Ping a Specific Port

Question

tst

Asked: 2010-05-03 13:55:03 +0800 CST2010-05-03 13:55:03 +0800 CST 2010-05-03 13:55:03 +0800 CST

how to restrict access to directory and subdirs

772

I need to restrict access to any files or subdirs in direstory "testdir". My conf:

...
location ~* ^.+\.(jpg|txt)$ {
            root   /var/www/site;
        }
location /testdir {
        deny all;
        return 404;
        }
...

In my configuration I have no restrictions on /testdir/jpg_or_txt-files. How to do it?

4 Answers

Voted

DavidR. · Answer 1 · 2011-02-09T06:55:50+08:00

DavidR.

2011-02-09T06:55:50+08:002011-02-09T06:55:50+08:00

to restrict access to multiple directories in nginx in one location entry do

...
location ~ /(dir1|dir2|dir3) {
   deny all;
   return 404;
}
...

54

Guillaume Filion · Answer 2 · 2010-05-06T10:31:46+08:00

Guillaume Filion

2010-05-06T10:31:46+08:002010-05-06T10:31:46+08:00

It's because the "root" directive matches before the "deny" directive can be matched. Reverse the order of your directives and it should work:

...
location /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}
...

25

Reinstate Monica 2331977 · Answer 3 · 2013-10-03T04:25:58+08:00

To ensure that the testdir match is chosen instead of the jpg/txt match, use the following locations:

location ^~ /testdir {
  deny all;
  return 404;
}
location ~* ^.+\.(jpg|txt)$ {
  root   /var/www/site;
}

In your example, you have two types of locations. location /testdir is a prefix location, as it has no tilde (~) between location and /testdir.

location ~* ^.+\.(jpg|txt)$ is a regex location (a case-insensitive one, due to the * directly after the tilde). From the nginx documentation:

To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.

The problem here, is that your testdir location is being remembered, but then the jpg/txt location is selected during the regex stage, as it matches. The following note from the documentation is what I based my solution (given above) upon:

If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.

RemyNL · Answer 4 · 2014-09-02T06:32:05+08:00

RemyNL

2014-09-02T06:32:05+08:002014-09-02T06:32:05+08:00

location /foo {
    deny all;
    return 404;
}

This will give you a 403 all the time because of the deny all... When you want the server to give you a 404 just only return a 404... like so:

location /foo {
    return 404;
}

13

how to restrict access to directory and subdirs

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?