Deny in http {}, get 500 response, how to log this?

Hi All,

I’m using deny to deny some IPs for my server.

http {
    deny 192.168.1.123;   # this is an example

    server {

        error_page  403 /error/403.htm;
        error_page  404 /error/404.htm;
        error_page  502 /error/502.htm;
        error_page  503 /error/503.htm;

        location = /error/403.htm {
            index 403.htm;
            access_log /var/log/403.log  main;
        }

        # dot before the extension escaped so it matches a literal "."
        location ~* ^/(data|image)/.*\.(php|php5)$ {
            deny all;
        }

    }
}

I found that if 192.168.1.123 accesses my server, since this IP is blocked in
http {}, it gets a 500 response.
And if someone (IP not blocked) tries to access my data/*.php, he gets a
403 response.

And all these 500 and 403 responses are put into my 403.log.

Is it possible to put the 500 responses into a separate log? Then my 403 log
will only log those who are trying to access the protected files.

I understand that if I put “deny IP” into server {}, it will get a 403
response. But I want to deny some IPs at the whole-server level.

Thanks

Posted at Nginx Forum:

Hello!

On Mon, Mar 28, 2016 at 03:54:40AM -0400, meteor8488 wrote:

> error_page  403 /error/403.htm;
>   deny all;
> }
>
> }
>
> I found that if 192.168.1.123 accesses my server, since this IP is blocked in
> http {}, it gets a 500 response.
> And if someone (IP not blocked) tries to access my data/*.php, he gets a
> 403 response.
>
> And all these 500 and 403 responses are put into my 403.log.

That’s because all of the requests are redirected to /error/403.htm
by the error_page directive, and you have logging to 403.log
configured in the corresponding location.

The 500 error code is logged for requests from blocked IPs
because:

  • the “deny” rule also applies in the location /error/403.htm, hence the
    403 error is triggered again;

  • you have recursive_error_pages
    (Module ngx_http_core_module) enabled somewhere in your
    configuration, and your configuration causes a redirect loop, which
    in turn results in error 500 after 10 iterations.

To resolve the redirect loop, consider using “allow all” in the
location /error/403.htm.

> Is it possible to put the 500 responses into a separate log? Then my 403 log
> will only log those who are trying to access the protected files.

Yes. You can configure different error pages for protected files
and the rest of the site, and log them separately. E.g.:

deny 192.168.1.123;

# default 403 page for the site, used by the IP-level deny
error_page 403 /error/403.nolog.htm;

location = /error/403.htm {
    allow all;                  # override the inherited deny, no loop
    access_log /path/to/403.log;
}

location = /error/403.nolog.htm {
    allow all;
    alias /error/403.htm;       # same page under a different URI
    access_log off;
}

location /protected/ {
    deny all;
    error_page 403 /error/403.htm;   # only these 403s reach 403.log
}

> I understand that if I put “deny IP” into server {}, it will get a 403
> response. But I want to deny some IPs at the whole-server level.

No, there is no difference between “deny” specified at http{} or
server{} level.


Maxim D.
http://nginx.org/
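The following is an added, complete configuration illustrating the points of the reply above; it is not Maxim's or the poster's own config. It keeps the http{}-level deny, breaks the deny/error_page loop with “allow all” in the error locations, sends 403s for the protected scripts to their own log, and additionally routes any 5xx response to a separate file using a map on $status with the access_log “if=” parameter (available since nginx 1.7.0). Document root, IP address and log file paths are assumptions chosen for the example.

```nginx
http {
    log_format main '$remote_addr - [$time_local] "$request" $status '
                    '"$http_user_agent"';

    # Default value, set explicitly: an error raised while serving an
    # error page is returned as-is instead of being redirected again.
    recursive_error_pages off;

    # Server-wide IP ban (example address from the original post).
    deny 192.168.1.123;

    # "1" only for 5xx responses; evaluated when the access log is written.
    map $status $is_5xx {
        ~^5     1;
        default 0;
    }

    server {
        listen 80;
        root /var/www/html;   # assumed document root

        # Default 403 page: used by the http{}-level deny, not logged.
        error_page 403 /error/403.nolog.htm;

        # Normal traffic goes to access.log; every 5xx additionally
        # goes to 500.log, whichever location produced it.
        access_log /var/log/nginx/access.log main;
        access_log /var/log/nginx/500.log    main if=$is_5xx;

        location = /error/403.nolog.htm {
            allow all;                          # banned IP must reach the page
            alias /var/www/html/error/403.htm;  # same file, different URI
            access_log off;
        }

        location = /error/403.htm {
            allow all;                          # breaks the deny -> error_page loop
            access_log /var/log/nginx/403.log main;
        }

        # Protected scripts: independent of the IP ban; their 403s land in 403.log.
        location ~* ^/(data|image)/.*\.(php|php5)$ {
            deny all;
            error_page 403 /error/403.htm;
        }
    }
}
```

With this layout, 403.log contains only requests for the protected scripts, the banned address produces a 403 that is not logged at all, and anything that still ends in a 500 (for example a redirect cycle hitting the 10-redirect limit) is recorded in 500.log where it can be reviewed separately.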

Maxim D. Wrote:

Thanks for your quick response.
It’s quite clear and easy to understand!
Thanks again

Posted at Nginx Forum: