Mercurial > hg > nginx-site

view xml/en/docs/http/ngx_http_access_module.xml @ 1878:127ae107e5a9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Removed clause about shared memory and Windows versions with ASLR. Starting with nginx 1.9.0 shared memory can be used on Windows versions with address space layout randomization.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 26 Dec 2016 19:38:06 +0300
parents a7974b8d2a23
children 9eadb98ec770
line wrap: on
line source

<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_access_module"
        link="/en/docs/http/ngx_http_access_module.html"
        lang="en"
        rev="4">

<section id="summary">

<para>
The <literal>ngx_http_access_module</literal> module allows
limiting access to certain client addresses.
</para>

<para>
Access can also be limited by
<link doc="ngx_http_auth_basic_module.xml">password</link>, by the
<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,
or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
Simultaneous limitation of access by address and by password is controlled
by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
</example>
</para>

<para>
The rules are checked in sequence until the first match is found.
In this example, access is allowed only for IPv4 networks
<literal>10.1.1.0/16</literal> and <literal>192.168.1.0/24</literal>
excluding the address <literal>192.168.1.1</literal>,
and for IPv6 network <literal>2001:0db8::/32</literal>.
In case of a lot of rules, the use of the
<link doc="ngx_http_geo_module.xml">ngx_http_geo_module</link>
module variables is preferable.
</para>

</section>


<section id="directives" name="Directives">

<directive name="allow">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Allows access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
allows access for all UNIX-domain sockets.
</para>

</directive>


<directive name="deny">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Denies access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
denies access for all UNIX-domain sockets.
</para>

</directive>

</section>

</module>