
IP-based access control (allow/deny) in Nginx - Commands & Configuration

Introduction
Sometimes you want to control who can visit your website by allowing or blocking certain IP addresses. IP-based access control lets you do this easily with nginx by specifying which IPs can or cannot access your site.
When you want to block a specific IP address that is causing trouble on your website.
When you want to allow only your office IP to access an internal web app.
When you want to restrict access to a sensitive admin page to certain IPs.
When you want to temporarily deny access to a region by blocking its IP range.
When you want to whitelist trusted IPs and deny all others for security.
Config File - nginx.conf
server {
    listen 80;
    server_name example.com;

    location / {
        # Allow only 192.168.1.100 and 10.0.0.0/24
        allow 192.168.1.100;
        allow 10.0.0.0/24;
        deny all;

        root /var/www/html;
        index index.html;
    }
}

This nginx configuration sets up a server listening on port 80 for example.com.

Inside the location / block, it allows requests only from IP 192.168.1.100 and the IP range 10.0.0.0/24.

All other IPs are denied access with deny all;.

This controls who can access the website content served from /var/www/html.

Commands
This command tests the nginx configuration file for syntax errors before applying it. It helps catch mistakes early.
Terminal
sudo nginx -t
Expected Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
This command reloads nginx to apply the new configuration without stopping the server, so your site stays online.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
This command sends a simple HTTP request to check if the site is accessible from your current IP after applying the access control.
Terminal
curl -I http://example.com
Expected Output
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Jan 2025 12:00:00 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
This command tries to access the site from a different network interface to simulate a denied IP and check if access is blocked.
Terminal
curl -I --interface eth1 http://example.com
Expected Output
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 01 Jan 2025 12:00:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Key Concept

If you remember nothing else from this pattern, remember: nginx processes allow and deny rules in order and stops at the first match to decide access.

Common Mistakes
Placing 'deny all;' before any 'allow' rules
nginx will deny all requests immediately, ignoring any allow rules after it.
Always list all 'allow' directives first, then end with 'deny all;' to block everyone else.
Not testing nginx configuration before reload
A syntax error can cause nginx to fail to reload, making the site unavailable.
Run 'sudo nginx -t' to check config syntax before reloading nginx.
Using incorrect IP format or missing subnet mask for ranges
nginx will not recognize the IP range and may allow or deny incorrectly.
Use correct IP or CIDR notation like '10.0.0.0/24' for ranges.
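The following script is an added example, not code from the page or from nginx itself. It re-implements the first-match allow/deny decision described in the Key Concept, so you can check a rule list offline before reloading: it parses directives in the same shape as the nginx.conf above, evaluates sample client addresses against both the correct ordering and the misordered "deny all first" list from Common Mistakes, and rejects a malformed address (the third Common Mistake) at parse time. The rule strings, client addresses and the helper names parse_rules, is_allowed and decide are all constructed for this example.

```python
"""First-match evaluation of nginx-style allow/deny rules.

Added example: this is not nginx code, only a model of the decision logic
the tutorial describes, so rule order can be checked without a live server.
"""
import ipaddress

# Constructed rule lists, one directive per line, in the order nginx reads
# them inside a location block. allow/deny take an IP, a CIDR range, or "all".
RULES_CORRECT = """
allow 192.168.1.100;
allow 10.0.0.0/24;
deny all;
"""

# The misordering from Common Mistakes: "deny all;" comes first, so it
# matches every client and the allow lines are never reached.
RULES_MISORDERED = """
deny all;
allow 192.168.1.100;
allow 10.0.0.0/24;
"""


def parse_rules(text):
    """Parse allow/deny directives into (action, network) tuples.

    network is None for the keyword "all", which matches any address.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"directive must end with ';': {raw!r}")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"expected 'allow|deny <addr>;': {raw!r}")
        action, target = parts
        if target == "all":
            rules.append((action, None))
        else:
            # A bare address becomes a /32 (or /128) network, i.e. one host.
            # strict=False accepts 10.0.0.1/24 as nginx does (nginx only warns).
            # A malformed value such as "10.0.0/24" raises ValueError here,
            # which is the "incorrect IP format" mistake caught before reload.
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def is_allowed(rules, client_ip):
    """Return True if client_ip is allowed, False if it is denied.

    Walks the rules in order and stops at the first match (the Key Concept).
    If no rule matches, nginx allows the request, which is why a trailing
    "deny all;" is needed to block everyone not listed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or addr in network:
            return action == "allow"
    return True


def decide(rules_text, client_ip):
    """HTTP status nginx would send for client_ip under the given rules."""
    return 200 if is_allowed(parse_rules(rules_text), client_ip) else 403


if __name__ == "__main__":
    for ip in ("192.168.1.100", "10.0.0.37", "10.0.1.5", "203.0.113.9"):
        print(f"{ip:>15}  correct={decide(RULES_CORRECT, ip)}  "
              f"misordered={decide(RULES_MISORDERED, ip)}")
```

Two points the model makes visible: with the correct ordering 192.168.1.100 and 10.0.0.37 get 200 while 10.0.1.5 and 203.0.113.9 get 403, and with the misordered list every address gets 403 because "deny all;" is the first match. One caveat the script does not model: nginx matches these rules against the TCP peer address, so behind a reverse proxy or load balancer every request appears to come from the proxy and an allow list silently admits or blocks the wrong clients; in that deployment the realip module (set_real_ip_from and real_ip_header) has to be configured before allow/deny is meaningful.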
Summary
Write 'allow' rules first to specify permitted IPs, then 'deny all;' to block others.
Test your nginx config with 'nginx -t' before reloading to avoid downtime.
Reload nginx to apply changes without stopping the server.
Use curl or a browser to verify access control is working as expected.