How to Put Directory Restrictions in Nginx Web Server

The power of Nginx should never be underestimated. This performant, lightweight, and fast web server application is capable of handling 10,000 connections simultaneously without straining. To accomplish such strides, Nginx makes use of its asynchronous and event-driven architecture for managing new connections.

Some reputable features associated with the Nginx web server include:

  • Acting as a reverse proxy server for protocols like IMAP, POP3, HTTPS, HTTP, and SMTP.
  • Serving as a front-end proxy for web servers like Apache.
  • Working as an HTTP cache and a load balancer.

With these features, the practical uses of Nginx are countless. For instance, directory restriction is a major challenge for many World Wide Web users and administrators.

When directory access on a web server is not managed properly, a lot can go wrong, from data loss to compromised system integrity.

This article will walk us through configuring directory restrictions on Linux systems with Nginx installed.

Problem Statement

For this tutorial to be more practical and relatable, we also need to meet the following requirements:

  • A host machine with the known IP address (192.168.100.3).
  • A remote machine (with Nginx installed) with the known IP address (192.168.100.29).
  • A directory on the remote machine whose access we wish to restrict from all or specific remote machines (via their IP addresses).

On the remote machine with IP 192.168.100.29, we will be working with the following directory structure:

$ ls -l /var/www/html/secrets
$ cat /var/www/html/secrets/secret.txt

Here, we assume that the /var/www/html/secrets directory is our web app’s primary directory.

Note that /var/www/html is the directory with the Nginx default loading page. We will try to restrict access to the above-created directory from a host machine with IP address 192.168.100.3.

Restricting Access to Directory in Nginx

Before restricting access to the directory in Nginx, make sure that we can download our file using the wget command.

$ wget http://192.168.100.29/secrets/secret.txt
$ cat secret.txt

Now, with your preferred text editor, open your site’s Nginx configuration file:

$ sudo nano /etc/nginx/sites-available/default 

If you have several virtual host configurations for different sites (e.g., your_site.com in /etc/nginx/sites-enabled/your_site.conf), you might need to use that file instead:

$ sudo nano /etc/nginx/sites-enabled/your_site.conf 

With the file open, you should be able to trace the server block associated with your web app:

You should also trace the location / {} block within the server block. To restrict access to our directory, we will create the following location block below the above location block:

location /secrets/ {
    deny all;
}

After making changes, restart the Nginx web server.

$ sudo systemctl restart nginx

Let us try to download the file from the restricted directory:

$ wget http://192.168.100.29/secrets/secret.txt

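To allow access only from specified IP addresses and deny all other users, we will change our location block to resemble the following. Note that the location prefix is the request URI path (/secrets/), not the filesystem path (/var/www/html/secrets); a block written with the filesystem path would never match a request for /secrets/secret.txt, so its rules would not be applied:

location /secrets/ {
    allow 192.168.100.3;
    deny all;
}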

If you want to list more users, add them above the deny all line in the following format:

allow 192.168.100.4;
allow 192.168.100.5;
allow 192.168.100.7;

Again, restart Nginx before re-attempting to access the directory.

$ sudo systemctl restart nginx
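
Nginx checks the allow and deny directives of a location block in order and stops at the first one that matches the client address, so the position of deny all decides who gets in. The Python sketch below is an added example, not part of the original article or of Nginx itself: it models that first-match evaluation for two constructed configurations. The function names and the 192.168.100.64/28 entry are assumptions made for illustration, and only IP, CIDR and all targets are handled.

```python
import ipaddress
import re

# Constructed sample: the allowlist block from this article plus an assumed CIDR entry.
GOOD_CONF = """
location /secrets/ {
    allow 192.168.100.3;
    allow 192.168.100.64/28;   # assumption: a small admin subnet
    deny all;
}
"""

# Constructed sample: same intent, but "deny all" is listed first.
MISORDERED_CONF = """
location /secrets/ {
    deny all;
    allow 192.168.100.3;
}
"""

def parse_access_rules(conf_text, location):
    """Return [(action, network or None for 'all')] for one location block, in file order."""
    block = re.search(r"location\s+" + re.escape(location) + r"\s*\{([^}]*)\}", conf_text)
    if block is None:
        raise ValueError(f"no location block for {location!r}")
    body = re.sub(r"#[^\n]*", "", block.group(1))  # drop comments
    rules = []
    for action, target in re.findall(r"\b(allow|deny)\s+([^;\s]+)\s*;", body):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """Model of the check: the first matching rule decides; no match means allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or addr in net:
            return action == "allow"
    return True

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("misordered", MISORDERED_CONF)):
        rules = parse_access_rules(conf, "/secrets/")
        for ip in ("192.168.100.3", "192.168.100.70", "192.168.100.29"):
            verdict = "allowed" if is_allowed(rules, ip) else "403 Forbidden"
            print(f"{name:11} {ip:15} -> {verdict}")
```

With the misordered block, even 192.168.100.3 is refused, because deny all matches before its allow line is reached.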

We can now comfortably put directory restrictions in place in Nginx. Hope this guide was helpful. Feel free to leave a comment or feedback.