NGINX – Allow access only to certain IPs

Nginx has a nice module that not many people know about: it enables us to allow or deny access to directories served by the webserver based on the client's IP address. The module is named ngx_http_access_module. The syntax looks like this:

location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
}

The rules are checked in sequence from top to bottom until the first match is found. In this particular example, the subnets 10.1.1.0/16 and 192.168.1.0/24 are allowed, with the exception of 192.168.1.1.

The IPv6 range 2001:0db8::/32 is also allowed; the rest of the world is denied access.

So, how to use this to secure your site?

Your access list should be included from the nginx.conf file, but you should never add the IPs directly into that file. Instead, create a separate blocklist file with all the IPs you want to block or allow and include that file from nginx.conf.

That way you can edit the file without being root, and the file is checked every time a user tries to access the website.

Here it goes. First off, we need to edit the nginx.conf file once and for all.

nano /etc/nginx/nginx.conf

Find the http section and add the following lines inside that block:

### Include a blocklist file
include /home/mikho/nginx-blockips-inthisfile.conf;

Save and exit with Ctrl+X

Time to create the include file itself.

nano /home/mikho/nginx-blockips-inthisfile.conf

Add IPs as you wish. If no deny row matches the client's address, the connection is allowed:

deny 192.168.1.1;
deny 192.168.1.2;
# the whole 192.168.2.0/24 subnet (writing 192.168.2.1/24 makes nginx warn that the host bits are meaningless)
deny 192.168.2.0/24;

If you want it to work the other way around and deny everyone that is NOT explicitly allowed in the file, add these lines instead:

# allow the internal subnet 192.168.1.0/24
allow 192.168.1.0/24;
# drop rest of the world
deny all;

When you are done, save and exit with Ctrl+X.

Test the configuration for typos and other configuration errors with:

/etc/init.d/nginx configtest

If you get an error message, troubleshoot the error and test again until everything is fine.

Reload the configuration with:

/etc/init.d/nginx force-reload

Try it out from different IPs and see the difference.
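Before testing from different IPs, it helps to predict what the list will do. The following script is an added example (not part of the original post, nor nginx's own code): it reads a block list in the format above, applies the same first-match rule, and reports prefixes with host bits set, which nginx also accepts but warns about in its error log. The constructed sample is the access list from the top of this post.

```python
import ipaddress

def parse_rules(text):
    """Parse nginx allow/deny lines; returns (rules, warnings). '#' comments are skipped."""
    rules, warns = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"line {lineno}: directive must end with ';'")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <address>;'")
        action, target = parts
        if target == "all":
            rules.append((action, None))  # 'all' matches every client
            continue
        try:
            net = ipaddress.ip_network(target, strict=True)
        except ValueError:
            # nginx accepts this too, but warns that the low address bits are meaningless
            net = ipaddress.ip_network(target, strict=False)
            warns.append(f"line {lineno}: host bits set in {target}, nginx treats it as {net}")
        rules.append((action, net))
    return rules, warns

def check_access(rules, client_ip):
    """First matching rule wins; with no matching rule nginx allows the request."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:  # an IPv4 client never matches an IPv6 prefix
            return action
    return "allow"

# Constructed sample: the access list from the top of this post.
SAMPLE_LIST = """\
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
"""

if __name__ == "__main__":
    rules, warns = parse_rules(SAMPLE_LIST)
    print(*warns, sep="\n")
    for client in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "2001:db8::1", "8.8.8.8"):
        print(f"{client:>14} -> {check_access(rules, client)}")
```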

Customize the HTTP 403 Forbidden Error Message


The default 403 error page is, well, very “default” and plain, so let’s create something nicer.

Create an HTML file in your webroot folder that should be loaded when the error occurs, and paste this into the file:

<html>
<head><title>Error 403 – Access denied!</title></head>
<body>
You do not have access to this page. There’s no need to try again.
</body>
</html>

Then edit your Nginx config file and add this

error_page 403 /error403.html;
location /error403.html {
allow all;
}

inside the server block. The example above tells Nginx to display the file error403.html every time a 403 error occurs. We do need to make an exception in the configuration so that everyone is allowed to read this file; otherwise the default 403 error page would be displayed.

Now you know how to easily block access to your website and only allow a few selected IPs.