Allow/Deny rules in Location block

Reinis Rozitis r at
Wed Jan 25 13:29:07 UTC 2023

> [error] 11#11: *49 access forbidden by rule, client:, server: _, request: "GET /auth/ HTTP/1.1", host: "", referrer: ""
> It seems that the rule is working but at some wrong place, I am not sure how to organise or set the right sequence here.

Just from the log it seems correct - you have a rule to allow; but the ip doesn't go within that subnet (/24 subnet mask is just a single C subnet

Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):

     location /auth/ {
            deny all;
            auth_basic "Restricted area";
            auth_basic_user_file /etc/nginx/.htpasswd;
     }

If you wanted to get the basic HTTP auth for those who are not within allowed IP ranges, you need to add the 'satisfy any;' directive [1]

error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a relative URI, not a full path in the filesystem; this is why nginx also returns 404 (as it can't find the error page) instead of 403 forbidden.

If /usr/share/nginx/html is your default nginx webroot you can just specify:

error_page 403 /403.html;

If you store your error pages in a different webroot, add something like this:

location /403.html {
	root /usr/share/nginx/html;
}

Also your attached configuration has duplicate 'location /' directives. Nginx should complain about invalid configuration. Are you sure you are testing correctly?  
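
Added example, not part of the original message or of nginx itself: a small Python model of how the allow/deny rules and auth_basic combine under 'satisfy all' (the default) and 'satisfy any', showing why a client just outside the /24 gets the 403 from the log. The subnet, client addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed rule list in configuration order (RFC 5737 documentation range).
# The access module stops at the first rule that matches the client address.
RULES = [("allow", "192.0.2.0/24"), ("deny", "all")]


def access_check(client_ip, rules=RULES):
    """Return 'allow', 'deny', or None when no rule matches the client."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        # An IPv6 client never matches an IPv4 network (and vice versa).
        if target == "all" or ip in ipaddress.ip_network(target):
            return action
    return None


def response_status(client_ip, valid_credentials, satisfy="all", rules=RULES):
    """HTTP status for a location with allow/deny rules plus auth_basic."""
    ip_result = access_check(client_ip, rules)
    if satisfy == "all":
        # Both checks must pass; the address check runs first, so a denied
        # client gets 403 ("access forbidden by rule") before any password prompt.
        if ip_result == "deny":
            return 403
        return 200 if valid_credentials else 401
    # satisfy any: an allowed address OR valid credentials is enough.
    if ip_result == "allow" or valid_credentials:
        return 200
    # Neither passed: 401 takes precedence over 403, so the client is prompted.
    return 401


if __name__ == "__main__":
    for ip in ("192.0.2.77", "192.0.3.77"):  # inside the /24, adjacent /24
        for mode in ("all", "any"):
            for creds in (False, True):
                status = response_status(ip, creds, mode)
                print(f"{ip:12} satisfy {mode:3} creds={creds!s:5} -> {status}")
```
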


