Allow/Deny rules in Location block

sandeep dubey sandeep.sanash at gmail.com
Fri Jan 27 14:00:32 UTC 2023


Thanks Reinis for the response and suggestions.

I made the changes and unfortunately couldn't make it work. Later realised
that we are running an Nginx Controller in a GKE env., so assuming that the
restriction changes should be done at controller level and not in the Nginx
(not very sure).

On Wed, Jan 25, 2023 at 6:59 PM Reinis Rozitis <r at roze.lv> wrote:

> > [error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server:
> _, request: "GET /auth/ HTTP/1.1", host: "http://my.domain.info",
> referrer: "https://my.domain.info"
> It seems that the rule is working but at some wrong place, I am not sure
> how to organise or set the right sequence here.
>
>
> Just from the log it seems correct - you have a rule to allow 10.48.0.0/24;
> but the ip 10.48.11.9 doesn't go within that subnet (/24 subnet mask is
> just a single C subnet 10.48.0.1-254).
>
> Then again, your whole configuration would be simpler with just a single
> location block (since it doesn't seem you have an application which uses
> /auth without a trailing slash):
>
>     location /auth/ {
>         allow 172.20.0.0/24;
>         allow 10.48.0.0/24;
>         #allow vpn1.ip.here;
>         allow vpn2.ip.here;
>         deny all;
>         proxy_pass http://127.0.0.1:8080;
>         auth_basic "Restricted area";
>         auth_basic_user_file /etc/nginx/.htpasswd;
>     }
>
> If you wanted to get the basic http auth for those who are not within
> allowed ip ranges you need to add 'satisfy any;' directive [1]
>
> Also:
> error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a
> relative URI, not a full path in the filesystem. This is why nginx also
> returns 404 (as it can't find the error page) instead of 403 forbidden.
>
> If /usr/share/nginx/html is your default nginx webroot you can just
> specify:
>
> error_page 403 /403.html;
>
> If you store your error pages in different webroot add something like this:
>
> location /403.html {
>         root /usr/share/nginx/html;
> }
>
> Also your attached configuration has duplicate 'location /' directives.
> Nginx should complain about invalid configuration. Are you sure you are
> testing correctly?
>
> [1] http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy
>
> rr


-- 
Regards,
Sandeep
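
The subnet mismatch discussed in this thread can be checked offline. The following is an added example, not part of either message and not nginx code: a small Python model of first-match allow/deny evaluation run against the client address from the logged error. The function names and the second client address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the allow/deny lines from the quoted location block,
# without the vpn*.ip.here placeholders (they are not parseable addresses).
RULES = """
allow 172.20.0.0/24;
allow 10.48.0.0/24;
deny all;
"""

def parse_rules(conf):
    """Return [(action, network or None for 'all')] in configuration order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
            rules.append((parts[0], net))
    return rules

def evaluate(rules, client):
    """First matching rule wins; with no match the request is allowed."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action, f"{action} {'all' if net is None else net}"
    return "allow", "(no rule matched)"

def smallest_covering(net, client):
    """Diagnostic only: widen net one bit at a time until it contains client."""
    addr = ipaddress.ip_address(client)
    while addr not in net:
        net = net.supernet()
    return net

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for client in ("10.48.11.9", "10.48.0.77"):  # first is from the log, second is constructed
        print(client, "->", evaluate(rules, client))
    net = rules[1][1]
    print(net, "spans", net[0], "-", net[-1])
    print("prefix that would reach 10.48.11.9:", smallest_covering(net, "10.48.11.9"))
```

The covering prefix only measures how far the rule is from the logged client; the range to allow should come from the addresses the cluster actually assigns.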