Mercurial > hg > nginx-site

view xml/en/docs/http/ngx_http_access_module.xml @ 2846:fdf1464e1977

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Moved banner to the external file to make partial rollout possible. An idea is to have several banners and show them with different probability specified by split directive in the nginx.conf
author Sergey Budnevitch <sb@waeme.net>
date Tue, 10 May 2022 18:07:27 +0400
parents a7974b8d2a23
children 9eadb98ec770
line wrap: on
line source

<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_access_module"
        link="/en/docs/http/ngx_http_access_module.html"
        lang="en"
        rev="4">

<section id="summary">

<para>
The <literal>ngx_http_access_module</literal> module allows
limiting access to certain client addresses.
</para>

<para>
Access can also be limited by
<link doc="ngx_http_auth_basic_module.xml">password</link>, by the
<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,
or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
Simultaneous limitation of access by address and by password is controlled
by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
</example>
</para>

<para>
The rules are checked in sequence until the first match is found.
In this example, access is allowed only for IPv4 networks
<literal>10.1.1.0/16</literal> and <literal>192.168.1.0/24</literal>
excluding the address <literal>192.168.1.1</literal>,
and for IPv6 network <literal>2001:0db8::/32</literal>.
In case of a lot of rules, the use of the
<link doc="ngx_http_geo_module.xml">ngx_http_geo_module</link>
module variables is preferable.
</para>

</section>


<section id="directives" name="Directives">

<directive name="allow">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Allows access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
allows access for all UNIX-domain sockets.
</para>

</directive>


<directive name="deny">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Denies access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
denies access for all UNIX-domain sockets.
</para>

</directive>

</section>

</module>