Nginx deny/allow IP access to file dynamically - on the fly

Question

I have a directory (/var/www/private/). In this directory are three files (1.txt, 2.txt, 3.txt).

I want to deny access for everyone to this entire directory and the three files, however sometimes I want to grant access to a specific IP and a specific file in that directory.

In a file, "block.conf" I will list the file and IP address that access is granted to. I need nginx to read this file and deny/allow access accordingly (without needing to reload nginx every time the file is changed).

For example in block.conf:

#denies access to all files in private directory
location /private { 
   deny all;
}

#allows below IP access to 2.txt
location /private/2.txt {
   allow 5.3.7.0;
}

#allows below IP addresses access to 1.txt
location /private/1.txt {
   allow 3.5.7.2;
   allow 9.7.2.2
}

The location and IP addresses in block.conf file will be edited frequently with PHP, and I want nginx to deny/allow access accordingly to the file.

I figured this would be easy to implement, but there are some problems:

• nginx reads the block.conf only once on startup, not allowing me to modify access dynamically (without reloading nginx)
• the location directive cannot be in the block.conf file, not allowing me to set access to specific files

If this is not possible with nginx's access mod, then how can I do it? If nginx cannot do it, is there other software that can?

Answer 1

The only way I can think of would be to create a nginx configuration snippet, update it, and have a cron script running as root that would occasionally poll this snippet and reload nginx if it's changed.

Unlike Apache, nginx configuration isn't rebuilt on every request.