Forbid web.config page from the browser as in

Kaushal Shriyan kaushalshriyan at
Fri Nov 13 00:21:57 UTC 2020

On Thu, Nov 12, 2020 at 8:13 PM Francis Daly <francis at> wrote:

> On Thu, Nov 12, 2020 at 07:17:46PM +0530, Kaushal Shriyan wrote:
> Hi there,
> > I am running the Nginx version: nginx/1.16.1 on CentOS Linux release
> > 7.8.2003 (Core). I am trying to forbid/prevent web.config file to
> > download it from the browser. When I hit
> > it is allowing me to download instead of
> > forbidding the page ( 403 Forbidden).
> When I use this config, it works for me (I get the http 403 response).
> Are you sure that the config file with this server{} block is read by
> your running nginx?
> Are there any other server{} blocks with the same (implicit) "listen"
> directive, that might mean that this server{} block is never used?
> What do you get if you do
>   curl -i -H Host:_ http://your-server/web.config
> where the "Host:_" part is an attempt to match the server_name that you
> set in this server{} block.
> (Change "your-server" to be a name or IP that your client can use to get
> at the web service.)

Hi Francis,

 Thanks Francis for the email response. There are two servers {} blocks one
with *listen 80 default_server* and the other with *listen 443 ssl* I am
running the website on port 443 and added the below in the server block
with listen 443 ssl. It worked perfectly. Thanks a lot for pointing the
issue and appreciate it.

location ^~ /web.config {
>             deny all;
>         }

Best Regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list