Allow and Deny IP's

Francis Daly francis at
Wed Feb 7 00:02:49 UTC 2018

On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:

Hi there,

> When i run this curl call -> curl -X GET -H
> 'cache-control: no-cache' -H 'postman-token:
> 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for:'
> Ideally the request should not be allowed and the access log should report
> 403 instead of 200

Why should it not be allowed?

What IP address are you making the request from?

> I get 200 OK in the access.log
>   location / {
>         proxy_set_header X-Forwarded-For $remote_addr;
>         allow;
>         allow;
>         deny all;
>         error_page 404 /404.html;
>             location = /40x.html {
>         }
> Please let me know if i am missing anything.

Your config fragment is incomplete. But when I use something similar,
I get the expected http 200 from an address in the "allow" list, and
the expected http 403 from an address not in the "allow" list.

The output of "nginx -V" might be interesting, in case you are using a
version that has broken allow/deny handling.

Francis Daly        francis at

More information about the nginx mailing list