Nginx Directory Listing - Restrict by IP Address

Sathish Kumar satcse88 at gmail.com
Sat May 19 03:59:19 UTC 2018


Hi All,

I got it working now by adding the below code. Hope it will be useful for
who ever may need or looking for a solution. Only whitelisted IP addresses
can do directory listing, other IP addresses can only download the files.

nginx.conf

http{
....
geo $geoAutoIndexWhitelist {
    default        0;
   1.1.1.1  1;
}
}

site domain config domain.conf

server {
....
root /data/downloads;
autoindex off;

location / {
        if ($geoAutoIndexWhitelist) {
        rewrite ^/(.*)$ /allowed_downloads/$1/ last;
        }
        try_files $uri $uri.html $uri/ =404;
    }

    location /allowed_downloads/ {
        internal;
        alias /data/downloads/;
        autoindex on;
}
}

Later reload nginx service.


credits: shawn-c (stackoverflow)

Thanks & Regards
Sathish.V


On Sat, May 19, 2018 at 9:39 AM Sathish Kumar <satcse88 at gmail.com> wrote:

> Hi Igor,
>
> I tried your config and getting error, can you help me.
>
> location / {
>
> alias /downloads/;
>     root /data/files;
>     autoindex on;
>
>     if ($forbidlisting) {
>         rewrite ^/(.*) /noindex_root/$1 last;
>
>     }
> }
> location /noindex_root/ {
>     internal;
>     alias /downloads/;
> }
>
>
> nginx: [emerg] "root" directive is duplicate, "alias" directive was
> specified earlier in domain.conf
>
>
>
> Thanks & Regards
> Sathish.V
>
>
> On Sat, May 19, 2018 at 1:03 AM Igor A. Ippolitov <iippolitov at nginx.com>
> wrote:
>
>> This works for me:
>>
>>
>>     location / {
>>         alias /downloads/;
>>         autoindex on;
>>         if ($forbidlisting) {
>>             rewrite ^/(.*) /noindex_root/$1 last;
>>         }
>>     }
>>     location /noindex_root/ {
>>         internal;
>>         alias /downloads/;
>>     }
>>
>>
>>
>> On 18.05.2018 19:32, Sathish Kumar wrote:
>>
>> Hi,
>>
>> I am doing for location /, in that case how will have to change the below
>> portion.
>>
>> location /downloads {
>>     alias /downloads/;
>>     autoindex on;
>>     if ($forbidlisting) {
>>         rewrite /downloads(.*) /noindex_downloads/$1 last;
>>     }
>> }
>> location /noindex_downloads/ {
>>     internal;
>>     alias /downloads/;
>> }
>>
>>
>>
>> On Fri, May 18, 2018, 11:10 PM Igor A. Ippolitov <iippolitov at nginx.com>
>> wrote:
>>
>>> Sathish,
>>>
>>> I made a couple of minor mistakes.
>>>
>>> Please, try following configuration:
>>>
>>>
>>> map $remote_addr $forbidlisting {
>>>     default 1;
>>>     1.1.1.1 0;
>>> }
>>> location /downloads {
>>>     alias /downloads/;
>>>     autoindex on;
>>>     if ($forbidlisting) {
>>>         rewrite /downloads(.*) /noindex_downloads/$1 last;
>>>     }
>>> }
>>> location /noindex_downloads/ {
>>>     internal;
>>>     alias /downloads/;
>>> }
>>>
>>>
>>> I tried it and it works for me.
>>>
>>>
>>> On 18.05.2018 16:01, Sathish Kumar wrote:
>>>
>>> Hi,
>>>
>>> Tried this option it throws rewrite error and am not able to download
>>> file from non whitelisted ip addresses.
>>>
>>>
>>> ERROR:
>>> rewrite or internal redirection cycle while processing
>>> "/noindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsnoindex_downloadsDownloads/abcd/file.zip",
>>> client: 3.3.3.3, server: abc.com, request: "GET
>>> /Downloads/abcd/file.zip
>>>
>>>
>>> On Fri, May 18, 2018, 8:17 PM Igor A. Ippolitov <iippolitov at nginx.com>
>>> wrote:
>>>
>>>> Hello, guys.
>>>>
>>>> I think, you can try something like this:
>>>>
>>>> location = /downloads/ {
>>>>     root /downloads/;
>>>>     allow 1.1.1.1;
>>>>     autoindex on;
>>>> }
>>>> location /downloads/ {
>>>>     root /downloads/;
>>>> }
>>>>
>>>> This will work nicely if you don't need subdirectories.
>>>> If you need those, you can use a rewrite like:
>>>>
>>>> map $remote_addr $forbidlisting {
>>>>     default 1;
>>>>     1.1.1.1 0;
>>>> }
>>>> location /downloads/ {
>>>>     root /downloads/;
>>>>     autoindex on;
>>>>     if ($forbidlisting) {
>>>>         rewrite /downloads(.*) /noindex_downloads$1 last;
>>>>     }
>>>> }
>>>> location /noindex_downloads/ {
>>>>     internal;
>>>>     root /downloads/;
>>>> }
>>>>
>>>>
>>>> On 18.05.2018 14:17, Friscia, Michael wrote:
>>>>
>>>> I think you need to change this a little
>>>>
>>>>
>>>>
>>>> map $remote_addr $allowed {
>>>>     default         “off”;
>>>>     1.1.1.1         “on”;
>>>>     2.2.2.2         “on:;
>>>> }
>>>>
>>>> and then in in the download location block
>>>>
>>>>  autoindex $allowed;
>>>>
>>>> I use similar logic on different variables and try at all costs to
>>>> avoid IF statements anywhere in the configs.
>>>>
>>>>
>>>>
>>>> ___________________________________________
>>>>
>>>> Michael Friscia
>>>>
>>>> Office of Communications
>>>>
>>>> Yale School of Medicine
>>>>
>>>> (203) 737-7932 - office
>>>>
>>>> (203) 931-5381 - mobile
>>>>
>>>> http://web.yale.edu
>>>>
>>>>
>>>>
>>>> *From: *nginx <nginx-bounces at nginx.org> <nginx-bounces at nginx.org> on
>>>> behalf of PRAJITH <prajithpalakkuda at gmail.com>
>>>> <prajithpalakkuda at gmail.com>
>>>> *Reply-To: *"nginx at nginx.org" <nginx at nginx.org> <nginx at nginx.org>
>>>> <nginx at nginx.org>
>>>> *Date: *Friday, May 18, 2018 at 2:16 AM
>>>> *To: *"nginx at nginx.org" <nginx at nginx.org> <nginx at nginx.org>
>>>> <nginx at nginx.org>
>>>> *Subject: *Re: Nginx Directory Listing - Restrict by IP Address
>>>>
>>>>
>>>>
>>>> Hi Satish,
>>>>
>>>> There are "if" constructs in nginx, please check http://nginx.org/r/if
>>>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__nginx.org_r_if&d=DwMFaQ&c=cjytLXgP8ixuoHflwc-poQ&r=wvXEDjvtDPcv7AlldT5UvDx32KXBEM6um_lS023SJrs&m=fKmL-eoW-L4wbuOH4Cy1Z_3ZWkTmrmgNPGNe6O6FIV4&s=_hMwYrlV1QXfU7fEvfqx9BnEUgUoadjGtTqav5fo_7M&e=>.
>>>> if you want to allow multiple IP addresses, it might be better idea to use
>>>> map. eg:
>>>>
>>>> map $remote_addr $allowed {
>>>>     default         0;
>>>>     1.1.1.1         1;
>>>>     2.2.2.2         1;
>>>> }
>>>>
>>>> and then in in the download location block
>>>>
>>>>  if ($allowed = 1) {
>>>>         autoindex on;
>>>> }
>>>>
>>>> Thanks,
>>>>
>>>> Prajith
>>>>
>>>>
>>>>
>>>> On 18 May 2018 at 05:35, Sathish Kumar <satcse88 at gmail.com> wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We have a requirement to allow directory listing from few servers and
>>>> disallow from other ip addresses and all IP addresses should be able to
>>>> download all files inside the directory.
>>>>
>>>> Can somebody provide the correct nginx config for the same.
>>>>
>>>> location / {
>>>>
>>>> root /downloads;
>>>>
>>>> autoindex on;
>>>>
>>>> allow 1.1.1.1;
>>>>
>>>> deny all;
>>>>
>>>> }
>>>>
>>>> If I use the above config, only on 1.1.1.1 IP address can directory
>>>> list from this server and can file download but from other IP addresses
>>>> download shows forbidden, due to IP address restriction
>>>>
>>>> Is there a way to overcome this issue, thanks.
>>>>
>>>>
>>>> Thanks & Regards
>>>> Sathish.V
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=DwMFaQ&c=cjytLXgP8ixuoHflwc-poQ&r=wvXEDjvtDPcv7AlldT5UvDx32KXBEM6um_lS023SJrs&m=fKmL-eoW-L4wbuOH4Cy1Z_3ZWkTmrmgNPGNe6O6FIV4&s=UVcx123SYSrcJEG8dvDlswatIFjwcvFXOBJR6JO6VVk&e=>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>>
>>
>> _______________________________________________
>> nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180519/569e55af/attachment-0001.html>


More information about the nginx mailing list