How to block IP and IP range in Nginx

Written in front

Nginx is not just a reverse proxy and load balancing server, it can also provide many powerful functions, such as: current limiting, caching, blacklist and whitelist, grayscale publishing, etc. In previous articles, we have introduced these features provided by Nginx. Friends can go to [Nginx Special Topic] for reference. Today, we will introduce another powerful feature of Nginx: disabling IP and IP range.

Disable IP and IP range

Nginx's ngx_http_access_module module can block the IP or IP segment in the configuration. The syntax is as follows:

deny IP;
deny subnet;
allow IP;
allow subnet;
# block all ips
deny all;
# allow all ips
allow all;

If there is a conflict between rules, the first matching rule will prevail.

Configure and disable IP and IP segments

The following instructions assume that the nginx directory is in /usr/local/nginx/.

First, create a configuration file blockips.conf for blocking IP, then edit this file with vi blockips.conf and enter the IP to be blocked in the file.

deny 1.2.3.4;
deny 91.212.45.0/24;
deny 91.212.65.0/24;

Then save this file, open the nginx.conf file, and add the following line of configuration in the http configuration section:

include blockips.conf;

Save the nginx.conf file, and then test whether the current nginx configuration file is valid:

/usr/local/nginx/sbin/nginx -t

If there is no problem with the configuration, it will output:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

If there is a problem with the configuration, you need to check where the syntax problem is. If there is no problem, you need to execute the following command to let nginx reload the configuration file.

/usr/local/nginx/sbin/nginx -s reload

Only allow intranet ip

How to ban all external IPs and only allow internal IPs?

The following configuration file

location / {
 # block one workstation
 deny 192.168.1.1;
 # allow anyone in 192.168.1.0/24
 allow 192.168.1.0/24;
 # drop rest of the world
 deny all;
}

In the above configuration, 192.168.1.1 is prohibited, other intranet segments are allowed, and then deny all prohibits all other IPs.

Formatting nginx's 403 page

How to format nginx's 403 page?

First execute the following command:

cd /usr/local/nginx/html
vi error403.html

Then enter the file content of 403, for example:

<html>
<head><title>Error 403 - IP Address Blocked</title></head>
<body>
Your IP Address is blocked. If you this an error, please contact binghe with your IP at [email protected]
</body>
</html>

If SSI is enabled, the blocked client IP address can be displayed in 403, as follows:

Your IP Address is <!--#echo var="REMOTE_ADDR" --> blocked.

Save the error403 file, then open the nginx configuration file vi nginx.conf, and add the following content in the server configuration section.

# redirect server error pages to the static page
 error_page 403 /error403.html;
 location = /error403.html {
     root html;
 }

Then save the configuration file and test whether the configuration file is correct by using the nginx -t command. If correct, load the configuration by using nginx -s reload.

This is the end of this article about how to block IP and IP segments in Nginx. For more information about how to block IP and IP segments in Nginx, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!