How to use Nginx to restrict access to every file to 127.0.0.1, except the php files in /
Maxim Dounin
mdounin at mdounin.ru
Wed Nov 12 11:24:40 UTC 2014
Hello!
On Wed, Nov 12, 2014 at 05:26:27AM -0500, carlg wrote:
> Hi,
>
> I want to configure our nginx to be a little more paranoid concerning file
> access.
>
> Right now, I am using rules like:
>
>     location /includes {
>         allow 127.0.0.1;
>         deny all;
>     }
>
> ... but I need to repeat this kind of rule for every folder, and then
> restrict access to the php files inside. So our rules file is too long,
> complicated and getting very messy. Also, this doesn't protect the php
> files, only the folders. So I need to add more and more rules, always.
>
> The php files a visitor requires to be able to reach directly are in / (like
> index.php, login.php, etc.)
>
> I would like to restrict every other file to 127.0.0.1, and then add some
> rules to allow all traffic only where required.
>
> But I cannot figure out how I can achieve this with nginx. I'm pretty sure
> there is a single rule that can do this. :D
>
> Any help will be very appreciated, and may help many others, I am sure, to be
> more secure

The most secure approach would be to explicitly allow access to
certain files by using access rules at server (or even http)
level, like this:

    server {
        ...
        allow 127.0.0.1;
        deny all;

        location = /file_to_be_allowed {
            allow all;
            ...
        }
        ...
    }

Note that you have to configure all required processing, not just
access rules. That is, for php files you'll have to configure
fastcgi_pass/whatever as appropriate.

--
Maxim Dounin
http://nginx.org/
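
The approach from the reply above, written out as a complete server block for the layout in the question (index.php and login.php in /). This is an added example, not configuration from the thread; the server name, document root, PHP-FPM socket path and the /assets/ directory are assumptions.

```nginx
server {
    listen 80;
    server_name example.test;        # placeholder name (assumption)
    root /var/www/app;               # assumed document root
    index index.php;

    # Server-level default: only loopback may request anything.
    # A location inherits these rules only while it defines no
    # allow/deny of its own.
    allow 127.0.0.1;
    deny all;

    # FastCGI parameters shared by every PHP location below.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # "/" is answered by an internal redirect to /index.php, so both
    # the directory URI and the script must be opened.
    location = / {
        allow all;
    }

    # Entry points visitors may reach directly (exact matches only).
    location = /index.php {
        allow all;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
    location = /login.php {
        allow all;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Static files the public pages need (assumed directory).
    location /assets/ {
        allow all;
    }

    # Every other PHP file: no allow/deny here, so the server-level
    # "allow 127.0.0.1; deny all;" applies. Exact-match locations above
    # win over this regex, so the public entry points are unaffected.
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After `nginx -t` and a reload, a request from a non-loopback address for anything outside the listed locations should return 403.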