Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
nginx
GitHub Repository: nginx/nginx.org
 Path: blob/main/xml/en/docs/http/ngx_http_access_module.xml
1 views
1
<?xml version="1.0"?>

2


3
<!--

4
  Copyright (C) Igor Sysoev

5
  Copyright (C) Nginx, Inc.

6
  -->

7


8
<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

9


10
<module name="Module ngx_http_access_module"

11
        link="/en/docs/http/ngx_http_access_module.html"

12
        lang="en"

13
        rev="5">

14


15
<section id="summary">

16


17
<para>

18
The <literal>ngx_http_access_module</literal> module allows

19
limiting access to certain client addresses.

20
</para>

21


22
<para>

23
Access can also be limited by

24
<link doc="ngx_http_auth_basic_module.xml">password</link>, by the

25
<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,

26
or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.

27
Simultaneous limitation of access by address and by password is controlled

28
by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.

29
</para>

30


31
</section>

32


33


34
<section id="example" name="Example Configuration">

35


36
<para>

37
<example>

38
location / {

39
    deny  192.168.1.1;

40
    allow 192.168.1.0/24;

41
    allow 10.1.1.0/16;

42
    allow 2001:0db8::/32;

43
    deny  all;

44
}

45
</example>

46
</para>

47


48
<para>

49
The rules are checked in sequence until the first match is found.

50
In this example, access is allowed only for IPv4 networks

51
<literal>10.1.1.0/16</literal> and <literal>192.168.1.0/24</literal>

52
excluding the address <literal>192.168.1.1</literal>,

53
and for IPv6 network <literal>2001:0db8::/32</literal>.

54
In case of a lot of rules, the use of the

55
<link doc="ngx_http_geo_module.xml">ngx_http_geo_module</link>

56
module variables is preferable.

57
</para>

58


59
</section>

60


61


62
<section id="directives" name="Directives">

63


64
<directive name="allow">

65
<syntax>

66
    <value>address</value> |

67
    <value>CIDR</value> |

68
    <literal>unix:</literal> |

69
    <literal>all</literal></syntax>

70
<default/>

71
<context>http</context>

72
<context>server</context>

73
<context>location</context>

74
<context>limit_except</context>

75


76
<para>

77
Allows access for the specified network or address.

78
If the special value <literal>unix:</literal> is specified (1.5.1),

79
allows access for all UNIX-domain sockets.

80
</para>

81


82
<para>

83
Several <literal>allow</literal> directives can be specified on the same level.

84
These directives are inherited from the previous configuration level

85
if and only if there are no <literal>allow</literal> and

86
<literal>deny</literal> directives defined on the current level.

87
</para>

88


89
</directive>

90


91


92
<directive name="deny">

93
<syntax>

94
    <value>address</value> |

95
    <value>CIDR</value> |

96
    <literal>unix:</literal> |

97
    <literal>all</literal></syntax>

98
<default/>

99
<context>http</context>

100
<context>server</context>

101
<context>location</context>

102
<context>limit_except</context>

103


104
<para>

105
Denies access for the specified network or address.

106
If the special value <literal>unix:</literal> is specified (1.5.1),

107
denies access for all UNIX-domain sockets.

108
</para>

109


110
<para>

111
Several <literal>deny</literal> directives can be specified on the same level.

112
These directives are inherited from the previous configuration level

113
if and only if there are no <literal>allow</literal> and

114
<literal>deny</literal> directives defined on the current level.

115
</para>

116


117
</directive>

118


119
</section>

120


121
</module>

122


123