Chapter 6
Restricting access
In the previous section, we explored ways to limit abusive access to websites running
under NGINX. Now we will take a look at ways to restrict access to a whole website
or certain parts of it. Access restriction can take two forms here: restricting to a
certain set of IP addresses, or restricting to a certain set of users. These two methods
can also be combined to satisfy requirements that some users can access the website
either from a certain set of IP addresses or if they are able to authenticate with a valid
username and password.
The following directives will help us achieve these goals:
Table: HTTP access module directives

Directive               Explanation
allow                   Allows access from this IP address, network, or all.
auth_basic              Enables authentication using HTTP Basic Authentication. The parameter string is used as the realm name. If the special value off is used, this indicates that the auth_basic value of the parent configuration level is negated.
auth_basic_user_file    Indicates the location of a file of username:password:comment tuples used to authenticate users. The password field needs to be encrypted with the crypt algorithm. The comment field is optional.
deny                    Denies access from this IP address, network, or all.
satisfy                 Allows access if all or any of the preceding directives grant access. The default value all indicates that a user must come from a specific network address and enter the correct password.
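How the directives in this table combine across configuration levels, as an added example that is not from the original text. The host name, the 192.168.1.0/24 network, the /reports and /public locations, and the password file path are all assumptions.

```nginx
server {
    listen 80;
    server_name example.com;                    # assumed host name

    # Site-wide default: both checks must pass (satisfy all is the default value).
    satisfy all;
    allow 192.168.1.0/24;                       # assumed internal network
    deny  all;                                  # rules are checked in order; the first match wins
    auth_basic           "Restricted site";     # the string is the realm name
    auth_basic_user_file /etc/nginx/htpasswd;   # assumed path; username:password:comment lines

    location /reports {
        # Either check is enough here: clients on the internal network are
        # let in without a password, everyone else must authenticate.
        # The allow/deny and auth_basic settings are inherited from the server level.
        satisfy any;
    }

    location /public {
        # Lift both inherited restrictions for this part of the site.
        allow all;          # replaces the inherited allow/deny rules at this level
        auth_basic off;     # negates the auth_basic value of the parent level
    }
}
```

Running nginx -t after editing checks the syntax before the configuration is reloaded.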
To restrict access to clients coming from a certain set of IP addresses, the allow and
deny directives can be used as follows:
location /stats {
allow 127.0.0.1;