Hierarchy of malformed requests and blocked IPs

Valentin V. Bartenev vbart at nginx.com
Sat Jul 30 10:18:47 UTC 2016

On Friday 29 July 2016 23:01:05 lists at lazygranch.com wrote:
> I see a fair amount of hacking attempts in the access.log. That is, they 
show up with a return code of 400 (malformed). Well yeah, they are certainly 
malformed. But when I add the offending IP address to my blocked list, they 
still show up as malformed upon subsequent readings of access.log. That is, it 
appears to me that nginx isn't checking the blocked list first.
> If true, shouldn't the blocked IPs take precedence?
> Nginx 1.10.1 on freebsd 10.2

It's unclear what do you mean by "my blocked list".  But if you're
speaking about "ngx_http_access_module" then the answer is no, it
shouldn't take precedence.  It works on a location basis, which
implies that the request has been parsed already.

  wbr, Valentin V. Bartenev

More information about the nginx mailing list