NGINX Restrict Access to Directory and Subdirectories

Last updated on June 10th, 2024 at 06:22 am

NGINX is a popular web server used by many web developers and organizations. It lets you manage large websites and control access to their pages. Web administrators often need to limit access to certain folders and subfolders of a website because of the sensitive information they hold. In this article, we will learn how to use the NGINX server to restrict access to a directory and its subdirectories.

Why Restrict Access to Directories in NGINX

Websites contain private URLs and sensitive data that should be protected from public access; otherwise the result can be a data leak. In many organizations, administrators must allow only authorized access to certain web pages, most often on intranet or corporate websites. Sometimes a website is under persistent attack from malicious bots sending requests from particular IP addresses. In all these cases, you need to restrict access to directories, subdirectories, URLs and files on your website. NGINX lets you control access easily with the deny and allow directives. We will learn how to use them to our advantage.

NGINX Restrict Access to Directory and Subdirectories

For our purpose, we will use ngx_http_access_module. It mainly supports two directives: allow and deny. The allow directive permits requests from a single IP address, from a network or range of addresses written in CIDR notation, or from all clients. You can place the allow directive in the http, server or location blocks of your server configuration. Here is its syntax.

allow address | CIDR | unix: | all;

Similarly, the deny directive blocks access from a single IP address, a network or address range in CIDR notation, or all clients. It can also be placed in the http, server and location blocks. Here is its syntax.

deny address | CIDR | unix: | all;

Here are the steps to restrict access to directory and subdirectories in NGINX.

1. Open NGINX configuration file

Open a terminal and run the following command to open the NGINX configuration file.

$ sudo vi /etc/nginx/nginx.conf

If you have configured a separate virtual host for your website (e.g. www.example.com), such as /etc/nginx/sites-enabled/example.conf, then open that file instead with the following command.

$ sudo vi /etc/nginx/sites-enabled/example.conf

2. Restrict Access to URL

Let us say you want to limit access to the /product directory for the IP address 45.34.21.10.

In that case, add the deny directive. Directive names are lowercase and every statement ends with a semicolon, otherwise nginx -t reports an unknown directive.

deny 45.34.21.10;

On the other hand, if you want to allow access from this IP, add the following directive.

allow 45.34.21.10;

Let us look at some common use cases.

Restrict Access from Single IP

Let us say you want to block access to /product from just one IP address, 45.34.21.10. In this case, add the following deny directive to the location block for /product in your NGINX server configuration.

location /product {
   ...
   deny 45.34.21.10;
   ...
}

You can use the same directive to restrict access to subfolders, URLs and files. Here is an example that restricts access to the subfolder /product/data.

location /product/data {
   ...
   deny 45.34.21.10;
   ...
}

Here is an example that restricts access to the specific URL /test.html.

location /test.html {
   ...
   deny 45.34.21.10;
   ...
}

Here is an example that restricts access to the file data.pdf.

location /data.pdf {
   ...
   deny 45.34.21.10;
   ...
}

Note that location /test.html and location /data.pdf are prefix matches, so they also cover any URI that merely begins with that path. If you want the rule to apply to exactly one URI, use the exact-match form, for example location = /data.pdf.

If you place the deny directive in the server block, it applies to all URLs of the domain that this server block handles. If you place it in the http block, it applies to all domains and virtual hosts served by that block. Keep in mind that a location block which defines its own allow or deny rules replaces, rather than extends, the rules it would otherwise inherit from the enclosing server or http block.

Restrict Access from Multiple IPs

Let us say you want to block access from multiple IPs. In this case, add separate deny statements, one for each IP, as shown.

location /product {
   ...
   deny 45.34.21.10;
   deny 54.23.10.13;
   ...
}

Restrict Access from Range of IP addresses

If you want to limit access to the directory for an IP range such as 45.23.10.0-45.23.10.255, specify the range in CIDR notation.

location /product {
   ...
   deny 45.23.10.0/24;
   ...
}

You can also combine both forms, as shown below: one deny statement names a single IP address and another uses CIDR notation for a range.

location /product {
   ...
   deny 54.43.32.21;
   deny 45.23.10.0/24;
   ...
}

Restrict from All Except One IP

If you want to restrict access to folders and subfolders for all IPs except one known IP, 45.34.21.10, add the following allow and deny statements as shown.

location /product {
   ...
   allow 45.34.21.10;
   deny all;
   ...
}

The allow statement admits the specified IP and the deny statement blocks every other address. The order matters: NGINX checks the rules in sequence and the first match decides, so allow must come before deny all. Reversed, deny all would match every client first and lock out the allowed IP as well.
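The ordering rule above, and the single-IP, multiple-IP and CIDR cases before it, are easy to get wrong and only show up once the server is live. The following script is an added example (not code from the article or from NGINX) that models the first-match-wins evaluation of ngx_http_access_module, so a rule list can be tried against sample client addresses before it is deployed. All IP addresses in it are constructed sample values, and the behaviour it models is the documented one: rules are checked in order, the first match decides, and a client matching no rule is allowed.

```python
"""
Check a set of nginx allow/deny rules before deploying them.

Added example, not code from the article: it models the first-match-wins
evaluation performed by ngx_http_access_module so that a rule list can be
tested against sample client addresses offline. Every IP address below is
a constructed sample value.
"""
import ipaddress
from typing import List, Tuple

# A rule is (action, target): action is "allow" or "deny"; target is an IP
# address, a CIDR network, or the keyword "all" (the "unix:" target only
# matches UNIX-domain socket clients and never matches an IP client).
Rule = Tuple[str, str]


def parse_rules(config_text: str) -> List[Rule]:
    """Extract allow/deny rules from nginx configuration text, in order.

    Other directives are ignored. nginx directive names are case-sensitive,
    so a capitalised 'Deny' or 'Allow' is rejected here just as 'nginx -t'
    would reject it with an "unknown directive" error.
    """
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) != 2:
            continue
        action, target = parts
        if action.lower() in ("allow", "deny"):
            if action != action.lower():
                raise ValueError(
                    f"unknown directive {action!r}: nginx expects {action.lower()!r}"
                )
            rules.append((action, target.lower()))
    return rules


def _matches(target: str, client_ip: str) -> bool:
    """Return True if the rule target covers client_ip."""
    if target == "all":
        return True
    if target == "unix:":
        return False
    ip = ipaddress.ip_address(client_ip)
    # A bare address such as 45.34.21.10 is treated as a /32 (or /128).
    net = ipaddress.ip_network(target, strict=False)
    return ip.version == net.version and ip in net


def evaluate(rules: List[Rule], client_ip: str) -> Tuple[bool, str]:
    """Decide whether client_ip may pass, using nginx semantics.

    Rules are checked in the order written; the first matching rule decides.
    A client that matches no rule is allowed, which is why a restrictive
    location must end with 'deny all'.
    """
    for action, target in rules:
        if _matches(target, client_ip):
            return action == "allow", f"matched '{action} {target}'"
    return True, "no rule matched (nginx default: allow)"


# The article's "all except one IP" block, in the correct order.
CORRECT_ORDER = """
    allow 45.34.21.10;
    deny all;
"""

# The same two lines reversed: 'deny all' matches first, so nobody gets in.
WRONG_ORDER = """
    deny all;
    allow 45.34.21.10;   # never reached
"""

# Single address plus a CIDR range, as in the article's combined example.
RANGE_RULES = """
    deny 54.43.32.21;
    deny 45.23.10.0/24;
"""

if __name__ == "__main__":
    for label, text in (("correct", CORRECT_ORDER), ("reversed", WRONG_ORDER)):
        for ip in ("45.34.21.10", "203.0.113.7"):
            allowed, why = evaluate(parse_rules(text), ip)
            print(f"{label:8} {ip:15} -> {'allow' if allowed else 'deny '} ({why})")
    for ip in ("45.23.10.200", "45.23.11.1", "54.43.32.21"):
        allowed, why = evaluate(parse_rules(RANGE_RULES), ip)
        print(f"range    {ip:15} -> {'allow' if allowed else 'deny '} ({why})")
```

Paste the allow/deny lines of a location block into one of the strings (or read a file) and run the script; the "reversed" case prints deny for the address you meant to admit, which is exactly the mistake that is cheapest to catch before the reload.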

3. Restart NGINX Server

Finally, run the following command to check the syntax of your updated configuration file.

$ sudo nginx -t

If there are no errors, run the following command to restart the NGINX server.

$ sudo service nginx reload     # debian/ubuntu
$ sudo systemctl restart nginx  # redhat/centos
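A request rejected by ngx_http_access_module is answered with HTTP 403, so once nginx -t passes and the server has been reloaded, the access log is the quickest place to confirm the rule is live. The script below is an added example (not code from the article or from NGINX) that reads log lines in the default "combined" format and reports which client addresses were denied on which paths. The log lines, IP addresses and paths in it are constructed samples.

```python
"""
Confirm from the access log that a deny rule is in effect.

Added example, not part of the article: a request rejected by
ngx_http_access_module is answered with HTTP 403, so after 'nginx -t'
and a reload the access log shows which clients are being blocked and
on which paths. The log lines below are constructed samples in nginx's
default "combined" format; IP addresses and paths are sample values.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two clients hit denied locations, one is served.
SAMPLE_LOG = """\
45.34.21.10 - - [10/Jun/2024:06:22:01 +0000] "GET /product/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
45.34.21.10 - - [10/Jun/2024:06:22:02 +0000] "GET /product/data/report.csv HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:06:22:03 +0000] "GET /product/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
45.34.21.10 - - [10/Jun/2024:06:22:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
54.23.10.13 - - [10/Jun/2024:06:22:05 +0000] "GET /test.html HTTP/1.1" 403 153 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not fit."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_by_ip(log_text: str) -> Dict[str, Counter]:
    """Map each client IP to a Counter of paths that were answered with 403."""
    denied: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == "403":
            denied[entry["ip"]][entry["path"]] += 1
    return dict(denied)


def summarize(log_text: str) -> List[Tuple[str, int]]:
    """Return (ip, number_of_403s) pairs, most-denied client first."""
    totals = [(ip, sum(paths.values())) for ip, paths in denied_by_ip(log_text).items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG):
        print(f"{ip:15} {count} request(s) denied")
        for path, n in denied_by_ip(SAMPLE_LOG)[ip].most_common():
            print(f"    {path} x{n}")
```

Two things to keep in mind when reading the output. The access log alone cannot tell a 403 produced by a deny rule from a 403 produced for another reason; the error log is unambiguous, because the access module records each rejection there as "access forbidden by rule". And if NGINX sits behind a load balancer or reverse proxy, $remote_addr is the proxy's address, so IP-based allow and deny rules only see the real client once ngx_http_realip_module is configured to trust the proxy's forwarded-address header.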

Conclusion

In this tutorial, we have learnt how to restrict access to a specific directory, subdirectory, URL or file in NGINX using the deny directive. The key part is to construct the deny statement with the appropriate IP address or range of IPs, then place it in the location block for the directory or URL in question. If you want to block access from multiple IP addresses, add separate deny statements, one for each IP. If you want to block access from a range of IPs, use CIDR notation to specify the range. You can also combine deny with an allow statement to block all IP addresses except a few. Finally, please note that if you place the statement in the server block, it restricts access to all URLs on that server, so be careful how you use it. Nevertheless, controlling access in NGINX is easy and flexible.
