Nginx allow/deny not working (403 Forbidden)
When viewing the directories containing allow/deny directives from any IP address, I get a 403 Forbidden error.
That's exactly what you told nginx to do ...
You are denying everything except IPs 10.1.1.28 and 10.0.1.38.
I'm new to nginx... does anything in my configuration look incorrect?
How can we know? You don't even explain what you are trying to do ...
user671460
Updated on September 18, 2022

Comments
-
user671460 almost 2 years
I am attempting to set some allow/deny directives within nginx for a few subfolders on my server. I am modifying the /etc/nginx/sites/enabled/default file, which is listed below:
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        client_max_body_size 20M;

        root /usr/share/nginx/html;
        index index.php index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            #try_files $uri $uri/ =404;
            try_files $uri $uri/ /index.php?$args;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
        }

        location /nothingtosee {
            auth_basic "Closed Website";
            auth_basic_user_file /etc/nginx/pma_pass;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_read_timeout 240;
        }

        location /squirrelmail {
            root /usr/share/;
            index index.php index.html index.htm;

            location ~ ^/squirrelmail/(.+\.php)$ {
                try_files $uri =404;
                root /usr/share/;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include /etc/nginx/fastcgi_params;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_intercept_errors on;
            }

            location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /usr/share/;
            }
        }

        location /webmail {
            rewrite ^/* /squirrelmail last;
        }

        location /nginx_status {
            stub_status on;
            access_log off;
            allow 10.1.1.28;
            deny all;
        }

        location /ill {
            allow 10.1.1.28;
            allow 10.0.1.38;
            deny all;
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #    proxy_pass http://127.0.0.1:8080;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #    root /usr/share/nginx/html;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #   # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        #
        #   # With php5-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
        #   # With php5-fpm:
        #   fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
When viewing the directories containing allow/deny directives from any IP address, I get a 403 Forbidden error. All directories without allow/deny work fine.
I'm new to nginx... does anything in my configuration look incorrect?
THANKS!
-
user671460 over 9 years
I would like to deny access to /ill to everyone except 10.1.1.28 and 10.1.1.38. With the configuration listed above, I get a 403 error from everywhere, including .28 and .38.
-
Xavier Lucas over 9 years
@user671460 Edit your post with curl's request and reply and relevant access log line, and error log content.
-
user671460 over 9 years
2015/03/23 12:48:46 [error] 2915#0: *1 access forbidden by rule, client: xx.xxx.xx.110, server: localhost, request: "GET /ill/ HTTP/1.1", host: "test.yourdomain.org" -- If I access it using its internal IP (10.1.1.194/ill), the allow/deny works correctly. If I access it using our test domain (test.yourdomain.org/ill), it uses xx.xxx.xx.110. I apologize for not being able to explain this better, but I do appreciate your help.
-
Xavier Lucas over 9 years
@user671460 So your IP address when testing is xx.xxx.xx.110 not 10.1.1.28 nor 10.0.1.38. Not an nginx issue.
-
wurtel over 9 years
So add xx.xxx.xx.110 to the allow list, simple.
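
As an added example (not code from the thread or from nginx), the Python sketch below replays the `/ill` rules from the question the way ngx_http_access_module checks them, in order with the first match deciding, and extracts the `client:` address from an "access forbidden by rule" error-log entry to show which address nginx actually compared. The address 203.0.113.110 is a constructed stand-in for the redacted xx.xxx.xx.110, and the function names are hypothetical.

```python
import ipaddress
import re

# Rules from the question's "location /ill" block, in file order.
ILL_RULES = [("allow", "10.1.1.28"), ("allow", "10.0.1.38"), ("deny", "all")]

# Constructed sample: the thread's error-log entry with the redacted client
# replaced by a documentation-range address (203.0.113.110).
SAMPLE_LOG = [
    '2015/03/23 12:48:46 [error] 2915#0: *1 access forbidden by rule, '
    'client: 203.0.113.110, server: localhost, '
    'request: "GET /ill/ HTTP/1.1", host: "test.yourdomain.org"',
]

FORBIDDEN_RE = re.compile(r"access forbidden by rule, client: (?P<client>[^,]+),")


def evaluate(rules, client):
    """Return 'allow' or 'deny' the way ngx_http_access_module does:
    rules are checked in order and the first match decides."""
    addr = ipaddress.ip_address(client)
    for action, spec in rules:
        if spec == "all":
            return action
        net = ipaddress.ip_network(spec, strict=False)
        if addr.version == net.version and addr in net:
            return action
    return "allow"  # no rule matched: the access module does not block


def denied_clients(log_lines):
    """Extract the client address nginx evaluated for each 403-by-rule entry."""
    return [m.group("client") for line in log_lines
            if (m := FORBIDDEN_RE.search(line))]


def suggest_rules(rules, client):
    """Insert an allow for `client` ahead of the first deny (order matters)."""
    idx = next((i for i, (a, _) in enumerate(rules) if a == "deny"), len(rules))
    return rules[:idx] + [("allow", client)] + rules[idx:]


if __name__ == "__main__":
    for client in denied_clients(SAMPLE_LOG):
        print(client, "->", evaluate(ILL_RULES, client))
        fixed = suggest_rules(ILL_RULES, client)
        print("with added allow ->", evaluate(fixed, client), fixed)
```

Before widening an allow list this way, confirm from the error log that the `client:` value is the address you expect to reach the server from, since that is the only address the rules are matched against.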