nginx Block IP based on URI in one 'location'
Solution 1
Like coredump said, no, use multiple locations.
But it is possible to make the contents of the location
blocks less repetitive. The key here is a named location
block which contains the root
and proxy_...
directives.
For example:
location / {
try_files $uri @proxy;
}
location ~ /(abc|def|ghi) {
allow 10.0.0.0/8;
allow 1.2.3.4;
deny all;
try_files $uri @proxy;
}
location @proxy {
root /var/www/docs;
proxy_pass http://backend;
proxy_buffering on;
proxy_buffer_size 64k;
proxy_buffers 256 64k;
}
And probably even better would be to place the root
directive outside all the location
blocks.
Solution 2
First you have to define a variable that will hold your IP filters. This goes into the http section of the nginx config:
map $remote_addr (or $http_x_forwarded_for if behind a proxy) $allowed {
default deny;
~\s*111.222.333.444$ allow;
~\s*333.444.555.*$ allow;
}
then in the server section you write the if construct and filter the access location by the contents of the variable $allowed:
location / {
if ( $allowed = "deny" ) { return 403; }
#...
}
Solution 3
Usually in such cases can help "nested locations" ...
location / {
root /var/www/docs;
allow all;
location /admin {
deny 1.2.3.4;
}
}
... but not all directives inherited in nested locations. Sadly, but exactly proxy_pass
, fastcgi_pass
and similar are not inherited... So solution proposed earlier (with @namedlocation) is correct in this case. You can also use a directive include
for "proxy_pass block", of course.
Solution 4
No. Use multiple locations
, it may look ugly but you will end with less chance of if craziness.
Also remember that nginx processes first the regex matches and if none matches it tries the most specific literal location, being location /
kind of a catch all location. Knowing that you can maybe diminish the number of locations you need. Take a look at this doc to see how requests are processed.
Related videos on Youtube
Déjà vu
Updated on September 18, 2022Comments
-
Déjà vu over 1 year
There is currently a block of one location
/
location / { root /var/www/docs; proxy_pass http://backend; proxy_buffering on; proxy_buffer_size 64k; proxy_buffers 256 64k; }
that needs to be filtered by IP.
Ideally, in order to reduce the number of repetitions of the same directives in
location
, I would like to perform the test within thelocation
blocklocation / { if ($uri ~ '^/(abc|def|ghi)') { allow 10.0.0.0/8; allow 1.2.3.4; deny all; } root /var/www/docs; proxy_pass http://backend; proxy_buffering on; proxy_buffer_size 64k; proxy_buffers 256 64k; }
Unfortunately, it seems the
allow
/deny
directives cannot be used within aif
block."allow" directive is not allowed here in /etc/nginx/sites-enabled/mysite:20
Is there an elegant way to perform the test without repeating the
location
blocks?(like
location ~ /(abc|def|ghi) { allow 10.0.0.0/8; allow 1.2.3.4; deny all; ... 5 other lines root,proxy... } location / { ... 5 other lines root,proxy... }
)
-
Déjà vu about 13 yearsThanks. The if craziness looks like a nginx bug... Repeating the
location
directives ad nauseum for each case is contrary to the most elementary programming concepts. But it sounds like there no choice :-( -
coredump about 13 yearsRemember that
nginx
is a web server not a programming language :) On apache you would end with something close :) -
Déjà vu about 13 yearsI studied a bit the code of nginx, as it is a performance example. One thing I liked about nginx, is that it stands pretty far from apache... I don't think there (should be) is a separation between programming languages and configuration scripts. Unfortunately, long time existing tools like apache seem to show the way.
-
coredump about 13 years@ring I don't know, I like that you could not do what you wanted. It would be easier, but it would be harder to read and it could get very messy in some cases (not yours, but allowing it would open the doors to hell :))
-
HBruijn about 8 yearsWelcome to Server Fault! It looks like you may have the knowledge to provide good Answer here, but please consider reading How do I write a good Answer? in our help center and then revise the Answer. Your Commands/Code/Settings may technically be the solution but some explanation is welcome. Thanks in advance.
-
Mahmoud Khateeb over 6 yearsI am surprised this answer only got 1 vote, it should have loads of them. That's the most easy (and it's not a hack) way to do it!
-
joshmcode over 5 years@MahmoudKhateeb I am not very knowledgeable on Nginx but isn't using "if" within the location block discouraged? Or is it okay in this context because they are explicitly returning something?