Set nginx.conf to deny all connections except to certain files or directories

linux nginx web-server httpd

The easiest path would be to start out by denying all access, then only granting access to those directories you want. As ring0 pointed out, you can use the default (default_server in 0.8) flag on the listen directive. However, if you already have a server you want to use as a default for unknown named access to your host, you can also just catch requests without a host header or with your server's ip address with something like this (replacing 1.2.3.4 with your server's ip:

upstream _php {
  server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
  server_name "" 1.2.3.4;

  root /path/to/root;
  index index.php;

  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

  # deny everything that doesn't match another location
  location / { deny all; }

  # allow loading /index.php
  location = / { } # need to allow GET / to internally redirect to /index.php
  location = /index.php { fastcgi_pass _php; }

  # allow access to phpmyadmin
  location /phpmyadmin/ { } # Allow access to static files in /phpmyadmin/
  location ~ ^/phpmyadmin/.*\.php$ { fastcgi_pass _php; } # phpmyadmin php files
}

the fastcgi_params will be inherited by both locations that fastcgi_pass, and only /index.php and /phpmyadmin/ are allowed. I've also added an upstream block for php, which makes it easier should you ever need to add to or change it in the future.


Creative use of the location and deny rules negated in regex, something like:

    location / {
        root   html;
        index  index.html index.htm index.php;
    }

    location ~* !^/(index.(php|html|htm)$)|(phpmyadmin/) {
        deny all;
    }

    location ~ \.php$ {
        root           html;
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME /srv/http/nginx/$fastcgi_script_name;
        include        fastcgi_params;
    }

That's untested but you get the idea.

http://wiki.nginx.org/HttpAccessModule

http://wiki.nginx.org/HttpCoreModule#location

Also, this may help you write it:

http://www.regextester.com/


It is easier to declare servers that are called with a domain name, and declare a default server that will include direct-IP accesses.

For instance your domain configuration could be used for, say, mydomain.com

server {
        listen       80;
        server_name  mydomain.com *.mydomain.com;
        root /var/www/html/mydomain.com
        ...

Having your regular files in the directory /var/www/html/mydomain.com.

And the default entry would only allow access to some specific files in a different location.
Note the default keyword after the listen 80.

server {
        listen       80 default;
        server_name  _ *;
        root /var/www/html/restricted
        ...

And you put the default files in /var/www/html/restricted, that will be served for localhost and raw IP addresses.

Related

Restoring an Amazon EBS RAID0 array from snapshots taken with ec2-consistent-snapshot
How Ubuntu cloud version enforces the "no root login" over ssh?
Amazon SES e-mails ending in Yahoo & Hotmail Spam folders, even though SPF and SenderID and DKIM are set correctly
As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient? [closed]
Installing a new 4tb hdd not knowing to go for e.g. ext4 or NTFS as a format, some advice please
How to turn a PDF grayscale in Ubuntu?
KWin: Toggle grayscale KDE destop effect with script
ALT+TAB stops working after a while in Ubuntu 21.04
Does extended support for Ubuntu 14.04 mean it now supports PHP 7.4 or above? [closed]
RZ608 MT7921K Wireless LAN Driver is not supported on ubuntu 18.04
Swappiness on WSL2 gets reset to 60
Disable shift-delete for file deletion