Blocking IPs on Nginx


Hello, friends. In this post, you will learn how to block IP addresses in Nginx. This gives you fine-grained control over who can access the server.

Nginx is one of the best web servers available today. Its speed in processing requests makes it very popular among sysadmins. It is also very flexible, which makes it suitable for many situations.

There comes a point when you need to limit access for certain computers or IP addresses. This is useful in enterprise environments where not every computer should be able to access certain applications or websites.

So let’s go.

Blocking IPs with Nginx

According to the Nginx documentation, the ngx_http_access_module module allows limiting access to certain client addresses.

This allows you to have allow and deny rules to control the IP addresses that can access certain Nginx server resources.

So let’s go through some configuration examples.

Blocking an IP from accessing your site

In this case, a given IP address must not be able to access your site at all.

To achieve this, open the site configuration file (the server block, or virtual host, as it is called in Apache) and add something like this:

location / {
    # Replace [IP] with the client address to block
    deny [IP];
}

In this way, the specified IP address is denied access to the root of the website. That is, the site itself.

You can specify the IP address in either IPv4 or IPv6 and Nginx will fully recognize it.

Then save the changes and close the editor. To apply them, reload the service:

sudo systemctl reload nginx

Block an IP address from a subdirectory

Sometimes the restriction you want to impose is not so drastic, and you only want to apply it to a specific subdirectory.

In this case, modify the previous rule slightly to define this new directive:

location /subdirectory {
    deny 3.4.5.6;
}

Here, the IP address 3.4.5.6 is denied access to the /subdirectory path. Again, you have to save the changes and then reload Nginx for it to take effect.

Allow access to a single IP address

Sometimes we need to do the reverse: allow access to only one IP address and deny access to the rest.

You can do this by combining the allow and deny rules, allowing one address and denying all others:

location / {
    allow 3.4.5.6;
    deny all;
}

In this case, access is allowed to the IP address 3.4.5.6 but denied to the rest. Therefore, it will only be accessible from a single IP address.

More examples of Blocking IPs in Nginx

There are other ways to use these rules. One of them is to block an IP address not from the whole site but from a subdomain.

In this case, you edit not the location block of the site but the more general server block:

server {
    server_name subdomain.unixcop.com;
    deny 7.8.9.10;
}

Block IP ranges

Of course, you can also block several IP addresses at once by specifying a range.

location / {
    deny 192.168.1.0/24;
    allow all;
}

This way, you can quickly deny a range of IP addresses on a network and allow the rest.
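
Nginx checks allow and deny rules in the order they are written and stops at the first match, so swapping two lines changes the result. The Python sketch below is an added example, not part of the original article or of Nginx; the function names parse_rules and decide and the sample rule sets are illustrative, modeled on the configurations above. It shows which clients a rule list admits before you reload.

```python
import ipaddress

def parse_rules(text):
    """Parse 'allow X;' / 'deny X;' lines into ordered (action, network) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        if target == "all":
            rules.append((action, None))  # None matches every client
        else:
            # strict=False tolerates host bits set in a CIDR (192.168.1.1/24)
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules

def decide(rules, client):
    """Return 'allow' or 'deny' for a client address; the first match wins."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # no rule matched, so access is not restricted

# Constructed rule sets modeled on the article's examples.
SINGLE_ALLOW = "allow 3.4.5.6;\ndeny all;"
RANGE_BLOCK = "deny 192.168.1.0/24;\nallow all;"
MISORDERED = "allow all;\ndeny 192.168.1.0/24;"  # the deny line is never reached

if __name__ == "__main__":
    sets = {"single allow": SINGLE_ALLOW, "range block": RANGE_BLOCK,
            "misordered": MISORDERED}
    for name, text in sets.items():
        rules = parse_rules(text)
        for ip in ("3.4.5.6", "192.168.1.77", "2001:db8::1"):
            print(f"{name:13} {ip:13} -> {decide(rules, ip)}")
```

In the misordered set, 192.168.1.77 is allowed because "allow all" matches before the deny rule is ever evaluated.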

Conclusion

Nginx is so flexible that, with a few lines, you can block one or several IP addresses from accessing your site.

Angelo
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.
