Allow/Deny rules in Location block

Reinis Rozitis r at
Tue Jan 24 16:56:05 UTC 2023

> There are other locations like /auth, /auth/, /auth/admin, /auth/admin/ and few more which have the same rules. I am trying to restrict access to /auth and /auth/admin which are sensitive for public access. Do you think removing "=" can help in this case? 

'=' in location definition means that nginx will use it only on exact uri match.

if you have location = /auth {} but client requests /auth/admin (unless you have also location = /auth/admin) then that particular location configuration won't be used and will match the 'location / {}' which in your configuration sample was proxied without any deny rules.

By removing the '=' it means all the /auth, /auth/* requests will be processed in that location.

Good to also check the documentation on it


More information about the nginx mailing list