Last updated on September 21st, 2021 at 10:58 am
Sometimes you may need to block IP addresses to protect your website from malicious attacks such as DoS and DDoS. Here's how to block an IP address in NGINX to restrict or block access. You can use these steps for both blocking and allowing IP addresses in NGINX.
How to Block IP Address in NGINX
Here are the steps to block an IP address in NGINX.
You can block IP addresses, subnets and IP ranges using the deny directive. Similarly, you can allow IP addresses, subnets and IP ranges using the allow directive. You can place deny or allow directives in the http, server or location context. You can even use a combination of deny and allow directives.
We will look at each of these use cases separately.
1. Open NGINX configuration file
If you are using NGINX's main configuration file nginx.conf, without virtual hosts, then run the following command:
$ sudo vi /etc/nginx/nginx.conf
If you have configured separate virtual hosts for your website (e.g. www.website.com), such as /etc/nginx/sites-enabled/website.conf, then open its configuration with the following command:
$ sudo vi /etc/nginx/sites-enabled/website.conf
2. Block IP address in NGINX
There are multiple ways to block an IP address in NGINX. We will look at each of them. If you want to block IP 45.43.23.21 for a domain or your entire website, you can add the following line to your configuration file.
deny 45.43.23.21;
The above line will make NGINX deny IP 45.43.23.21.
Block IP address in NGINX for website or domain
Add the above line in any of the http, server or location / blocks as shown below:

http {
    ...
    deny 45.43.23.21;
    ...
}

server {
    ...
    deny 45.43.23.21;
    ...
}

location / {
    deny 45.43.23.21;
}
Block IP Address in NGINX for subdomain
Let's say you have two subdomains (blog.website.com and articles.website.com) with their NGINX config files at /etc/nginx/sites-enabled/blog.conf and /etc/nginx/sites-enabled/articles.conf.
If you want to block an IP address in NGINX for only one subdomain (e.g. blog.website.com), then place the above-mentioned line in the blog.conf file of that subdomain.
$ sudo vim /etc/nginx/sites-enabled/blog.conf
server {
    server_name blog.website.com;
    deny 45.43.23.21;
}
If you want to block IP address in both subdomains, then add the line in both blog.conf and articles.conf files.
Block IP range in NGINX
If you want to block an IP range such as 45.43.23.0 – 45.43.23.255, then use the CIDR format for your IP range, since NGINX accepts only IP addresses and CIDR formats. You can get the CIDR for your IP address range using IP to CIDR tools.
location / { deny 45.43.23.0/24; }
Block IP Address in NGINX for URL
If you want to block an IP for just one URL (e.g. /accounts/login), then add the above deny directive in the location block of that URL.
location /accounts/login { deny 45.43.23.21; }
Block Multiple IP in NGINX
If you want to block multiple IP addresses in NGINX, just add multiple deny directives as shown below, one for each IP:

deny 45.43.23.21;
deny 44.23.13.10;
allow all;
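The above code will block IP addresses 45.43.23.21 & 44.23.13.10, and allow others. NGINX checks these rules in order and stops at the first match, so the deny lines must come before allow all.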
You can also combine IP addresses and CIDR ranges together, as shown below:

deny 44.23.13.10;
deny 45.43.23.0/24;
allow all;
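The following Python sketch is an added example, not part of the original article or of NGINX itself. It converts an IP range into deny directives (the "IP to CIDR" step above) and checks a client address against a deny/allow list using first-match order. The function names and sample configs are constructed for illustration, and it assumes targets are only IPs, CIDR blocks or "all".

```python
import ipaddress
import re

# Matches "deny X;" / "allow X;" where X is an IP, a CIDR block, or "all".
RULE = re.compile(r"\b(allow|deny)\s+([^\s;]+)\s*;")

def range_to_deny(first, last):
    """Cover an inclusive IP range with the fewest CIDR blocks, one deny each."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"deny {net};" for net in nets]

def parse_rules(config_text):
    """Return (action, network) pairs in file order; network None means 'all'."""
    text = re.sub(r"#.*", "", config_text)  # drop comments
    rules = []
    for action, target in RULE.findall(text):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_blocked(rules, client_ip):
    """First matching rule decides, as in NGINX; no match means allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "deny"
    return False

# Constructed samples: the page's list, and the same idea with the order reversed.
GOOD = "deny 44.23.13.10; deny 45.43.23.0/24; allow all;"
BAD = "allow all; deny 45.43.23.21;  # never reached"

if __name__ == "__main__":
    print(range_to_deny("45.43.23.0", "45.43.23.255"))
    print(range_to_deny("45.43.23.10", "45.43.23.20"))
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, is_blocked(parse_rules(conf), "45.43.23.21"))
```

A range that does not fall on a CIDR boundary expands into several deny lines, and a list that starts with allow all never reaches the deny rules after it.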
3. Restart NGINX
Finally, run the following command to check the syntax of your updated config file.
$ sudo nginx -t
If there are no errors, run the following command to restart NGINX server.
$ sudo service nginx reload      # debian/ubuntu
$ sudo systemctl restart nginx   # redhat/centos
That's it! Now NGINX will block access to those IP addresses and ranges mentioned in your configuration file. Note that deny and allow match the address of the connecting client, so if NGINX sits behind a load balancer or CDN, that is the proxy's address unless the real client IP is restored with ngx_http_realip_module.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.