How to use Nginx to restrict access to everyfiles to, except the php files in /

Maxim Dounin mdounin at
Wed Nov 12 11:24:40 UTC 2014


On Wed, Nov 12, 2014 at 05:26:27AM -0500, carlg wrote:

> Hi,
> I want to configure our nginx to be a little more paranoid concerning file
> access.
> Right now, I am using rules like:
> location /includes {
> allow;
> deny all;
> }
> ... but I need to repeat this kind of rule for every folder, and then
> restrict access to the php files inside. So our rules file is too long,
> complicated and getting very messy.  Also, this doesn't protect the php
> files, only the folders, so I need to add more and more rules, always.
> The php files a visitor requires to be able to reach directly are in / (like
> index.php, login.php, etc.)
> I would like to restrict every other files to, and then add some
> rules to allow all traffic only where required.
> But I cannot figure out how I can achieve this with nginx.  I'm pretty sure
> there is a single rule that can do this. :D
> Any help will be very appreciated, and may help many others, I am sure, to be
> more secure

Most secure approach would be to explicitly allow access to 
certain files by using access rules at server (or even http) 
level, like this:

    server {

        # default for every location without its own allow/deny
        deny all;

        # exact-match exception for one URI
        location = /file_to_be_allowed {
            allow all;
        }
    }

Note that you have to configure all required processing, not just 
access rules.  That is, for php files you'll have to configure 
fastcgi_pass/whatever as appropriate.

Maxim Dounin
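
A fuller configuration along the lines of the reply above, as an added example that is not part of the original message: server-level `deny all`, exact-match locations for the entry points named in the question (index.php, login.php), and the FastCGI processing each one needs. The server name, document root, PHP-FPM socket path and the `/static/` prefix are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/app;                # assumed document root

    # Default deny. allow/deny are inherited by a location only when that
    # location defines no allow/deny directives of its own.
    deny all;

    # "/" is served by the index module through an internal redirect to
    # /index.php. The access check runs in this location first, so it
    # needs its own allow, otherwise "/" returns 403.
    location = / {
        allow all;
        index index.php;
    }

    # Exact-match entry points. /includes/index.php and /index.php/x do not
    # match these locations and fall back to the server-level deny.
    location = /index.php {
        allow all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    location = /login.php {
        allow all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Static assets (assumed prefix). The nested location would otherwise
    # inherit "allow all" and serve .php files here as plain source text.
    location /static/ {
        allow all;

        location ~ \.php$ {
            deny all;
        }
    }
}
```

Any URI without a matching location, and any location without its own access rules, ends up with the server-level `deny all` and returns 403.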
