Reputation: 1081
Nginx location to restrict by IP returning 404
I have a file and a directory, both located inside of document root, that I need to restrict access to based on the requesting IP address. Here is the location configuration I have set up (actual paths and IPs swapped for sample ones):
server {
server_name example.com;
location ~* /(file.php|directory) {
allow 1.1.1.10;
allow 2.2.2.11;
deny all;
}
}
My Nginx instance is behind CloudFlare, so I've set up the following rules inside the http block of my Nginx config:
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
real_ip_header CF-Connecting-IP;
My access log shows that the IP address is being set properly based on that configuration.
The Nginx instance is being used as a load balancer, handing off requests to a set of Apache servers upstream. That upstream works properly, using the following location configuration:
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
proxy_set_header CF-Ipcountry $http_cf_ipcountry;
proxy_set_header CF-Ray $http_cf_ray;
proxy_set_header Cf-Visitor $http_cf_visitor;
proxy_pass http://web;
}
My IP restriction location rule is above the location / rule in the config file.
Here's the issue: whenever I make a request to one of the IP-restricted paths, both from an IP that should be permitted as well as a blocked one, I get a 404 response. The requesting IP does not affect this response.
I am expecting a 403 response when requesting from a blocked IP. I have tested this same location configuration on a different server that handles files directly instead of passing them to an upstream and it works as expected, even behind CloudFlare with the same real IP settings.
What else do I need to do for this restriction to work properly?
Upvotes: 2
Views: 4589
Answers (1)
Reputation: 49692
The problem is that you have misunderstood how nginx processes location blocks. See this document for an overview.
You will need to place a proxy_pass directive in every location block that needs to perform that function. The proxy_set_header directives can be inherited from the outer block. For example:
server {
server_name example.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
proxy_set_header CF-Ipcountry $http_cf_ipcountry;
proxy_set_header CF-Ray $http_cf_ray;
proxy_set_header Cf-Visitor $http_cf_visitor;
location ~* /(file.php|directory) {
allow 1.1.1.10;
allow 2.2.2.11;
deny all;
proxy_pass http://web;
}
location / {
proxy_pass http://web;
}
}
Upvotes: 1
Related Questions
- nginx + vault in docker reverse proxy
- Node.js + Nginx - What now?
- How to point many paths to proxy server in nginx
- How to identify realip from two proxies? (nginx)
- Express - req.ip returns 127.0.0.1
- NodeJS + Nginx + Cloudflare
- Ngnix Jsession changed redirection issue
- svn using nginx Commit failed: path not found