deny in http {}, get 500 response , how to log this?

meteor8488 nginx-forum at forum.nginx.org
Mon Mar 28 22:32:28 UTC 2016 

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Mon, Mar 28, 2016 at 03:54:40AM -0400, meteor8488 wrote:
> 
> > Hi All,
> > 
> > I'm using deny to deny some IPs for my server.
> > 
> > http {
> >       deny 192.168.1.123; # this is an example
> > 
> > 
> > 	server {
> > 
> > 		error_page  403 /error/403.htm;
> > 		error_page  404 /error/404.htm;
> > 		error_page  502 /error/502.htm;
> > 		error_page  503 /error/503.htm;
> > 
> > 		location = /error/403.htm {
> > 			index 403.htm;
> > 			access_log /var/log/403.log  main;
> > 		}
> > 
> > 		location ~* ^/(data|image)/.*.(php|php5)$ {
> > 			deny all;
> > 		}
> > }
> > 
> > I found that if 192.168.1.123 access my server, due to this ip is
> blocked in
> > http {}, so it will get a 500 response.
> > And if someone (IP not blocked) try to access my data/*.php, he will
> get a
> > 403 response.
> > 
> > And all these 500 and 403 response will be put into my 403.log.
> 
> That's because all of the requests are redirected /error/403.htm 
> by the error_page directive, and you have logging to 403.log 
> configured in the corresponding location.
> 
> The 500 error code is logged for requests from blocked IPs 
> because:
> 
> - "deny" rule works in the location /error/403.htm, hence 403 
>   error is triggered again;
> 
> - you have recursive_error_pages 
>   (http://nginx.org/r/recursive_error_pages) enabled somewhere in your
> 
>   configuration, and your configuration causes redirect loop which 
>   in turn results in error 500 after 10 iterations.
> 
> To resolve the redirect loop, consider using "allow all" in the 
> location /error/403.htm.
> 
> > Is it possible to put 500 response to a separate log? Then my 403
> log will
> > only log these who is trying to access the protected files.
> 
> Yes.  You can configure different error pages for protected files 
> and the rest of the site, and log them separately.  E.g.:
> 
>     deny 192.168.1.123;
> 
>     error_page 403 /error/403.nolog.htm;
> 
>     location = /error/403.htm {
>         allow all;
>         access_log /path/to/403.log;
>     }
> 
>     location = /error/403.nolog.htm {
>         allow all;
>         alias /error/403.htm;
>         access_log off;
>     }
> 
>     location /protected/ {
>         deny all;
>         error_page 403 /error/403.htm;
>     }
> 
> > I understand that if I put "deny IP" in to server {}, it will get a
> 403
> > response. But I want to deny some IPs on the whole server level. 
> 
> No, there is no difference between "deny" specified at http{} or 
> server{} level.
> 
> -- 
> Maxim Dounin
> http://nginx.org/
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



Thanks for your quickly response.
It's quite clear and easy to understand!
Thanks again

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265680,265695#msg-265695

More information about the nginx mailing list