How to block requests from specific IP address in Nginx
You may end up in situations where you have to block requests to your website from specific IP addresses. If you are running your web application with Nginx, then this is for you. Nginx offers multiple configuration options for blocking IP addresses. Let's look at a couple of them in this article.
Block requests from a specific IP address or a range of IP addresses
The easiest and quickest way to block an IP is to use the deny directive with the IP address. This blocks all requests from that specific address. Instead of a single IP address, you can also specify an IP range with the “deny” directive.
location / {
    deny 127.0.0.1; # Individual IP Address
    deny 1.2.3.0/24; # IP Address range
}
The above snippet is the standard sample that you see everywhere that talks about blocking IP addresses in Nginx. But in reality, you may end up blocking a huge list of IP addresses, and this approach becomes complicated very quickly. In such a scenario, the approach below of maintaining a blacklist is handy.
Blocking a huge list of IP addresses
1. Create a new file called banned-ip.conf inside the nginx snippets folder. Usually, the “snippets” folder is located in the same directory as the “nginx.conf” file. On Ubuntu, the location is “/etc/nginx/snippets”.
2. Add the IP addresses that you wish to block to that file in the format below.
geo $bad_ip {
    default 0;
    202.72.213.218 1;
    another_ip 1;
    another_ip 1;
    ...
    ...
}
In the above code, default should always be 0 so that all other requests are allowed. Every IP that you wish to block should have a number other than zero.
3. Include the above file in the “http” block of nginx.conf so that it can be referenced from any config file.
include /etc/nginx/snippets/banned-ip.conf;
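4. Now, in your application-level config file (usually located in the “sites-available” folder), add the code segment below to the top of the “server” block to validate incoming requests. Status 444 is an Nginx-specific code that closes the connection without sending a response. If the server block already has a “location /” block, put the if inside it rather than adding a second one, because Nginx rejects duplicate locations.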
location / {
    if ($bad_ip) {
        return 444;
    }
}
5. Reload the nginx configuration to make the changes effective by executing the command
nginx -s reload
That’s it. Now Nginx will stop all requests from the IP addresses listed in banned-ip.conf.
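An added example, not part of the original article: a small Python script that builds the contents of banned-ip.conf from a plain list of addresses, setting aside entries that are not valid addresses or ranges and dropping addresses already covered by a banned range. The function name render_geo and the sample list are assumptions made for this example.

```python
import ipaddress

# Constructed sample input: one entry per line, "#" starts a comment.
SAMPLE_BLOCKLIST = """\
# addresses collected from access.log (constructed sample data)
202.72.213.218
1.2.3.0/24
1.2.3.77        # already covered by 1.2.3.0/24
2001:db8::/32
not-an-ip
"""

def render_geo(lines, variable="bad_ip"):
    """Return (config_text, rejected_entries) for a geo block that maps banned networks to 1."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts 1.2.3.4/24 and normalises it to 1.2.3.0/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Keep invalid entries out of the file instead of writing a broken config
            rejected.append(entry)
    merged = []
    for version in (4, 6):
        # collapse_addresses() needs a single IP version per call; it removes
        # duplicates and addresses already inside a listed range
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    out = [f"geo ${variable} {{", "    default 0;"]
    for net in merged:
        # Single hosts are written as a bare address, as in the article's sample
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        out.append(f"    {target} 1;")
    out.append("}")
    return "\n".join(out) + "\n", rejected

if __name__ == "__main__":
    text, bad = render_geo(SAMPLE_BLOCKLIST.splitlines())
    print(text, end="")
    for entry in bad:
        print(f"# skipped invalid entry: {entry}")
```

Write the generated text to /etc/nginx/snippets/banned-ip.conf and run nginx -t to check the configuration before nginx -s reload.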
If you are trying to protect a WordPress site running behind nginx, you can also refer to my earlier article for more details.