[FIXED] How to restrict ip access in nginx

Issue

I want to restrict access by IP for specific php file in Nginx reverse_proxy. so in my virtual host path /etc/nginx/sites-available/sub.mydmn.com I have the following configs:

server {
    server_name wwww.sub.mydmn.com sub.mydmn.com;
    root /home/mydmn/;

    access_log off;

    # Static contents
    location ~* ^.+.(png|mp4|jpeg)$ {
        expires max;
    }

    # Limit IP access
    location = /mine.php {
        allow <MyIP_Here>;
        deny all;
        return 404;
    }

    # Dynamic content, forward to Apache
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Deny server with IP access!
server {
    listen 80 default_server;
    server_name _;
    location / {
    return 403;
    }
}

But when I start the server, Nginx blocks all IPs for mine.php. What is the problem?

Solution

Nginx chooses a single location block to process a request (see this document). Your location = /mine.php block, not only returns a 403 status if the IP address is denied, but also returns a 404 status if the IP address is allowed. You need the request to be handled by the service on port 8080 if the IP address is allowed.

One solution is to duplicate the statements from the location / block.

For example:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

location = /mine.php {
    allow ...;
    deny all;
    proxy_pass http://127.0.0.1:8080;
}
location / {
    proxy_pass http://127.0.0.1:8080;
}

Note that proxy_set_header statements can be moved into the outer block so that they are inherited by both blocks. See this document for details.

Answered By - Richard Smith

Answer Checked By - Marie Seifert (PHPFixing Admin)