deny in http {}, get 500 response, how to log this?
meteor8488
nginx-forum at forum.nginx.org
Mon Mar 28 22:32:28 UTC 2016
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Mon, Mar 28, 2016 at 03:54:40AM -0400, meteor8488 wrote:
>
> > Hi All,
> >
> > I'm using deny to deny some IPs for my server.
> >
> > http {
> >     deny 192.168.1.123; # this is an example
> >
> >     server {
> >
> >         error_page 403 /error/403.htm;
> >         error_page 404 /error/404.htm;
> >         error_page 502 /error/502.htm;
> >         error_page 503 /error/503.htm;
> >
> >         location = /error/403.htm {
> >             index 403.htm;
> >             access_log /var/log/403.log main;
> >         }
> >
> >         location ~* ^/(data|image)/.*.(php|php5)$ {
> >             deny all;
> >         }
> >     }
> > }
> >
> > I found that if 192.168.1.123 accesses my server, because this IP is
> > blocked in http {}, it will get a 500 response.
> > And if someone (IP not blocked) tries to access my data/*.php, he will
> > get a 403 response.
> >
> > And all these 500 and 403 responses will be put into my 403.log.
>
> That's because all of the requests are redirected to /error/403.htm
> by the error_page directive, and you have logging to 403.log
> configured in the corresponding location.
>
> The 500 error code is logged for requests from blocked IPs
> because:
>
> - "deny" rule works in the location /error/403.htm, hence 403
> error is triggered again;
>
> - you have recursive_error_pages
> (http://nginx.org/r/recursive_error_pages) enabled somewhere in your
> configuration, and your configuration causes a redirect loop which
> in turn results in error 500 after 10 iterations.
>
> To resolve the redirect loop, consider using "allow all" in the
> location /error/403.htm.
>
> > Is it possible to put 500 responses into a separate log? Then my 403
> > log will only log those who are trying to access the protected files.
>
> Yes. You can configure different error pages for protected files
> and the rest of the site, and log them separately. E.g.:
>
>     deny 192.168.1.123;
>
>     error_page 403 /error/403.nolog.htm;
>
>     location = /error/403.htm {
>         allow all;
>         access_log /path/to/403.log;
>     }
>
>     location = /error/403.nolog.htm {
>         allow all;
>         alias /error/403.htm;
>         access_log off;
>     }
>
>     location /protected/ {
>         deny all;
>         error_page 403 /error/403.htm;
>     }
>
> > I understand that if I put "deny IP" into server {}, it will get a
> > 403 response. But I want to deny some IPs on the whole server level.
>
> No, there is no difference between "deny" specified at http{} or
> server{} level.
>
> --
> Maxim Dounin
> http://nginx.org/

Thanks for your quick response.
It's quite clear and easy to understand!
Thanks again
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265680,265695#msg-265695
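
The redirect loop and the separate-log fix described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how allow/deny, error_page 403 and access_log combine per location when recursive_error_pages is on. The helper names, the default log name access.log and the flattening of http{} and server{} into one level are assumptions of this model, not nginx code.

```python
import re

MAX_REDIRECTS = 10           # per the reply: error 500 "after 10 iterations"
BLOCKED = {"192.168.1.123"}  # example address from the post

def handle(conf, ip, uri):
    """Return (status, access_log) for one request; access_log None = off."""
    status, redirects = 200, 0
    while True:
        # First matching location wins (enough for these disjoint locations).
        loc = next((l for l in conf["locations"] if l["match"](uri)), {})
        # A directive set in the location replaces the inherited one.
        deny = loc.get("deny", conf["deny"])
        log = loc.get("access_log", conf["access_log"])
        page = loc.get("error_page", conf["error_page"])
        if deny != "all" and ip not in deny:
            return status, log      # allowed: answered and logged here
        status = 403
        if redirects == MAX_REDIRECTS:
            return 500, log         # redirect loop: request ends with 500
        redirects += 1
        uri = page                  # internal redirect to the 403 error page

def exact(path):
    return lambda uri: uri == path

# Configuration from the question (http{} and server{} flattened, an assumption).
original = {
    "deny": BLOCKED, "access_log": "access.log",   # default log name assumed
    "error_page": "/error/403.htm",
    "locations": [
        {"match": exact("/error/403.htm"), "access_log": "/var/log/403.log"},
        {"match": re.compile(r"^/(data|image)/.*.(php|php5)$", re.I).search,
         "deny": "all"},
    ],
}

# Configuration suggested in the reply; set() stands for "allow all".
fixed = {
    "deny": BLOCKED, "access_log": "access.log",   # default log name assumed
    "error_page": "/error/403.nolog.htm",
    "locations": [
        {"match": exact("/error/403.htm"), "deny": set(),
         "access_log": "/path/to/403.log"},
        {"match": exact("/error/403.nolog.htm"), "deny": set(), "access_log": None},
        {"match": lambda uri: uri.startswith("/protected/"), "deny": "all",
         "error_page": "/error/403.htm"},
    ],
}
```

Calling handle(original, "192.168.1.123", "/") reproduces the 500 entry in 403.log, while the same call against fixed ends with a 403 and no log entry.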