Allow/Deny rules in Location block
Reinis Rozitis
r at roze.lv
Wed Jan 25 13:29:07 UTC 2023
> [error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server: _, request: "GET /auth/ HTTP/1.1", host: "http://my.domain.info", referrer: "https://my.domain.info"
It seems that the rule is working but at some wrong place, I am not sure how to organise or set the right sequence here.
Just from the log it seems correct - you have a rule to allow 10.48.0.0/24; but the ip 10.48.11.9 doesn't go within that subnet (/24 subnet mask is just a single C subnet 10.48.0.1-254).
Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):
location /auth/ {
allow 172.20.0.0/24;
allow 10.48.0.0/24;
#allow vpn1.ip.here;
allow vpn2.ip.here;
deny all;
proxy_pass http://127.0.0.1:8080;
auth_basic "Restricted area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
If you wanted to get the basic http auth for those who are not within allowed ip ranges you need to add 'satisfy any;' directive [1]
Also:
error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a relative uri not a full path in filesystem this is why nginx also returns 404 (as it can't find the error page) instead of 403 forbidden.
If /usr/share/nginx/html is your default nginx webroot you can just specify:
error_page 403 /403.html;
If you store your error pages in different webroot add something like this:
location /403.html {
root /usr/share/nginx/html;
}
Also your attached configuration has duplicate 'location /' directives. Nginx should complain about invalid configuration. Are you sure you are testing correctly?
[1] http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy
rr
More information about the nginx
mailing list