NginX: How to deny IP on http level, but allow all on some server levels?

Jack Watts

3/13/23, 3:31 AM

I have Nginx with many defined "services" (websites). I would like to deny access to all of them for lots of IP addresses (mostly international), but at the same time I want to "allow" unrestricted access to some publicly accessible websites. Is it possible to do that with the free Nginx for Windows?

Here's the structure of my config file:

http {
    # common statements here;
    server {
        server_name   publicsite.web;
        # some settings;
        allow all;
    }

    deny    1.0.0.0/8;
    deny    2.0.0.0/8;
    # everything below should be denied to the listed IP's 

    server {
        server_name   privatesite1.domain.web;
        # some settings;
    }
    server {
        server_name   privatesite99.web;
        # some settings;
    }
}

I tried configuration like that, but the "publicsite.web" gets denied for IP's listed below its server{} block, I guess because they are on http level, even though they're listed below.

I understand that the easiest option would be to list all "deny" IP's in a separate file (which by the way already is) and include them inside of every server{} block which should honor the denying. Giving that there might be up to a hundred of those server{} blocks and more than hundred of deny IP subnet blocks, I'm afraid that the configuration might become to complex and bulky, affecting the server performance.

Is there a better option than including the same list of denied IP's in every server{} block?

106

0 + 0

nginx

Paul

3/13/23, 3:49 AM

What happens if you add a `location` block with regex or `=` to the first `server` block?

djdomi

3/13/23, 11:32 AM

eqch server block is a separate item,hence no

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: NginX: How to deny IP on http level, but allow all on some server levels?

TH: NginX: วิธีปฏิเสธ IP ในระดับ http แต่อนุญาตทั้งหมดในบางระดับเซิร์ฟเวอร์

RO: NginX: Cum să refuzi IP-ul la nivel http, dar să le permiti pe toate la unele niveluri de server?

RU: NginX: как запретить IP на уровне http, но разрешить все на некоторых уровнях сервера?

VI: NginX: Làm cách nào để từ chối IP ở cấp độ http, nhưng cho phép tất cả ở một số cấp độ máy chủ?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.