Allow only local users in nginx

The listen directive tells the operating system on what interface the web server binds itself. So, when you look at netstat -a after starting nginx, you will see that nginx listens only on 127.0.0.1 IP port 80, which means that the nginx server cannot be reached via any other interface.

Binding to a specific IP address works in a lower level in the actual network stack than the allow / deny directives inside nginx configuration.

This means that you don't need separate allow / deny directives inside your configuration with your use case, because the connections are limited lower in the network stack.

If you specify listen 80; only, and use allow / deny directives, then nginx will send a HTTP error code to the client, tellng that access is denied.

With the listen 127.0.0.1; case, the browser cannot connect to the server at all, because there is no TCP port open for the browser to connect to.

Let's say your network ID is 192.168.1.0, edit your conf file like so:

location / {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world
  deny    all;
}

Please let me know how it works for you.

Edit #1:

Yes, the allow directive is a must according to the Official Nginx wiki. Their example is:

location / {
    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny 192.168.1.2;
    deny all;
}

I wanted to achieve the same functionality (allow only local users in nginx) and I figured out that I can do something simple like this:

server {
    listen 127.0.0.1:80;

    index index.html index.htm index.nginx-debian.html;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /path/to/folder;
    }       

    location / {
        include proxy_params;
    }
}

This config file works fine for me, I am not using any allow directive, but only 127.0.0.1:80, and with that I am able to restrict nginx access to local users only!