Global denial for certain IPs or agents?

Hi all,

I’ve got Nginx on a Debian server, hosting two sites (two subdomains of my work’s website). I want to limit both, and any future subdomains, to only intranet addresses. I also saw access logs this morning from a Chinese web spider which I want to block. I know how to do this, but how can I do it globally? Currently I have to put the rules in each site’s configuration file, which is duplicating, which I’d like to avoid. I tried adding this to the main conf file, but I’m not sure what to put for the “listen” and other variables given that this isn’t a server, it’s a rule I want applied to all servers. Is this doable? If so, what’s the process? Thanks.

Hi Alex

this might be an inspiration for your task:

cheers,

mex


Thanks. That page says that, to do the actual returning of the 4xx error, you must go to your site’s configuration, not the global conf file. Am I reading that right? Is the easiest way to set my own variable in the main conf file, based on IP, then just do a check for that variable in each site’s file? Or is there another way?

On Tue, May 10, 2016 at 09:42:26AM -0400, Alex H. wrote:

Hi there,

> I know how to do this, but how can I do it
> globally? Currently I have to put the rules in each site’s configuration
> file, which is duplicating, which I’d like to avoid.

Module ngx_http_access_module says “Context: http, server, location,
limit_except”.

So you can put your allow (and deny) directives at “http” level,
and they will inherit into the appropriate location{} block (unless
overridden elsewhere).

(Or you could block access outside of nginx, by using a firewall or
other network control device.)

f

Francis D.
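
An added example, not part of Francis's message or the nginx documentation: a configuration fragment that puts the intranet allow list at http level as described above, and handles the spider with the variable approach Alex asks about. The address ranges, server names, paths and the ExampleSpider agent string are assumptions made up for illustration.

```nginx
# /etc/nginx/nginx.conf (fragment; all addresses and names are constructed)
http {
    # Access rules at http level are inherited by every server{} and
    # location{} that declares no allow/deny of its own.
    allow 10.0.0.0/8;        # assumed intranet range
    allow 192.168.0.0/16;    # assumed intranet range
    deny  all;

    # map is only valid at http level, so the agent list lives here once.
    map $http_user_agent $blocked_agent {
        default            0;
        ~*ExampleSpider    1;   # hypothetical crawler name
    }

    server {
        listen 80;
        server_name site1.example.com;
        # No allow/deny here: the http-level rules apply.
        # "if" is not valid at http level, so the check is per server.
        if ($blocked_agent) { return 403; }
        root /var/www/site1;
    }

    server {
        listen 80;
        server_name site2.example.com;
        if ($blocked_agent) { return 403; }
        root /var/www/site2;

        location /status {
            # Declaring any allow/deny here replaces the inherited list
            # for this location, so end with deny all explicitly.
            allow 10.1.2.3;
            deny  all;
        }
    }
}
```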

you could also include one file at all relevant places.

nginx.conf:

  server {
    # settings for server1
    include /path/to/include.file;
  }
  server {
    # settings for server2
    include /path/to/include.file;
  }

/path/to/include.file:

  # nginx takes the address or CIDR directly (no "from" keyword)
  allow ip1;
  allow cidr2;
  deny all;

Andreas

Hi Alex,

you can do it that way or use something like this
inside your server {} block:

  allow IP1;
  allow IP2;
  allow IP3;

  deny all;

http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
