Last updated on June 11th, 2024 at 09:20 am
Sometimes you need to limit access to one or more URLs on your website. This is especially true if you find bots requesting URLs that do not exist on your website, as it can bring down your server. There are several ways to block URL access on NGINX server. In this article, we will look at how to restrict access to URL in NGINX.
Why Block URL Access in NGINX
Generally, NGINX is used as a proxy server along with an application server such as Apache. Every request sent to your website is received by NGINX before it is passed to the application server. If a bot keeps requesting non-existent URLs on your website, your application server will be busy responding with ‘404:Page not found’. If it receives too many such requests, then it may become overloaded and crash quickly. Therefore, it is important to block such URLs in NGINX itself so that they do not pass to application server.
Another reason for restricting URL access is when it contains sensitive or private information. In such cases, you will need to restrict, if not block access, to the URL. For example, you may not want everyone to have access to the admin pages of your website. In this case also, you can use NGINX to easily control URL access, without modifying any code on your site.
How to Restrict Access to URL in NGINX
For our purpose, we will use Deny directive that is already available in every NGINX server configuration by default. Here are the steps to restrict access to URL in NGINX.
1. Open NGINX configuration file
Open terminal and run the following command to open NGINX configuration file.
$ sudo vi /etc/nginx/nginx.conf
If you have configured separate virtual hosts for your website (e.g www.example.com), such as /etc/nginx/sites-enabled/example.conf then open its configuration with the following command
$ sudo vi /etc/nginx/sites-enabled/example.conf
2. Restrict Access to URL
Let us say you want to limit access to /product.html URL by IP 45.34.21.10. In that case, add the following Deny directive in the location block of this URL.
Deny 45.34.21.10
Now let us learn several common use cases to restrict URL access in NGINX.
Restrict Access from Single IP
Here is the simplest case where you need to block access to a single URL from a single IP address. Add the following in the location block for /product.html, in your NGINX server configuration.
location /product.html {
...
deny 45.34.21.10;
...
}
Restrict Access from Multiple IP
If you want to limit URL access for multiple IPs, add separate Deny statements, one for each IP as shown. Here is an example to block requests from IPs 45.34.21.10 and 54.23.10.13.
location /product.html {
...
Deny 45.34.21.10;
Deny 54.23.10.13;
...
}
Block Access from IP Range
If you want to limit access to URL for an IP range such as 45.23.10.0-45.23.10.255 then specify IP range using CIDR notation.
location /product.html {
...
Deny 45.34.21.0/24;
...
}
Block Access from All IPs
If you want to block access from all IP addresses, then simply add ‘Deny All’ statement in your location block as shown below.
location /product.html {
...
Deny All;
...
}
When you use Deny directive, NGINX will return 403: Access Forbidden response. This may alert the attacker that the page exists but they do not have access, prompting them to try other methods. It is safer to simply return 404: Page not found message instead.
location /product.html {
...
return 404;
...
}
Block Access to Multiple URLs
You can also use the same Deny statement to block access to multiple URLs, by combining them using pipe (I) operator.
location ~ /(login|admin)\.php$
{
Deny 45.34.21.10;
}
Quite often, websites receive bogus requests for .php or .jsp pages even though their website is not built using either of these technologies. This is done to determine your tech stack, based on server responses, and exploit its vulnerabilities.
Here is an example to easily block all such requests. It will block requests to .php, .jsp, .asp and .perl pages. You can customize it as per your requirement.
location ~ (\.php$|\.jsp$|\.asp$|\.perl$)
{
return 404;
}
OR
location ~ (\.php$|\.jsp$|\.asp$|\.perl$)
{
Deny All;
}
Allow Access from Only One IP
If you want to restrict access to URL by all IPs except one known IP 45.34.21.10, then add the following Deny and Allow statements as shown.
location /login.php {
...
Allow 45.34.21.10;
Deny All;
...
}
The allow statement will allow access to specified IP and deny statement will limit access to all other IPs. This is very useful to control access to your website’s admin pages and other pages that contain sensitive information.
Deny vs Return Statement
NGINX allows you to block URL access using Deny as well as Return statements. You can use Deny statement to precisely block access from specific IP addresses and ranges. Alternatively, you can also use return statement to return 403 or 404 response code to all IPs.
The key difference between Deny and return statement is that Deny statement returns 403 response only to specific IPs but return statement sends the same response to all IP addresses. On the other hand, Deny statement will always return 403 response code whereas return statement can be customized to return different response codes.
3. Restart NGINX Server
Finally, run the following command to check syntax of your updated config file.
$ sudo nginx -t
If there are no errors, run the following command to restart NGINX server.
$ sudo service nginx reload #debian/ubuntu
$ systemctl restart nginx #redhat/centos
Conclusion
In this article, we have learnt how to restrict access to URL in NGINX. We have learnt several common use cases to block access from one IP, multiple IPs, IP ranges. We have also learnt how to block access to multiple URLs using single location block. Although we have learnt how to block URL access, the same directives can be used to deny access to directories as well as files. The key is to first identify the malicious IP addresses using NGINX server log and then block them in server config file.
Also read :
How to Configure NGINX Log Rotation
How to Fix NGINX Worker Connections Not Enough
How to Disable ETag in NGINX
Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it today!
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.