In the daily management of web servers, it is sometimes necessary to restrict access from specific IP addresses or IP segments to protect the security of the website. As a high-performance HTTP and reverse proxy server, Nginx provides flexible configuration options to meet this requirement. This article explains in detail how to use Nginx to block a single IP address and an IP segment.
1. Block a single IP address
1.1 Edit Nginx configuration file
First, you need to edit the Nginx configuration file. Usually, this file is located in the /etc/nginx/ or /etc/nginx/// directory. You can open it with any text editor, for example:
sudo nano /etc/nginx/
Or if you have multiple site configuration files, you can find the corresponding .conf file in the /etc/nginx// directory:
sudo nano /etc/nginx//
1.2 Add blocking rules
Add the following configuration to the server block or location block whose access needs to be restricted:
server {
    listen 80;
    server_name ;
    location / {
        # Other configurations...
        # Block a single IP
        deny 192.168.1.100;
        # Allow all other IPs
        allow all;
    }
}
1.3 Save and test the configuration
After saving the file, use the following command to check if the Nginx configuration is correct:
sudo nginx -t
If the configuration is correct, restart Nginx to make the changes take effect:
sudo systemctl restart nginx
2. Block IP segments
2.1 Edit Nginx configuration file
Similarly, edit Nginx's configuration file:
sudo nano /etc/nginx/
or
sudo nano /etc/nginx//
2.2 Add blocking rules
Add the following configuration to the server block or location block whose access needs to be restricted:
server {
    listen 80;
    server_name ;
    location / {
        # Other configurations...
        # Block IP segments
        deny 192.168.1.0/24;
        # Allow all other IPs
        allow all;
    }
}
2.3 Save and test the configuration
After saving the file, use the following command to check if the Nginx configuration is correct:
sudo nginx -t
If the configuration is correct, restart Nginx to make the changes take effect:
sudo systemctl restart nginx
3. Use Geo module to block multiple IP segments
For situations where multiple IP segments need to be blocked, Nginx's Geo module can be used to simplify configuration.
3.1 Edit Nginx configuration file
Edit Nginx's main configuration file /etc/nginx/, and define a geo block in the http block:
http {
    geo $bad_ip {
        default 0;
        192.168.1.0/24 1;
        10.0.0.0/8 1;
    }
    server {
        listen 80;
        server_name ;
        location / {
            if ($bad_ip) {
                return 403;
            }
            # Other configurations...
        }
    }
}
3.2 Save and test the configuration
After saving the file, use the following command to check if the Nginx configuration is correct:
sudo nginx -t
If the configuration is correct, restart Nginx to make the changes take effect:
sudo systemctl restart nginx
With the above steps, you can easily block a single IP address or IP segment using Nginx. These configurations not only help improve the security of the website, but also effectively prevent malicious attacks.
Nginx is a high-performance HTTP and reverse proxy server, which is often used in website load balancing, static file services and other scenarios. In some cases, you may need to block specific IP addresses or IP segments to prevent malicious access or protect server resources.
4. Method supplement
Block a single IP address
Assuming you need to block the IP address 192.168.1.100, you can add the following to the Nginx configuration file:
http {
    # Define a restriction rule
    geo $bad_client {
        default 0;
        192.168.1.100 1;
    }
    server {
        listen 80;
        server_name ;
        location / {
            if ($bad_client) {
                return 403;
            }
            # Other configurations
        }
    }
}
Block IP segments
Assuming you need to block IP segment 192.168.1.0/24, you can add the following to the Nginx configuration file:
http {
    # Define a restriction rule
    geo $bad_client {
        default 0;
        192.168.1.0/24 1;
    }
    server {
        listen 80;
        server_name ;
        location / {
            if ($bad_client) {
                return 403;
            }
            # Other configurations
        }
    }
}
Use the deny directive
In addition to using the geo module, you can also use the deny directive to block IP addresses or IP segments directly. For example:
1. Block a single IP address
server {
    listen 80;
    server_name ;
    location / {
        deny 192.168.1.100;
        allow all;
        # Other configurations
    }
}
2. Block IP segments
server {
    listen 80;
    server_name ;
    location / {
        deny 192.168.1.0/24;
        allow all;
        # Other configurations
    }
}
3. Multiple IP addresses and IP segments
If you need to block multiple IP addresses or IP segments, you can list them together:
server {
    listen 80;
    server_name ;
    location / {
        deny 192.168.1.100;
        deny 192.168.1.101;
        deny 192.168.1.0/24;
        allow all;
        # Other configurations
    }
}
Reload Nginx configuration
After modifying the configuration file, Nginx needs to be reloaded for the changes to take effect. You can use the following command:
sudo nginx -s reload
In this way, Nginx operates based on the new configuration file, blocking the specified IP address or IP segment.
In Nginx, blocking a specific IP address or IP segment can be achieved by modifying the Nginx configuration file. This usually involves using allow and deny directives to control access. Here are the specific steps and example codes for how to block a single IP address and IP segment in Nginx.
Block a single IP address
To block the IP address 192.168.1.100, add the following content to the Nginx configuration file:
http {
    # Other configurations...
    server {
        listen 80;
        server_name ;
        location / {
            # Block the specific IP (must come before allow all)
            deny 192.168.1.100;
            # Allow all other IP access
            allow all;
            # Other configurations...
        }
    }
}
Block IP segments
To block the IP segment 192.168.1.0/24, add the following content to the Nginx configuration file:
http {
    # Other configurations...
    server {
        listen 80;
        server_name ;
        location / {
            # Block the specific IP segment (must come before allow all)
            deny 192.168.1.0/24;
            # Allow all other IP access
            allow all;
            # Other configurations...
        }
    }
}
Allow access to specific IP or IP segments
If you want to allow access only from specific IPs or IP segments, use the allow directive followed by deny all. For example, to allow access only from 192.168.1.100 and 192.168.1.0/24:
http {
    # Other configurations...
    server {
        listen 80;
        server_name ;
        location / {
            # Allow specific IPs
            allow 192.168.1.100;
            # Allow specific IP segments
            allow 192.168.1.0/24;
            # Deny all other IP access (must come after the allow rules)
            deny all;
            # Other configurations...
        }
    }
}
Save and test the configuration
After modifying the Nginx configuration file, you need to save the file and reload Nginx for the changes to take effect. You can use the following command to test if the syntax of the configuration file is correct and reload Nginx:
sudo nginx -t
sudo systemctl reload nginx
Or, if you are using a different system management tool, you can use the corresponding command to reload Nginx.
Things to note
Order is important: Nginx checks allow and deny directives in the order in which they appear and stops at the first rule that matches, so a specific deny must come before allow all, and specific allow rules must come before deny all.
Test Impact: Before applying these rules in a production environment, it is recommended to test in a test environment to ensure that legitimate users are not accidentally blocked.
Logging: To record blocked requests, add the corresponding logging in Nginx's log configuration.
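The ordering rule in the notes above can be checked before a rule set is deployed. The following is an added example, not part of the original article: a small Python model of first-match evaluation for allow and deny directives that also flags rules that can never match. The function names and sample rule sets are constructed for illustration, and only IP, CIDR and all targets are handled.

```python
import ipaddress
import re

# Matches "allow <target>;" / "deny <target>;" at the start of a line (comment lines are skipped).
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^\s;]+)\s*;", re.MULTILINE)

def parse_rules(config_text):
    """Extract allow/deny directives from one location block, in file order."""
    rules = []
    for action, target in RULE_RE.findall(config_text):
        if target == "all":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets = [ipaddress.ip_network(target, strict=False)]
        rules.append((action, target, nets))
    return rules

def decide(rules, client_ip):
    """First matching rule wins; a client matching no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, _, nets in rules:
        if any(ip.version == n.version and ip in n for n in nets):
            return action
    return "allow"

def shadowed(rules):
    """Return directives that can never match because an earlier rule covers them."""
    dead = []
    for i, (action, target, nets) in enumerate(rules):
        earlier = [n for _, _, ns in rules[:i] for n in ns]
        if all(any(n.version == e.version and n.subnet_of(e) for e in earlier) for n in nets):
            dead.append(f"{action} {target}")
    return dead

# Constructed sample rule sets using the addresses from the article.
DENY_FIRST = "deny 192.168.1.100;\nallow all;\n"
ALLOW_FIRST = "allow all;\ndeny 192.168.1.100;\n"
ALLOWLIST = "allow 192.168.1.0/24;\ndeny all;\n"

if __name__ == "__main__":
    for name, cfg in [("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)]:
        rules = parse_rules(cfg)
        print(name, decide(rules, "192.168.1.100"), "dead rules:", shadowed(rules))
```

With allow all placed first, the deny for 192.168.1.100 is reported as a dead rule and the client is still allowed.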