Access#

The module controls access to server resources based on client IP addresses or networks. It allows to permit or block specific IPs, IP ranges, or UNIX domain sockets to enhance security by restricting access to sensitive areas of a website or application.

Access can also be restricted by using a password with the Auth Basic module or based on the result of a subrequest with the Auth Request module. To apply both address and password restrictions at the same time, use the satisfy directive.

Configuration Example#

location / {

    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;
}

Rules are evaluated sequentially until a match is found. In this example, access is allowed only for the IPv4 networks 10.1.1.0/16 and 192.168.1.0/24, excluding the specific address 192.168.1.1, and for the IPv6 network 2001:0db8::/32. When there are many rules, it is preferable to use variables from the Geo module.

Directives#

allow#

Syntax	`allow` address \| CIDR \| `unix:` \| `all`;
Default	—
Context	http, server, location, limit_except

Allows access for a specified network or address. The special value all means all client IPs.

Added in version 1.5.1: The special value unix: allows access for any UNIX domain sockets.

deny#

Syntax	`deny` address \| CIDR \| `unix:` \| `all`;
Default	—
Context	http, server, location, limit_except

Denies access for a specified network or address. The special value all means all client IPs.

Added in version 1.5.1: The special value unix: denies access for any UNIX domain sockets.