ngx_http_access

Igor Sysoev is at rambler-co.ru
Tue Feb 20 16:52:53 MSK 2007


On Tue, Feb 20, 2007 at 03:40:19PM +0200, Anonymous Coward wrote:

> oh, dumb me... i didn't knew you can setup access at server level
> 
> Anyway, the problem still persists if i want to deny access just to
> http://sub.domain.tld/myadmin  using this
> 
>        location /myadmin {
>                allow 192.168.2.2;
>                deny all;
>                }
> 
> Ill try to explain again... with that config if a user let's say from
> 192.168.2.3 is trying to see http://sub.domain.tld/myadmin he gets access
> denied which is OK... but if he tries
> http://sub.domain.tld/myadmin/index.php he can see the site with no problem
> 
> (the problem with http://sub.domain.tld/ not working and
> http://sub.domain.tld/index.php working was apparently from Firefox, fixed
> after cleared the cache, weird tho')
> 
> i hope that was more clear :)

See the order of location processing:
http://wiki.codemongers.com/NginxHttpCoreModule#location

You need something like this:

        location / {
            ...
        }

        location /myadmin {         # static /myadmin files
            allow 192.168.2.2;
            deny all;
            ...
        }

        location ~ ^/myadmin/.+\.php$ {
            allow 192.168.2.2;
            deny all;
            ...
            fastcgi settings
        }

        location ~ .php$ {
            ...
            fastcgi settings
        }



> On 2/20/07, Igor Sysoev <is at rambler-co.ru> wrote:
> >
> >On Tue, Feb 20, 2007 at 02:39:19PM +0200, Anonymous Coward wrote:
> >
> >> im trying to deny access to everything that it's a dir/vhost using the
> >> following config
> >>
> >>        server {
> >>                listen          192.168.2.1;
> >>                server_name     mysub.domain.tld;
> >>
> >>                access_log      /var/log/nginx/localhost.access_log main;
> >>                error_log       /var/log/nginx/localhost.error_log;
> >>
> >>                root /var/www/localhost/htdocs/mysub.domain.tld;
> >>        location / {
> >>                allow 192.168.2.2;
> >>                deny all;
> >>                }
> >>        location /nginx_status {
> >>                stub_status on;
> >>                access_log   off;
> >>                allow 127.0.0.1;
> >>                deny all;
> >>                }
> >>        location ~ .php$ {
> >>                include /etc/nginx/fastcgi_params;
> >>                fastcgi_pass   127.0.0.1:1105;
> >>                fastcgi_index  index.php;
> >>
> >>            # where the php files to pass to the listener.
> >>                fastcgi_param  SCRIPT_FILENAME
> >> /var/www/localhost/htdocs/mysub.domain.tld$fastcgi_script_name;
> >>                }
> >>        }
> >>
> >>
> >> Now there are 2 problems
> >> - it only denies access to http://mysub.domain.tld/  if i connect from
> >> another host
> >> - if i connect from the right host when i try to access
> >> http://mysub.domain.tld/ it wants me to download or open a file... if i
> >try
> >> http://mysub.domain.tld/index.php it works ok... same with
> >> http://mysub.domain.tld/myadmin for example still wants me to
> >download/open
> >> file but works with http://mysub.domain.tld/myadmin/index.php
> >>
> >> i tried with location ~ .* also but i get the same result except that it
> >> correctly denies access to everything apparently... but i still can't
> >see
> >> the site from an allowed ip
> >>
> >> What im doing wrong?
> >>
> >> location ~ .*
> >
> >I can not understand the described situation, but if you want to deny
> >access to the whole site from anywhere except 192.168.2.2, then you should
> >set up access/deny rules at server level, and they will be inherited
> >to all locations.
> >
> >
> >--
> >Igor Sysoev
> >http://sysoev.ru/en/
> >
> >

-- 
Igor Sysoev
http://sysoev.ru/en/





More information about the nginx mailing list