Mercurial > hg > nginx-site

view xml/en/docs/http/ngx_http_access_module.xml @ 3043:9eadb98ec770

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Free nginx: removed commercial version documentation.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 14 Feb 2024 20:05:49 +0300
parents a7974b8d2a23
children
line wrap: on
line source

<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_access_module"
        link="/en/docs/http/ngx_http_access_module.html"
        lang="en"
        rev="5">

<section id="summary">

<para>
The <literal>ngx_http_access_module</literal> module allows
limiting access to certain client addresses.
</para>

<para>
Access can also be limited by
<link doc="ngx_http_auth_basic_module.xml">password</link> or by the
<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>.
Simultaneous limitation of access by address and by password is controlled
by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
</example>
</para>

<para>
The rules are checked in sequence until the first match is found.
In this example, access is allowed only for IPv4 networks
<literal>10.1.1.0/16</literal> and <literal>192.168.1.0/24</literal>
excluding the address <literal>192.168.1.1</literal>,
and for IPv6 network <literal>2001:0db8::/32</literal>.
In case of a lot of rules, the use of the
<link doc="ngx_http_geo_module.xml">ngx_http_geo_module</link>
module variables is preferable.
</para>

</section>


<section id="directives" name="Directives">

<directive name="allow">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Allows access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
allows access for all UNIX-domain sockets.
</para>

</directive>


<directive name="deny">
<syntax>
    <value>address</value> |
    <value>CIDR</value> |
    <literal>unix:</literal> |
    <literal>all</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Denies access for the specified network or address.
If the special value <literal>unix:</literal> is specified (1.5.1),
denies access for all UNIX-domain sockets.
</para>

</directive>

</section>

</module>