SoFunction
Updated on 2025-05-12

Using the allow and deny directives in Nginx configuration

Introduction

In Nginx configuration, the allow and deny directives implement IP-address-based access control, letting administrators decide which clients may reach a resource. This article covers the configuration syntax, priority rules, typical use cases and optimization techniques for these two directives.

  • allow: permits access from the specified IP address or network segment.
  • deny: blocks access from the specified IP address or network segment.

Directive overview and basic syntax

allow and deny belong to the ngx_http_access_module module, which is built into Nginx by default (unless it was disabled at compile time with --without-http_access_module). The syntax is:

allow <IP address | CIDR | unix: | all>;
deny <IP address | CIDR | unix: | all>;
  • IP address: IPv4 (such as 192.168.1.1) and IPv6 (such as 2001:0db8::/32) are supported.
  • CIDR: denotes an IP range (such as 192.168.1.0/24).
  • unix:: allows or denies access over Unix domain sockets (requires Nginx 1.5.1+).
  • all: matches every address.

Priority and execution order

Nginx applies a "sequential, first match wins" rule:

  • Rules are checked one by one in configuration order; the first match takes effect immediately and all subsequent rules are ignored.
  • Access is allowed by default unless a deny all; is written explicitly to reject everything else.

Example analysis

location / {
    deny 192.168.1.1;        # Reject a single IP
    allow 192.168.1.0/24;    # Allow the entire network segment
    deny all;                # Deny all other IPs
}
  • 192.168.1.1 matches the first rule (deny) and is rejected outright.
  • Other IPs in the segment (such as 192.168.1.2) match the allow rule and are let through.
  • IPs outside the segment (such as 10.0.0.1) fall through to deny all and are rejected.

Typical application scenarios

Restrict management background access

location /admin {
    allow 192.168.1.0/24;
    deny all;
    error_page 403 /custom_403.html;  # Customize the error page
}

Only the intranet segment may access /admin; every other IP receives a 403 and is served the custom page.

Whitelisting an API endpoint

location /api {
    allow 203.0.113.5;
    deny all;
    proxy_pass http://backend;
}

Only the listed IP may call the API, blocking unauthorized clients.

Per-path access control

location /public {
    allow all;
}

location /private {
    allow 10.0.0.0/8;
    deny all;
}

Each path gets its own access policy, balancing flexibility and security.

Advanced configuration tips

Obtaining the real client IP behind a reverse proxy

When Nginx sits behind a proxy, the real client IP has to be recovered from X-Forwarded-For:

set_real_ip_from 10.0.0.0/8;    # Trusted proxy server IP range
real_ip_header X-Forwarded-For;
real_ip_recursive on;           # Skip trusted proxy hops to reach the real client IP

This prevents the proxy server's IP from being treated as the client address.
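The following added example (not from the original article or from Nginx itself) models how the set_real_ip_from / real_ip_recursive combination above selects the client address from an X-Forwarded-For chain, so the effect of each setting on allow/deny decisions can be seen. The trusted range 10.0.0.0/8 comes from the configuration above; the addresses in the sample chains are constructed, and the model simplifies Nginx's handling of malformed header values.

```python
import ipaddress

# Trusted proxy range, taken from the article's set_real_ip_from directive.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    """True if ip falls inside one of the set_real_ip_from ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in TRUSTED_PROXIES)


def real_client_ip(remote_addr, xff_header, recursive=True):
    """Simplified model of the address Nginx uses for allow/deny after real_ip_header.

    remote_addr: the TCP peer that connected to Nginx.
    xff_header:  the X-Forwarded-For value ("" if absent), leftmost hop first.
    recursive:   real_ip_recursive on/off.
    """
    # Header sent by an untrusted peer is ignored entirely, so it cannot be spoofed
    # from the public side to bypass allow/deny.
    if not is_trusted(remote_addr):
        return remote_addr
    chain = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not chain:
        return remote_addr
    if not recursive:
        return chain[-1]  # real_ip_recursive off: only the last hop is used
    # real_ip_recursive on: walk right to left, skipping trusted proxy hops.
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return chain[0]  # every hop was a trusted proxy; fall back to the leftmost


if __name__ == "__main__":
    # Constructed chains: client 203.0.113.5 -> proxy 10.0.0.9 -> proxy 10.0.0.7 -> Nginx
    print(real_client_ip("10.0.0.7", "203.0.113.5, 10.0.0.9"))
    print(real_client_ip("10.0.0.7", "203.0.113.5, 10.0.0.9", recursive=False))
    print(real_client_ip("198.51.100.2", "10.0.0.5"))
```

With recursive on the two-proxy chain resolves to 203.0.113.5; with it off the access rules would see 10.0.0.9, which is exactly the misjudgment the article warns about.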

Using the geo module to optimize performance

With a large number of IP rules, the geo module improves matching efficiency:

geo $blocked_ip {
    default 0;
    192.168.1.0/24 1;
    10.0.0.5 1;
}

server {
    if ($blocked_ip) {
        return 403;
    }
}

The match result is precomputed per address, reducing the overhead of evaluating rules at request time.

Dynamic blocking and automation

Combine Fail2ban or iptables to block malicious IPs automatically:

  • Log monitoring: configure Nginx to write access logs.
  • Rule linkage: after analysing the logs, Fail2ban updates an Nginx blacklist file, which is loaded through the include directive.

FAQs and pitfalls

Wrong rule order creates a hole

Incorrect example:

allow all;
deny 192.168.1.1;  # This rule never takes effect!

The correct form places the deny first, then the allow:

deny 192.168.1.1;
allow all;
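As an added example (not part of the original article and not Nginx code), the following Python model implements the "sequential, first match wins" evaluation described in the priority section and flags rules that can never match, such as the deny in the incorrect example above. The rule snippets it parses are the article's own; everything else is constructed for illustration.

```python
import ipaddress

# Minimal model of ngx_http_access_module's first-match evaluation. It exists only to
# show how rule order decides the outcome; it does not replace testing the real config.


def parse_rules(config_text):
    """Parse lines like 'deny 192.168.1.1;' or 'allow all;' into (action, network) pairs."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def check_access(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip: first matching rule wins, no match means allow."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # Nginx's default when no rule matches


def unreachable_rules(rules):
    """Indices of rules fully shadowed by an earlier rule, i.e. rules that can never fire."""
    dead = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier is None or (net is not None and net.version == earlier.version
                                   and net.subnet_of(earlier)):
                dead.append(i)
                break
    return dead


# The article's 'location /' example and its incorrect ordering example.
LOCATION_ROOT = "deny 192.168.1.1;\nallow 192.168.1.0/24;\ndeny all;\n"
MISORDERED = "allow all;\ndeny 192.168.1.1;\n"

if __name__ == "__main__":
    rules = parse_rules(LOCATION_ROOT)
    for ip in ("192.168.1.1", "192.168.1.2", "10.0.0.1"):
        print(ip, "->", check_access(rules, ip))
    print("shadowed rule indices in misordered config:", unreachable_rules(parse_rules(MISORDERED)))
```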

Real IP not configured behind a reverse proxy

Without real_ip_header, allow/deny may be evaluated against the proxy server's IP rather than the client's, producing wrong blocks.

IPv4/IPv6 compatibility

IPv6 addresses must be listed explicitly if they are to be controlled independently:

allow 2001:0db8::/32;
deny 2001:0db8::1;

Performance optimization suggestions

  • Merge rules: use CIDR to reduce the number of entries, for example merging several /24 ranges into a /16.
  • File management: pull rules in from external files with include to improve maintainability:
    include /etc/nginx//;
    deny all;

  • Avoid overusing if: the if directive can cause performance problems; prefer configuring rules in location or server blocks.

Summary

allow and deny are the core directives for IP access control in Nginx. Key points:

  • Order determines priority; rules are evaluated from top to bottom.
  • Behind a reverse proxy, configure real IP recovery to avoid wrong decisions.
  • For performance, merge rules, use the geo module, and integrate dynamic blocking tools.

With well-designed rules, sensitive endpoints can be protected and malicious traffic resisted while the service stays efficient and stable.
