Nginx Block Url

NGINX Restrict Access to URL - Ubiq BI

Sometimes you may need to limit access to a URL on your website. In this article, we will look at how to restrict access to a URL in NGINX.
How to Restrict Access to URL in NGINX
Here are the steps to restrict access to a URL in NGINX.
1. Open NGINX configuration file
Open terminal and run the following command to open NGINX configuration file.
$ sudo vi /etc/nginx/
If you have configured separate virtual hosts for your website, with configuration files under /etc/nginx/sites-enabled/, then open the relevant file with the following command.
$ sudo vi /etc/nginx/sites-enabled/
2. Restrict Access to URL
Suppose you want to block the IP 45.34.21.10 from accessing the / URL.
In that case, add the deny directive
deny 45.34.21.10;
in the location block for /, in your NGINX server configuration.
location / {…
deny 45.34.21.10;… }
If you want to restrict access to the URL for all IPs except one known IP, 45.34.21.10, then add the following allow and deny statements as shown.
location / {…
allow 45.34.21.10;
deny all;… }
The allow statement permits access from the specified IP, and the deny all statement blocks all other IPs. NGINX checks these rules in order and stops at the first match, so allow must come before deny all.
If you want to block multiple IPs from the URL, add a separate deny statement for each IP, as shown.
location / {…
deny 45.34.21.10;
deny 54.23.10.13;… }
If you want to limit access to the URL for an IP range such as 45. 0-45. 255, then specify the IP range using CIDR notation.
location / {…
deny 45. 0/24;… }
3. Restart NGINX Server
Finally, run the following command to check syntax of your updated config file.
$ sudo nginx -t
If there are no errors, run the following command to restart NGINX server.
$ sudo service nginx reload #debian/ubuntu
$ systemctl restart nginx #redhat/centos
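The allow and deny rules from step 2 are checked in sequence and the first match decides. The following Python model is an added example, not code from the original article; it evaluates the article's allowlist, the same directives in the wrong order, and a CIDR block. The 203.0.113.0/24 range and the function names are constructed for illustration.

```python
import ipaddress

def parse_rules(text):
    """Parse 'allow X;' / 'deny X;' lines into ordered (action, network) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, value = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action!r}")
        # "all" matches every client; anything else is an address or CIDR block.
        net = None if value == "all" else ipaddress.ip_network(value, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Return the action of the first rule that matches client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # no allow/deny rule matched, so access is not restricted

# Allowlist from the article: one known IP, everyone else is refused (403).
ALLOWLIST = parse_rules("allow 45.34.21.10;\ndeny all;")
# Same directives in the wrong order: 'deny all' matches first for every client.
MISORDERED = parse_rules("deny all;\nallow 45.34.21.10;")
# Constructed CIDR example (203.0.113.0/24 is a documentation range).
BLOCK_RANGE = parse_rules("deny 203.0.113.0/24;")

if __name__ == "__main__":
    for name, rules, ip in [
        ("allowlist", ALLOWLIST, "45.34.21.10"),
        ("allowlist", ALLOWLIST, "54.23.10.13"),
        ("misordered", MISORDERED, "45.34.21.10"),
        ("block range", BLOCK_RANGE, "203.0.113.77"),
        ("block range", BLOCK_RANGE, "203.0.114.1"),
    ]:
        print(f"{name:12} {ip:15} -> {decide(rules, ip)}")
```

The misordered case is the one to look for in review: the intended client is locked out because deny all is reached before its allow line.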
Nginx block access to url - Server Fault

I am using concrete5 and I need to disable /login url on my website.
Nginx is my server.
I tried so far to allow access only to specified ips:
location /login {
allow 5.69.34.213;
allow 5.80.29.130;
deny all;
}
But it did not work. It blocks all ips and the specified too. What am I doing wrong?
Update
My conf file is:
server {
listen 80;
server_name;
return 301 request_uri;}
# HTTPS server
server {
listen 443 ssl;
root /var/www-staging/my_website/public_html;
gzip on;
gzip_proxied any;
gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text;
ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/ 2048
ssl_dhparam /etc/nginx/ssl/;
location /templates {
alias /var/www-staging/my_website/templates/dist;}
location / {
try_files $uri /$request_uri;}
location ~ \($|/) {
fastcgi_split_path_info ^(. +\)(/. +)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
fastcgi_pass unix:/run/php/;
include fastcgi_params;}
error_log /var/log/nginx/;
access_log /var/log/nginx/;}
asked Feb 16 ’17 at 16:38 by George Mylonas
nginx documentation explains your case:
nginx first searches for the most specific prefix location given by
literal strings regardless of the listed order. In the configuration
above the only prefix location is “/” and since it matches any request
it will be used as a last resort. Then nginx checks locations given by
regular expression in the order listed in the configuration file. The
first matching expression stops the search and nginx will use this
location. If no regular expression matches a request, then nginx uses
the most specific prefix location found earlier.
So, following this statement, /login only matches if there is no regex that matches. If you access /login/, for example, your location ~ \($|/) wins the election on who gets to handle this request.
SOLUTION 1
To fix your problem set this location ABOVE the php location
location ~* /login {
SOLUTION 2
use
location ^~ /login {
explains that ^~ disables regex matching if this prefix string location matches.
answered Feb 17 ’17 at 15:04
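The selection order quoted from the nginx documentation in the answer above can be modelled in a few lines. This Python sketch is an added example, not part of the original answer or of nginx; it covers top-level exact, prefix and regex locations only. The `\.php($|/)` pattern and the request URIs are constructed stand-ins, since the question's own regex is incomplete on this page.

```python
import re

def select_location(locations, uri):
    """Return the (modifier, pattern) nginx would pick for uri.

    locations is a list of (modifier, pattern) in config-file order, with
    modifier "" (prefix), "^~" (prefix, no regex pass), "=" (exact),
    "~" (regex) or "~*" (case-insensitive regex).
    """
    best = None  # longest matching prefix location
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)              # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best                        # ^~ skips the regex pass entirely
    for mod, pat in locations:             # regexes: first match in file order
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return (mod, pat)
    return best                            # no regex matched: longest prefix

PHP = ("~", r"\.php($|/)")   # assumed stand-in for the PHP handler location
ORIGINAL = [("", "/login"), ("", "/"), PHP]
SOLUTION_1 = [("~*", "/login"), ("", "/"), PHP]   # regex listed above PHP
SOLUTION_2 = [("^~", "/login"), ("", "/"), PHP]

if __name__ == "__main__":
    for name, conf in [("original", ORIGINAL), ("solution 1", SOLUTION_1),
                       ("solution 2", SOLUTION_2)]:
        for uri in ["/login", "/login/index.php", "/index.php"]:
            print(f"{name:10} {uri:18} -> {select_location(conf, uri)}")
```

With the original layout, any URI under /login that also matches the regex is handled by the regex location, so the allow and deny rules inside location /login are never consulted for it.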
I solved the problem myself. I have a vagrant machine for that project where I could debug it step by step. PHP was making a curl request to an API which would take forever. I had to set a timeout to handle such a behaviour:
curl_setopt($ch, CURLOPT_TIMEOUT, 6);
$response = curl_exec($ch);
and now check if $response is false (no result)
if (!$response) {
$this->writeFile('FALSE ' . $ip . ' ' . $session);
} else {
$this->writeFile('SUCCESS ' . $session);
}
That solved the problem. fpm socket was a misleading error. Rookie mistake…
I must find out how to talk to that API, apparently developers changed something last night and probably introduced a bug. It was working all this time.
Overmind
answered Mar 1 ’17 at 14:46
Nginx: Block URL Access (wp-admin/wp-login.php) To All ...

I am a small business owner and run my own web-site. I have noticed increased cracking activity against my blog. What’s the best way to block WordPress URLs such as and in the nginx web-server?
Tutorial details
Difficulty level: Advanced
Root privileges: Yes
Requirements: Linux/Unix with Nginx
Est. reading time: 3 minutes
Attacks on WordPress based sites are not new. However, recently many news outlets reported that there’s a fairly large brute force attack happening on WordPress users on multiple hosts. The attacker is brute force attacking the WordPress administrative portals (), using the username “admin” and trying thousands of passwords.
Nginx block access WordPress administrative portals
Edit the file, enter:
# vi /etc/nginx/
Append the following allow and deny all nginx config directives in server context:
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4;
deny all;
}
If your blog is located in the /blog/ sub-directory, try:
location ~ ^/blog/(wp-admin|wp-login\.php) {
Replace 1.2.3.4 with your actual static IP address. Here is a sample config file:
upstream apachebackend {
server 192.168.1.10:8080 weight=6;
server 192. 11:8080 weight=5;
server 192. 12:8080 weight=5;
server 192. 13:8080 weight=5;
#server 127. 0. 1:8080 weight=1;}
server {
access_log /var/log/nginx/;
error_log /var/log/nginx/;
index;
listen 75. 126. 153. 206:80 default;
root /usr/share/nginx/html;
server_name
## PROXY – Web
location / {
proxy_pass http://apachebackend;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}
deny all;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}
Restart / reload the nginx web-server, enter:
# /etc/init.d/nginx reload
Test it
Visit your blog url such as or Sample outputs:
Fig. 01: Nginx blocking WordPress Admin Portal
How do I customize 403 error page?
See create a custom static HTTP 404 or HTTP 403 error page for more information.
Other recommendations
First, set up an SSL certificate on nginx. Edit the file and append the following directive:
define('FORCE_SSL_ADMIN', true);
Save and close the file. The FORCE_SSL_ADMIN option forces WordPress to secure logins and the admin area so that both passwords and cookies are never sent in the clear. Use the curl command to see headers, enter:
$ curl -I
HTTP/1.1 302 Found
Server: nginx
Date: Sun, 14 Apr 2013 09:01:44 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Cookie
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location:
I also suggest that you add the following firewall rules so that SSL part is only accessible to you:
## Open port 443 to you only ##
## Allow your home/office static IP 1.2.3.4 at port 443
/sbin/iptables -A INPUT -s 1.2.3.4 -m state --state NEW -p tcp --dport 443 --destination YOUR-Web-Server-SSL-IP-HERE -j ACCEPT
## Make sure you DROP the rest of the world for 75. 203 for TCP port 443 ###
##/sbin/iptables -A INPUT -s 0/0 -m state --state NEW -p tcp --dport 443 --destination YOUR-Web-Server-SSL-IP-HERE -j DROP
See also
Nginx block and deny IP address OR network subnets.
Twenty Nginx web-server best security practices for more information.

Frequently Asked Questions about nginx block url

How do I block NGINX?

Follow these steps to block an IP address.
1. View the Nginx configuration file locations article to create your local /nginx/example.com directory.
2. Create a file named access.conf in this /nginx/example.com directory.
3. Add the contents from the following sections.
4. Make sure to reload Nginx for the changes to take effect.
(May 13, 2021)

How do I find my NGINX URL?

http { index index.html; server { server_name www.domain1.com; access_log logs/domain1.access.log main; root /var/www/domain1.com/htdocs; rewrite ^(/upload/banner/\d+/).
(Aug 25, 2016)

How do I change my URL in NGINX?

Here are the steps to redirect location to another domain in NGINX. Open NGINX configuration file. If you are using NGINX’s main configuration file nginx.conf, without virtual hosts, then run the following command $ sudo vi /etc/nginx/nginx.conf. … Redirect Location to Another Domain. … Restart NGINX.
(Apr 28, 2020)

About the author

proxyreview
