Home / server / Questions / 1011021
Accepted
suchislife
Asked: 2020-04-06 10:13:09 +0800 CST

limit_except VS $request_method !~ ^(GET|HEAD|POST)$

  • 772

I have been reading quite a bit about nginx lately and found 2 approaches online. The first appears to work at the server context level and the second is recommended for the location context level.

Question. Is it appropriate to use limit_except at the server context level?

Approach #1 ($request_method) embedded variable

# server context
#
# Disable unwanted HTTP methods
# Most of the time, you need just GET, HEAD & POST HTTP request in your web application.
# Allowing TRACE or DELETE is risky as it can allow Cross-Site Tracking attack and potentially
# allow an attacker to steal the cookie information.
# So we return a 405 Not Allowed if someone is trying to use TRACE, DELETE, PUT, OPTIONS.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {

  return 405;

}

Approach #2 (limit_except) method

# Limits allowed HTTP methods inside a location.
. . .

location /restricted-write {

    # location context

    limit_except GET HEAD {

        # limit_except context

        allow 192.168.1.1/24;
        deny all;
    }
}
nginx php-fpm

2 Answers

  1. Best Answer

    No, you cannot use limit_except at the server context level. It is only valid within a location context, per the ngx_http_core_module documentation:

    Syntax: limit_except method ... { ... }

    Default:

    Context: location

    Approach #1 is the workaround/alternative for similar functionality, with the caveat that your example will give a HTTP status 405 response, instead of the 403 status that limit_except will respond with.

    • 2

  2. Approach #2 can be shortened to

    limit_except GET {
}

    HEAD will be allowed as per http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except

    • 0