ngx_http_access

Igor Sysoev is at rambler-co.ru
Tue Feb 20 17:30:59 MSK 2007


On Tue, Feb 20, 2007 at 04:19:01PM +0200, Anonymous Coward wrote:

> But using your location examples denies access only to /myadmin and
> /myadmin/*.php files
> and if I try /myadmin/important.txt or anything else I will see it even if
> I'm not in the ACL

The "/myadmin/important.txt" should be handled under "location /myadmin",
provided you have no "location ~ \.txt$".

> So for my case to deny access to anything that resides in a folder
> 
>        location ~ ^/directory/(.*) {
> 
> worked OK apparently (you still have to add fastcgi params if you need any PHP
> files to work in that dir :P)
> 
> Thank you again Igor for a great software and support.
> 
> 
> On 2/20/07, Igor Sysoev <is at rambler-co.ru> wrote:
> >
> >On Tue, Feb 20, 2007 at 03:40:19PM +0200, Anonymous Coward wrote:
> >
> >> oh, dumb me... I didn't know you can set up access at server level
> >>
> >> Anyway, the problem still persists if I want to deny access just to
> >> http://sub.domain.tld/myadmin  using this
> >>
> >>        location /myadmin {
> >>                allow 192.168.2.2;
> >>                deny all;
> >>                }
> >>
> >> I'll try to explain again... with that config if a user, let's say from
> >> 192.168.2.3, is trying to see http://sub.domain.tld/myadmin he gets access
> >> denied which is OK... but if he tries
> >> http://sub.domain.tld/myadmin/index.php he can see the site with no problem
> >>
> >> (the problem with http://sub.domain.tld/ not working and
> >> http://sub.domain.tld/index.php working was apparently from Firefox, fixed
> >> after clearing the cache, weird tho')
> >>
> >> I hope that was more clear :)
> >
> >See the order of location processing:
> >http://wiki.codemongers.com/NginxHttpCoreModule#location
> >
> >You need something like this:
> >
> >        location / {
> >            ...
> >        }
> >
> >        location /myadmin {         # static /myadmin files
> >            allow 192.168.2.2;
> >            deny all;
> >            ...
> >        }
> >
> >        location ~ ^/myadmin/.+\.php$ {
> >            allow 192.168.2.2;
> >            deny all;
> >            ...
> >            fastcgi settings
> >        }
> >
> >        location ~ .php$ {
> >            ...
> >            fastcgi settings
> >        }
> >
> >
> >
> >> On 2/20/07, Igor Sysoev <is at rambler-co.ru> wrote:
> >> >
> >> >On Tue, Feb 20, 2007 at 02:39:19PM +0200, Anonymous Coward wrote:
> >> >
> >> >> I'm trying to deny access to everything that it's a dir/vhost using the
> >> >> following config
> >> >>
> >> >>        server {
> >> >>                listen          192.168.2.1;
> >> >>                server_name     mysub.domain.tld;
> >> >>
> >> >>                access_log      /var/log/nginx/localhost.access_log main;
> >> >>                error_log       /var/log/nginx/localhost.error_log;
> >> >>
> >> >>                root /var/www/localhost/htdocs/mysub.domain.tld;
> >> >>        location / {
> >> >>                allow 192.168.2.2;
> >> >>                deny all;
> >> >>                }
> >> >>        location /nginx_status {
> >> >>                stub_status on;
> >> >>                access_log   off;
> >> >>                allow 127.0.0.1;
> >> >>                deny all;
> >> >>                }
> >> >>        location ~ .php$ {
> >> >>                include /etc/nginx/fastcgi_params;
> >> >>                fastcgi_pass   127.0.0.1:1105;
> >> >>                fastcgi_index  index.php;
> >> >>
> >> >>            # where the php files to pass to the listener.
> >> >>                fastcgi_param  SCRIPT_FILENAME
> >> >> /var/www/localhost/htdocs/mysub.domain.tld$fastcgi_script_name;
> >> >>                }
> >> >>        }
> >> >>
> >> >>
> >> >> Now there are 2 problems
> >> >> - it only denies access to http://mysub.domain.tld/ if I connect from
> >> >> another host
> >> >> - if I connect from the right host when I try to access
> >> >> http://mysub.domain.tld/ it wants me to download or open a file... if I try
> >> >> http://mysub.domain.tld/index.php it works OK... same with
> >> >> http://mysub.domain.tld/myadmin for example still wants me to download/open
> >> >> file but works with http://mysub.domain.tld/myadmin/index.php
> >> >>
> >> >> I tried with location ~ .* also but I get the same result except that it
> >> >> correctly denies access to everything apparently... but I still can't see
> >> >> the site from an allowed IP
> >> >>
> >> >> What am I doing wrong?
> >> >>
> >> >> location ~ .*
> >> >
> >> >I can not understand the described situation, but if you want to deny
> >> >access to the whole site from anywhere except 192.168.2.2, then you should
> >> >set up access/deny rules at server level, and they will be inherited
> >> >to all locations.
> >> >
> >> >
> >> >--
> >> >Igor Sysoev
> >> >http://sysoev.ru/en/
> >> >
> >> >
> >
> >--
> >Igor Sysoev
> >http://sysoev.ru/en/
> >
> >

-- 
Igor Sysoev
http://sysoev.ru/en/
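
Added example (not part of the original messages and not nginx code): a small Python model of nginx location selection, run over the three URIs from this thread, showing which requests land in a location that carries no allow/deny rules. It goes slightly beyond the thread by also checking the order dependence of the poster's catch-all regex; the tuples, names and URI list are constructed for illustration, and regexes are matched with Python's re instead of PCRE.

```python
import re

def pick_location(locations, uri):
    """Select a location the way nginx does: exact match, then longest
    prefix, then the first matching regex in config order (unless the
    longest prefix is marked ^~), else the longest prefix."""
    best = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best                      # ^~ suppresses the regex pass
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)        # first regex in file order wins
    return best

def unprotected(locations, restricted, uris):
    """URIs that end up in a location carrying no allow/deny rules."""
    return [u for u in uris if pick_location(locations, u) not in restricted]

# Constructed from the thread: (modifier, pattern) pairs in file order.
URIS = ["/myadmin", "/myadmin/index.php", "/myadmin/important.txt"]
PHP = ("~", r".php$")                    # generic PHP location, no ACL
ADMIN = ("", "/myadmin")                 # prefix location with allow/deny
ADMIN_PHP = ("~", r"^/myadmin/.+\.php$")  # regex location with allow/deny
ADMIN_RE = ("~", r"^/myadmin/(.*)")      # the poster's regex, path adapted

ORIGINAL = [("", "/"), ADMIN, PHP]
SUGGESTED = [("", "/"), ADMIN, ADMIN_PHP, PHP]
REGEX_FIRST = [("", "/"), ADMIN, ADMIN_RE, PHP]
REGEX_LAST = [("", "/"), ADMIN, PHP, ADMIN_RE]

if __name__ == "__main__":
    for name, cfg, acl in [("original", ORIGINAL, {ADMIN}),
                           ("suggested", SUGGESTED, {ADMIN, ADMIN_PHP}),
                           ("regex first", REGEX_FIRST, {ADMIN, ADMIN_RE}),
                           ("regex last", REGEX_LAST, {ADMIN, ADMIN_RE})]:
        print(f"{name:12} unprotected: {unprotected(cfg, acl, URIS)}")
```

A restricted regex location only protects PHP requests when it appears before the generic PHP regex in the file, which is why the ordering in the suggested configuration matters.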




