how to restrict access to directory and subdirs

Question

I need to restrict access to any files or subdirs in direstory "testdir". My conf:

...
location ~* ^.+\.(jpg|txt)$ {
            root   /var/www/site;
        }
location /testdir {
        deny all;
        return 404;
        }
...

In my configuration I have no restrictions on /testdir/jpg_or_txt-files. How to do it?

Note, in my experience, the location function only works properly when running nginx on linux. When running on windows, we had trouble with this not working ... — Jonesome Reinstate Monica, Jan 07 '15 at 04:41

score 54 · Answer 1 · answered Feb 08 '11 at 14:55

54

to restrict access to multiple directories in nginx in one location entry do

...
location ~ /(dir1|dir2|dir3) {
   deny all;
   return 404;
}
...

answered Feb 08 '11 at 14:55

DavidR.

549
4
2

9

You should return 403 and not 404. – Stillmatic1985 Apr 09 '15 at 08:47
12

This doesn't answer the question at all. – Oct 21 '15 at 22:31
3

returning 403 gives a hint that the folder exists, a 404 gives no evidence of the folder existing at all – Don Wilson May 29 '19 at 18:46
1

Most of all it doesn't really make sense to first deny and then return 404, does it? The deny should already block the request and if you want to return 404, the statement `return 404` should be sufficient. – Stefan Fabian Nov 22 '19 at 08:59
This rule will not only forbid access to the dir1, dir2 and dir3 locations but to any location containing dir1, dir2 or dir3, for example dir1xxx would be forbidden. – Sergio Prats Jul 06 '22 at 10:44
In order to forbid only the exact folder, you can use location ~ "/(dir1/|dir2/|dir3/)" – Sergio Prats Jul 06 '22 at 10:59

score 25 · Answer 2 · answered May 05 '10 at 18:31

25

It's because the "root" directive matches before the "deny" directive can be matched. Reverse the order of your directives and it should work:

...
location /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}
...

answered May 05 '10 at 18:31

Guillaume Filion

967
1
10
13

This is not how nginx works. It first matches prefixes, remembers the longest match and after that checks the regex’s. When it finds a matching regex, it will use that (without checking any of the other) if it finds none, it’ll use the remembered prefix location – RemyNL Dec 05 '19 at 13:19

score 18 · Answer 3 · edited Jul 22 '16 at 19:29

To ensure that the testdir match is chosen instead of the jpg/txt match, use the following locations:

location ^~ /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}

In your example, you have two types of locations. location /testdir is a prefix location, as it has no tilde (~) between location and /testdir.

location ~* ^.+\.(jpg|txt)$ is a regex location (a case-insensitive one, due to the * directly after the tilde). From the nginx documentation:

To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.

The problem here, is that your testdir location is being remembered, but then the jpg/txt location is selected during the regex stage, as it matches. The following note from the documentation is what I based my solution (given above) upon:

If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.

RemyNL · Answer 4 · 2014-09-18T08:07:32.527

13

location /foo {
    deny all;
    return 404;
}

This will give you a 403 all the time because of the deny all... When you want the server to give you a 404 just only return a 404... like so:

location /foo {
    return 404;
}

edited Sep 18 '14 at 08:07

answered Sep 01 '14 at 14:32

RemyNL

260
2
5

how to restrict access to directory and subdirs

4 Answers4