .php from that folder...

    location ^~ /restrictedfolder {
      allow 127.0.0.1;
      allow 127.0.0.2;
      allow 127.0.0.3;
      deny all;
    
      location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_pass php-backend;
      }
    }
    
  • TWoTWo Member
    edited March 2016

    Like @JustAMacUser was assuming. The "~ .php$" was matching every request which ends in .php, no matter the path.

    Your location block for php is dangerous. You should either add sth. like "try_files $uri =404;" or disable cgi.fix_pathinfo
