When NGINX deny rule is applied?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I have server 80 which contains return and allow/deny directives:



...
server

server_name dev.monitor.domain.ms;
listen 80;

allow 194.***.45;
allow 37.***.130;
deny all;

return 301 https://dev.monitor.domain.ms$request_uri;

...


And another server with listen 443.



So the question here is - why return 301 works here even for IP which doesn't allow to access?



Finally - I really can't connect, so allow/deny works, but...



Example:




$ curl -vL dev.monitor.domain.ms
* About to connect() to dev.monitor.domain.ms port 80 (#0)
...
< HTTP/1.1 301 Moved Permanently
...
< Location: https://dev.monitor.domain.ms/
...
* Issue another request to this URL: 'https://dev.monitor.domain.ms/'
* About to connect() to dev.monitor.domain.ms port 443 (#1)
* Trying 40.***.***.237... Connection timed out
* couldn't connect to host
* Closing connection #1
curl: (7) couldn't connect to host



Same if add allow/deny to http block. So - when and where these restrictions are checked?



ngx_http_access_module documentation doesn't mention anything about this.










share|improve this question

























    up vote
    1
    down vote

    favorite












    I have server 80 which contains return and allow/deny directives:



    ...
    server

    server_name dev.monitor.domain.ms;
    listen 80;

    allow 194.***.45;
    allow 37.***.130;
    deny all;

    return 301 https://dev.monitor.domain.ms$request_uri;

    ...


    And another server with listen 443.



    So the question here is - why return 301 works here even for IP which doesn't allow to access?



    Finally - I really can't connect, so allow/deny works, but...



    Example:




    $ curl -vL dev.monitor.domain.ms
    * About to connect() to dev.monitor.domain.ms port 80 (#0)
    ...
    < HTTP/1.1 301 Moved Permanently
    ...
    < Location: https://dev.monitor.domain.ms/
    ...
    * Issue another request to this URL: 'https://dev.monitor.domain.ms/'
    * About to connect() to dev.monitor.domain.ms port 443 (#1)
    * Trying 40.***.***.237... Connection timed out
    * couldn't connect to host
    * Closing connection #1
    curl: (7) couldn't connect to host



    Same if add allow/deny to http block. So - when and where these restrictions are checked?



    ngx_http_access_module documentation doesn't mention anything about this.










    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I have server 80 which contains return and allow/deny directives:



      ...
      server

      server_name dev.monitor.domain.ms;
      listen 80;

      allow 194.***.45;
      allow 37.***.130;
      deny all;

      return 301 https://dev.monitor.domain.ms$request_uri;

      ...


      And another server with listen 443.



      So the question here is - why return 301 works here even for IP which doesn't allow to access?



      Finally - I really can't connect, so allow/deny works, but...



      Example:




      $ curl -vL dev.monitor.domain.ms
      * About to connect() to dev.monitor.domain.ms port 80 (#0)
      ...
      < HTTP/1.1 301 Moved Permanently
      ...
      < Location: https://dev.monitor.domain.ms/
      ...
      * Issue another request to this URL: 'https://dev.monitor.domain.ms/'
      * About to connect() to dev.monitor.domain.ms port 443 (#1)
      * Trying 40.***.***.237... Connection timed out
      * couldn't connect to host
      * Closing connection #1
      curl: (7) couldn't connect to host



      Same if add allow/deny to http block. So - when and where these restrictions are checked?



      ngx_http_access_module documentation doesn't mention anything about this.










      share|improve this question













      I have server 80 which contains return and allow/deny directives:



      ...
      server

      server_name dev.monitor.domain.ms;
      listen 80;

      allow 194.***.45;
      allow 37.***.130;
      deny all;

      return 301 https://dev.monitor.domain.ms$request_uri;

      ...


      And another server with listen 443.



      So the question here is - why return 301 works here even for IP which doesn't allow to access?



      Finally - I really can't connect, so allow/deny works, but...



      Example:




      $ curl -vL dev.monitor.domain.ms
      * About to connect() to dev.monitor.domain.ms port 80 (#0)
      ...
      < HTTP/1.1 301 Moved Permanently
      ...
      < Location: https://dev.monitor.domain.ms/
      ...
      * Issue another request to this URL: 'https://dev.monitor.domain.ms/'
      * About to connect() to dev.monitor.domain.ms port 443 (#1)
      * Trying 40.***.***.237... Connection timed out
      * couldn't connect to host
      * Closing connection #1
      curl: (7) couldn't connect to host



      Same if add allow/deny to http block. So - when and where these restrictions are checked?



      ngx_http_access_module documentation doesn't mention anything about this.







      nginx






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Sep 26 '17 at 12:45









      setevoy

      4941822




      4941822




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          deny in Nginx is applied to all corresponding locations.

          Since you don't have any location defined, it is not applied.



          Try putting the redirection into a location:



          location / 
          return 301 https://dev.monitor.domain.ms$request_uri;



          But beware, that this will not provide security regarding the host directed to.

          You will still need to check permissions within the HTTPS host.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f394528%2fwhen-nginx-deny-rule-is-applied%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            deny in Nginx is applied to all corresponding locations.

            Since you don't have any location defined, it is not applied.



            Try putting the redirection into a location:



            location / 
            return 301 https://dev.monitor.domain.ms$request_uri;



            But beware, that this will not provide security regarding the host directed to.

            You will still need to check permissions within the HTTPS host.






            share|improve this answer
























              up vote
              0
              down vote













              deny in Nginx is applied to all corresponding locations.

              Since you don't have any location defined, it is not applied.



              Try putting the redirection into a location:



              location / 
              return 301 https://dev.monitor.domain.ms$request_uri;



              But beware, that this will not provide security regarding the host directed to.

              You will still need to check permissions within the HTTPS host.






              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                deny in Nginx is applied to all corresponding locations.

                Since you don't have any location defined, it is not applied.



                Try putting the redirection into a location:



                location / 
                return 301 https://dev.monitor.domain.ms$request_uri;



                But beware, that this will not provide security regarding the host directed to.

                You will still need to check permissions within the HTTPS host.






                share|improve this answer












                deny in Nginx is applied to all corresponding locations.

                Since you don't have any location defined, it is not applied.



                Try putting the redirection into a location:



                location / 
                return 301 https://dev.monitor.domain.ms$request_uri;



                But beware, that this will not provide security regarding the host directed to.

                You will still need to check permissions within the HTTPS host.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Sep 26 '17 at 14:39









                Richard Neumann

                488211




                488211



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f394528%2fwhen-nginx-deny-rule-is-applied%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?