Restricting Access
Restricting access means controlling who can access your application, what they can access, and from where.
In NGINX, access restrictions are typically enforced at the edge (before traffic reaches your application), which provides:
- A single enforcement point that does not depend on every backend route checking access correctly
- Better performance, since denied requests are answered with a 403 by the proxy
- Reduced backend load, because blocked, throttled and unauthenticated requests never reach application code
Why Access Restriction Is Important (Security Perspective)
Restricting access helps prevent:
- Unauthorized access
- Data leakage
- Brute-force attacks
- Internal admin panel exposure
- Abuse from unknown networks
- Compliance violations
IP-Based Access Control (allow / deny)
Basic IP Restriction
location /admin/ {
allow 192.168.1.0/24;
deny all;
}
| Rule | Meaning |
|---|---|
| allow 192.168.1.0/24 | Permit the internal network |
| deny all | Block everyone else |
- Rules are checked in order and the first match wins, so deny all must come last; putting it before the allow blocks everyone
- A client that no rule matches is allowed, which is why a closing deny all is needed
- Not suitable for paths public users must reach; use it for admin and internal endpoints
Allow Specific IPs Only
location /secure-api/ {
allow 203.0.113.10;
allow 203.0.113.11;
deny all;
}
Works well for internal services or partners with fixed egress addresses; keep the list short and review it whenever a partner changes addresses, since a stale entry silently grants access to whoever inherits the IP
Restricting Access by Country (GeoIP)
Example: Block All Except One Country
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
BD yes;
}
server {
if ($allowed_country = no) {
return 403;
}
}
- Useful for region-restricted services
- Requires ngx_http_geoip_module (built with --with-http_geoip_module) and a MaxMind country database; the third-party GeoIP2 module uses different directives
- The geo directive maps IP ranges to values and knows nothing about countries; country decisions need $geoip_country_code from the geoip module, fed into a map as above
- Not a security boundary: VPNs, proxies and stale databases put clients in the wrong country, so use it to cut noise, not as the only control
Authentication-Based Access Control
HTTP Basic Authentication
location /private/ {
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
- The browser prompts for a username and password and resends them (Base64-encoded, not encrypted) on every request, so this must only be used over HTTPS
- Credentials are stored hashed in the .htpasswd file
- Simple and good for internal tools; not ideal for public apps, because there is no lockout, session handling or MFA, so pair it with limit_req
Create .htpasswd
htpasswd -c /etc/nginx/.htpasswd admin
- htpasswd comes from apache2-utils (Debian/Ubuntu) or httpd-tools (RHEL/Fedora); -c creates the file and overwrites an existing one, so omit it when adding further users
- The default hash is MD5-based (apr1); prefer htpasswd -B for bcrypt, which NGINX accepts through the system crypt() on current Linux distributions
- Keep the file outside the web root and readable only by root and the NGINX worker user
Restricting Access Using Request Methods
Example: Allow Only GET & POST
location /api/ {
limit_except GET POST {
deny all;
}
}
- Allowing GET also allows HEAD; every other method (PUT, DELETE, OPTIONS, TRACE, ...) gets 403, so add OPTIONS if the API needs CORS preflight. The block may also contain allow/deny and auth_basic, e.g. to permit writes only from an internal range
Restricting Access Using Headers (API Keys)
location /api/ {
if ($http_x_api_key != "SECRET123") {
return 403;
}
}
- SECRET123 is a placeholder. $http_x_api_key is the X-Api-Key request header; a missing header compares as an empty string and is rejected, and the comparison is exact and case-sensitive
- This is one of the safe uses of if (it only returns), but the key sits in plaintext in nginx.conf, every client shares it and rotating it needs a reload. Use map for several keys, and only accept keys over HTTPS
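Comparing against a literal in nginx.conf works, but it leaves the key in the config file and in version control, cannot tell clients apart, and every rotation needs a reload. NGINX's auth_request directive hands the decision to a subrequest instead. The following is an added example, not code from the original page, of a minimal validation service that subrequest can call: it keeps only SHA-256 digests of keys, compares in constant time, and answers 204, 401 or 403 (NGINX treats a 2xx subrequest response as allowed and passes 401 and 403 to the client). The key store, the 127.0.0.1:9001 listener and the X-Auth-Client response header are assumptions for the illustration; the nginx-side configuration in the comment is assumed as well.

```python
import hashlib
import hmac
import http.server

# nginx side (assumed configuration, not from the original page):
#   location /api/ {
#       auth_request /auth;
#       auth_request_set $auth_client $upstream_http_x_auth_client;
#       proxy_set_header X-Client $auth_client;
#       proxy_pass http://backend;
#   }
#   location = /auth {
#       internal;
#       proxy_pass http://127.0.0.1:9001;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#   }

# Constructed key store: sha256(api key) -> client name. Only digests are
# kept, so a leaked store does not hand out usable keys. Example values only.
API_KEY_HASHES = {
    hashlib.sha256(b"example-key-partner-a").hexdigest(): "partner-a",
    hashlib.sha256(b"example-key-partner-b").hexdigest(): "partner-b",
}


def check_api_key(headers):
    """Decide an auth subrequest. Returns (status, client_name).

    204: key valid, nginx lets the original request through
    401: no key presented
    403: key unknown
    `headers` is any mapping with .get() (http.server's message object or a dict).
    """
    key = headers.get("X-Api-Key")
    if not key:
        return 401, None
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    matched = None
    # Check every entry and compare in constant time rather than returning on
    # the first hit, so response timing reveals neither a match nor its position.
    for stored_digest, client in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored_digest):
            matched = client
    if matched is None:
        return 403, None
    return 204, matched


class AuthHandler(http.server.BaseHTTPRequestHandler):
    # auth_request subrequests are always issued as GET and carry the
    # original request's headers, including X-Api-Key.
    def do_GET(self):
        status, client = check_api_key(self.headers)
        self.send_response(status)
        if client is not None:
            # Picked up by auth_request_set in the assumed nginx config
            self.send_header("X-Auth-Client", client)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The default log line would include the request; keep keys out of logs.
    def log_message(self, fmt, *args):
        return


if __name__ == "__main__":
    http.server.HTTPServer(("127.0.0.1", 9001), AuthHandler).serve_forever()
```

Run the service, then `curl -H 'X-Api-Key: example-key-partner-a' https://host/api/...` is admitted while a missing or unknown key gets 401 or 403 from NGINX without touching the backend. In production the listener belongs on a Unix socket or loopback only, and the key store in a real datastore, but the decision logic stays the same.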
Restricting Access by Time (Maintenance Window)
map $time_iso8601 $allowed_time {
default 0;
"~T(09|10|11|12):" 1;
}
server {
if ($allowed_time = 0) {
return 403;
}
}
- NGINX has no $time_hour variable. $time_iso8601 has the form 2024-05-06T09:30:00+02:00, and a map key starting with ~ is a regular expression, so this matches the hour field
- Useful for admin systems that should be reachable only during staffed hours (09:00 to 12:59 server local time here); changing the window needs a configuration reload
Restricting Access to Files & Paths
Protect Sensitive Files
location ~* \.(env|log|sql|bak)$ {
deny all;
}
Prevents leaking secrets, dumps, logs and backups left under the web root. ~* makes the match case-insensitive, and NGINX matches against the decoded, normalized URI, so /%2Eenv and /static/../.env are caught too. Treat it as a backstop: such files should not be in the document root at all
Block Hidden Files
location ~ /\. {
deny all;
}
Protects .git, .env, .htaccess and every other dot-file or dot-directory. It also matches /.well-known/, which ACME (Let's Encrypt) HTTP-01 validation uses; if you rely on that, add a location ^~ /.well-known/ block, since a ^~ prefix match takes precedence over regex locations
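Because NGINX tries regex locations in configuration order and matches them against the decoded, dot-segment-normalized URI, it pays to check what a rule set actually blocks before deploying it. The following is an added example, not code from the original page, that replays the two rules from this section over constructed request paths. The normalization is a simplified model of what NGINX does (query string dropped, percent-decoding, . and .. removed) and is an assumption for the illustration; the rule names are made up for reporting.

```python
import re
from urllib.parse import unquote

# The two regex locations from this section, in configuration order, as
# patterns Python's re accepts (nginx uses PCRE; equivalent for these).
# ~* is case-insensitive, ~ is case-sensitive.
FILE_RULES = [
    ("sensitive-extensions", re.compile(r"\.(env|log|sql|bak)$", re.IGNORECASE)),
    ("hidden-files", re.compile(r"/\.")),
]


def normalize_uri(uri):
    """Approximate what nginx does before location matching: drop the query
    string, percent-decode, and remove . and .. segments, so /%2Eenv and
    /static/../.env are matched as /.env. Simplified model (assumption):
    nginx answers 400 for paths that climb above the root; we just clamp."""
    path = unquote(uri.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:          # never pop the leading root segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def blocked_by(uri):
    """Name of the first rule that denies the URI, or None if it is served.
    First matching regex location wins, so order here mirrors the config."""
    path = normalize_uri(uri)
    for name, pattern in FILE_RULES:
        if pattern.search(path):
            return name
    return None


# Constructed request paths a scanner or a legitimate client might send.
SAMPLE_URIS = [
    "/config/.env",                       # extension rule
    "/backup/site.SQL",                   # ~* makes this case-insensitive
    "/.git/HEAD",                         # hidden-files rule
    "/%2Eenv",                            # encoded dot is decoded before matching
    "/static/../.env",                    # dot-segment removed before matching
    "/.env.backup",                       # extension rule misses it, hidden rule catches it
    "/data/.env?download=1",              # query string is not part of the match
    "/.well-known/acme-challenge/token",  # also blocked: breaks ACME HTTP-01
    "/images/logo.png",                   # served
    "/app/env",                           # no dot, served
]


def audit(uris=SAMPLE_URIS):
    """Map each constructed URI to the rule that blocks it (None = served)."""
    return {uri: blocked_by(uri) for uri in uris}


if __name__ == "__main__":
    for uri, rule in audit().items():
        print(f"{uri:40s} -> {rule or 'served'}")
```

The last two positive cases are the ones to act on: /.env.backup shows why the hidden-files rule belongs alongside the extension rule, and the ACME path shows why a location ^~ /.well-known/ block is needed when certificates are issued over HTTP-01.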
Restricting Access Using Rate & Connection Limits
Rate Limit Sensitive Paths
# in the http block: one bucket per client address, 5 requests per minute
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /login {
limit_req zone=login burst=3 nodelay;
}
Connection Limit
# in the http block
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 5;
- Every zone used by limit_req or limit_conn must be declared with limit_req_zone or limit_conn_zone in the http block; NGINX refuses to start otherwise
- Slows brute-force and credential stuffing against /login (burst=3 admits a short spike, nodelay serves it immediately, everything beyond it gets 503) and caps one source's share of concurrent connections; it does not stop volumetric DDoS, which needs upstream filtering
- Both key on $binary_remote_addr, so clients behind one NAT share a bucket, and behind a load balancer the real client address must be recovered first or every client shares the balancer's bucket
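The interaction of rate, burst and nodelay is the part of limit_req that most often surprises people, so the following is an added example, not code from the original page, that replays NGINX's leaky-bucket bookkeeping for one client key over a constructed burst of login attempts. It models the published algorithm (excess counter in thousandths of a request, drained at the configured rate, request rejected when excess would exceed burst, state updated only for admitted requests); the request timestamps and the 1r/s zone are constructed for the illustration.

```python
def simulate_limit_req(request_times_ms, rate_per_sec, burst=0, nodelay=False):
    """Replay nginx limit_req for one key (e.g. one $binary_remote_addr).

    nginx keeps an 'excess' counter per key in thousandths of a request.
    On each request it drains rate * elapsed, adds 1000 for this request and
    rejects (503 by default) if the result exceeds burst * 1000. State is only
    updated for admitted requests. Without nodelay an admitted request over the
    rate is delayed by excess / rate; nodelay serves it immediately.
    Returns [(time_ms, status, delay_ms)] for the given request times.
    """
    rate = int(rate_per_sec * 1000)     # nginx stores the rate scaled by 1000
    excess = 0
    last = None
    results = []
    for now in request_times_ms:
        if last is None:
            # first request for a new key: always admitted, excess starts at 0
            last, excess = now, 0
            results.append((now, 200, 0))
            continue
        elapsed = max(now - last, 0)    # nginx treats a backwards clock jump as 0
        candidate = max(excess - rate * elapsed // 1000 + 1000, 0)
        if candidate > burst * 1000:
            results.append((now, 503, 0))   # rejected; excess and last unchanged
            continue
        excess, last = candidate, now
        delay = 0 if nodelay else excess * 1000 // rate
        results.append((now, 200, delay))
    return results


# Constructed burst of login attempts (ms since the first one) against a zone
# declared as: limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
LOGIN_ATTEMPTS_MS = [0, 100, 200, 300, 400, 500, 1500, 5000]


def login_outcomes(nodelay=True):
    """Statuses for the constructed burst with limit_req zone=login burst=3."""
    return [status for _, status, _ in
            simulate_limit_req(LOGIN_ATTEMPTS_MS, rate_per_sec=1, burst=3, nodelay=nodelay)]


if __name__ == "__main__":
    for t, status, delay in simulate_limit_req(LOGIN_ATTEMPTS_MS, 1, burst=3, nodelay=False):
        print(f"t={t:5d}ms  {status}  delay={delay}ms")
```

With burst=3 the first four attempts inside one second are admitted and the fifth and sixth are rejected; after the bucket drains, attempts are admitted again. Without nodelay the same attempts are admitted but held back by up to 2.7 seconds, which is what makes a burst without nodelay useful for smoothing legitimate clients and less useful for a login endpoint. Rates in r/m are converted the same way NGINX does, so 5r/m becomes 83 thousandths per second.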
Combining Multiple Restrictions (Best Practice)
Secure Admin Panel Example
# in the http block: limit_req_zone $binary_remote_addr zone=admin:10m rate=2r/s;
location /admin/ {
allow 192.168.1.0/24;
deny all;
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;
limit_req zone=admin burst=2 nodelay;
}
Security Layers Used
| Layer | Purpose |
|---|---|
| IP restriction | Network trust |
| Auth | Identity |
| Rate limit | Abuse prevention |
- allow/deny and auth_basic both run in the access phase and, with the default satisfy all, both must pass (satisfy any would accept either); limit_req runs in the earlier preaccess phase, so failed logins are throttled before the password is checked. The order of the directives inside the location does not change this
Restrict Access Behind Load Balancers
Get Real Client IP
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
- Without this, $remote_addr is the load balancer's address, so IP rules either block everyone or, if the balancer's range is allowed, let everyone through
- set_real_ip_from must list only proxies you control; X-Forwarded-For from any other peer is ignored, and trusting 0.0.0.0/0 lets any client choose its own address
- With real_ip_recursive on, NGINX takes the rightmost address that is not a trusted proxy, so chains such as CDN to balancer to NGINX resolve to the client as long as every hop is listed; with it off, only the last address is used
- The realip module must be compiled in (--with-http_realip_module, included in most distribution packages)
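Whether an IP restriction can be bypassed depends entirely on which address NGINX believes the client has, which is decided by the realip settings above before the allow/deny rules from the IP-Based Access Control section run. The following is an added example, not code from the original page, that models both steps: the rightmost-untrusted walk of X-Forwarded-For that real_ip_recursive performs, and first-match evaluation of the /admin/ allow/deny list. It then checks constructed scenarios, including a spoofed header sent directly, a spoofed header relayed by the balancer, a legitimate admin two trusted hops away, and the overbroad set_real_ip_from 0.0.0.0/0 that defeats the control. Scenario names, addresses and the proxy range are constructed for the illustration; host:port entries in the header are not handled.

```python
import ipaddress


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def real_client_ip(remote_addr, x_forwarded_for, trusted_cidrs, recursive=True):
    """Model of the realip module with real_ip_header X-Forwarded-For.

    trusted_cidrs plays the role of set_real_ip_from. The header is ignored
    unless the TCP peer is trusted. With real_ip_recursive off the last
    address in the header is used; with it on, addresses are walked from the
    right, skipping trusted proxies, and the last non-trusted one wins. An
    unparsable entry stops the walk. Returns the resolved address as a string.
    (Simplification: nginx also accepts host:port entries; not handled here.)
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    if not _in_any(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",")] if x_forwarded_for else []
    found = None
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())   # rightmost first
        except ValueError:
            break
        found = candidate
        if not recursive or not _in_any(candidate, trusted):
            break
    return str(found if found is not None else peer)


def access_decision(client_ip, rules):
    """allow/deny as the access module evaluates them: first matching rule
    wins and a client no rule matches is allowed.
    rules: [("allow" | "deny", cidr | "all")]. An IPv4 CIDR never matches an
    IPv6 client, so dual-stack clients fall through to the next rule."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"


ADMIN_RULES = [("allow", "192.168.1.0/24"), ("deny", "all")]   # the /admin/ block above
LB_RANGE = ["10.0.0.0/8"]                                      # set_real_ip_from 10.0.0.0/8

# Constructed scenarios: (TCP peer address, X-Forwarded-For header as received)
SCENARIOS = {
    "direct client, no proxy":        ("192.168.1.10", ""),
    "spoofed header, no proxy":       ("203.0.113.9", "192.168.1.10"),
    "spoofed header via balancer":    ("10.0.1.2", "192.168.1.10, 203.0.113.9"),
    "admin through two trusted hops": ("10.0.1.2", "192.168.1.10, 10.0.2.2"),
}


def admin_verdicts(recursive=True, trusted=LB_RANGE):
    """allow/deny verdict for /admin/ in every constructed scenario."""
    return {name: access_decision(real_client_ip(peer, xff, trusted, recursive), ADMIN_RULES)
            for name, (peer, xff) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in admin_verdicts().items():
        print(f"{name:32s} -> {verdict}")
    print("recursive off, two hops        ->", admin_verdicts(recursive=False)["admin through two trusted hops"])
    print("trusting 0.0.0.0/0, spoofed    ->", admin_verdicts(trusted=["0.0.0.0/0"])["spoofed header, no proxy"])
```

Two results are worth dwelling on. With real_ip_recursive off, the admin behind two trusted hops is denied because NGINX resolves the client to the inner proxy's address; the fix is to turn recursion on and list every hop. With set_real_ip_from 0.0.0.0/0, a direct client with a forged header is allowed, which is the bypass the section warns about.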
Common Security Mistakes
| Mistake | Risk |
|---|---|
| Only using auth | Brute-force and credential stuffing; add limit_req and, where possible, IP restriction |
| Only IP restriction | Anyone on the trusted network or VPN, or a compromised host there, gets in; add authentication |
| Using if incorrectly | Unpredictable behaviour in location context; keep if to return or rewrite and prefer map |
| No HTTPS | Basic-auth credentials and API keys travel in cleartext |
| No logging | Probing and denied requests go unnoticed |
| Trusting X-Forwarded-For from any peer | Clients choose their own address and bypass allow/deny |
Logging Restricted Access Attempts
# log_format main must exist in the http block; this is the format shipped in the default nginx.conf
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/restricted.log main;
error_log /var/log/nginx/restricted_error.log warn;
- Denied requests appear as 403 in the access log, and the access and auth_basic modules log "access forbidden by rule" and password mismatches at error level, which warn includes
- With the realip module configured, $remote_addr is the recovered client address and $http_x_forwarded_for keeps the raw header, so both are available for incident analysis; ship the two logs to central logging and alert on bursts of 403s against admin paths