nginx Block IP based on URI in one 'location'

Question

There is currently a block of one location /

  location / {
    root  /var/www/docs;
    proxy_pass  http://backend;
    proxy_buffering     on;
    proxy_buffer_size   64k;
    proxy_buffers       256   64k;
  }

that needs to be filtered by IP.

Ideally, in order to reduce the number of repetitions of the same directives in location, I would like to perform the test within the location block

  location / {

    if ($uri ~ '^/(abc|def|ghi)') {
        allow 10.0.0.0/8;
        allow 1.2.3.4;
        deny all;
    }

    root  /var/www/docs;
    proxy_pass  http://backend;
    proxy_buffering     on;
    proxy_buffer_size   64k;
    proxy_buffers       256   64k;
  }

Unfortunately, it seems the allow/deny directives cannot be used within a if block.

"allow" directive is not allowed here in /etc/nginx/sites-enabled/mysite:20

Is there an elegant way to perform the test without repeating the location blocks?

(like

  location ~ /(abc|def|ghi) {

        allow 10.0.0.0/8;
        allow 1.2.3.4;
        deny all;

        ... 5 other lines root,proxy...
   }

  location  / {

        ... 5 other lines root,proxy...
   }

)

score 8 · Accepted Answer · answered Apr 04 '13 at 11:01

Like coredump said, no, use multiple locations.

But it is possible to make the contents of the location blocks less repetitive. The key here is a named location block which contains the root and proxy_... directives.

For example:

location / {
  try_files $uri @proxy;
}
location ~ /(abc|def|ghi) {
  allow 10.0.0.0/8;
  allow 1.2.3.4;
  deny all;

  try_files $uri @proxy;
}
location @proxy {
  root  /var/www/docs;
  proxy_pass  http://backend;
  proxy_buffering     on;
  proxy_buffer_size   64k;
  proxy_buffers       256   64k;
}

And probably even better would be to place the root directive outside all the location blocks.

manyk · Answer 2 · 2016-05-09T19:54:33.153

5

First you have to define a variable that will hold your IP filters. This goes into the http section of the nginx config:

map $remote_addr (or $http_x_forwarded_for if behind a proxy) $allowed {
        default deny;
        ~\s*111.222.333.444$ allow;
        ~\s*333.444.555.*$   allow;
    }

then in the server section you write the if construct and filter the access location by the contents of the variable $allowed:

location / {
        if ( $allowed = "deny" ) { return 403; }
        #...
    }

edited May 09 '16 at 19:54

answered May 06 '16 at 03:08

manyk

51
1
2

Welcome to Server Fault! It looks like you may have the knowledge to provide good Answer here, but please consider reading [How do I write a good Answer?](http://serverfault.com/help/how-to-answer) in our help center and then revise the Answer. Your Commands/Code/Settings may technically be the solution but some explanation is welcome. Thanks in advance. – HBruijn May 06 '16 at 09:02
I am surprised this answer only got 1 vote, it should have loads of them. That's the most easy (and it's not a hack) way to do it! – Mahmoud Khateeb Aug 22 '17 at 15:11
@MahmoudKhateeb I am not very knowledgeable on Nginx but isn't using "if" within the location block discouraged? Or is it okay in this context because they are explicitly returning something? – joshmcode Oct 16 '18 at 16:34

cadmi · Answer 3 · 2013-04-04T11:39:10.543

Usually in such cases can help "nested locations" ...

location / {
   root /var/www/docs;
   allow all;

   location /admin {
       deny 1.2.3.4;
   }

}

... but not all directives inherited in nested locations. Sadly, but exactly proxy_pass, fastcgi_pass and similar are not inherited... So solution proposed earlier (with @namedlocation) is correct in this case. You can also use a directive include for "proxy_pass block", of course.

score 2 · Answer 4 · answered Apr 01 '11 at 03:11

2

No. Use multiple locations, it may look ugly but you will end with less chance of if craziness.

Also remember that nginx processes first the regex matches and if none matches it tries the most specific literal location, being location / kind of a catch all location. Knowing that you can maybe diminish the number of locations you need. Take a look at this doc to see how requests are processed.

answered Apr 01 '11 at 03:11

coredump

12,573
2
34
53

Thanks. The *if craziness* looks like a nginx bug... Repeating the `location` directives ad nauseum for each case is contrary to the most elementary programming concepts. But it sounds like there no choice :-( – Déjà vu Apr 01 '11 at 03:42
Remember that `nginx` is a web server not a programming language :) On apache you would end with something close :) – coredump Apr 01 '11 at 03:55
I studied a bit the code of nginx, as it is a performance example. One thing I liked about nginx, is that it stands pretty far from apache... I don't think there (should be) is a separation between programming languages and configuration scripts. Unfortunately, long time existing tools like apache seem to show the way. – Déjà vu Apr 01 '11 at 04:13
@ring I don't know, I like that you could not do what you wanted. It would be easier, but it would be harder to read and it could get very messy in some cases (not yours, but allowing it would open the doors to hell :)) – coredump Apr 01 '11 at 04:15

nginx Block IP based on URI in one 'location'

4 Answers4