51

I need to restrict access to any files or subdirs in direstory "testdir". My conf:

...
location ~* ^.+\.(jpg|txt)$ {
            root   /var/www/site;
        }
location /testdir {
        deny all;
        return 404;
        }
...

In my configuration I have no restrictions on /testdir/jpg_or_txt-files. How to do it?

4 Answers4

54

to restrict access to multiple directories in nginx in one location entry do

...
location ~ /(dir1|dir2|dir3) {
   deny all;
   return 404;
}
...
DavidR.
  • 549
  • 4
  • 2
25

It's because the "root" directive matches before the "deny" directive can be matched. Reverse the order of your directives and it should work:

...
location /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}
...
Guillaume Filion
  • 967
  • 1
  • 10
  • 13
  • This is not how nginx works. It first matches prefixes, remembers the longest match and after that checks the regex’s. When it finds a matching regex, it will use that (without checking any of the other) if it finds none, it’ll use the remembered prefix location – RemyNL Dec 05 '19 at 13:19
18

To ensure that the testdir match is chosen instead of the jpg/txt match, use the following locations:

location ^~ /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}

In your example, you have two types of locations. location /testdir is a prefix location, as it has no tilde (~) between location and /testdir.

location ~* ^.+\.(jpg|txt)$ is a regex location (a case-insensitive one, due to the * directly after the tilde). From the nginx documentation:

To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.

The problem here, is that your testdir location is being remembered, but then the jpg/txt location is selected during the regex stage, as it matches. The following note from the documentation is what I based my solution (given above) upon:

If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.

Joe A
  • 190
  • 1
  • 9
13
location /foo {
    deny all;
    return 404;
}

This will give you a 403 all the time because of the deny all... When you want the server to give you a 404 just only return a 404... like so:

location /foo {
    return 404;
}
RemyNL
  • 260
  • 2
  • 5