When is the NGINX deny rule applied?
I have server 80 which contains return and allow/deny directives:

    ...
    server {
        server_name dev.monitor.domain.ms;
        listen 80;
        allow 194.***.45;
        allow 37.***.130;
        deny all;
        return 301 https://dev.monitor.domain.ms$request_uri;
        ...
    }

And another server with listen 443.

So the question here is: why does return 301 work here even for an IP which isn't allowed access?

Finally - I really can't connect, so allow/deny works, but...

Example:

    $ curl -vL dev.monitor.domain.ms
    * About to connect() to dev.monitor.domain.ms port 80 (#0)
    ...
    < HTTP/1.1 301 Moved Permanently
    ...
    < Location: https://dev.monitor.domain.ms/
    ...
    * Issue another request to this URL: 'https://dev.monitor.domain.ms/'
    * About to connect() to dev.monitor.domain.ms port 443 (#1)
    * Trying 40.***.***.237... Connection timed out
    * couldn't connect to host
    * Closing connection #1
    curl: (7) couldn't connect to host

Same if I add allow/deny to the http block. So - when and where are these restrictions checked?

The ngx_http_access_module documentation doesn't mention anything about this.
asked Sep 26 '17 at 12:45
setevoy
1 Answer
deny in Nginx is applied to all corresponding locations.
Since you don't have any location defined, it is not applied.
Try putting the redirection into a location:

    location / {
        return 301 https://dev.monitor.domain.ms$request_uri;
    }

But beware that this will not provide security regarding the host directed to.
You will still need to check permissions within the HTTPS host.
answered Sep 26 '17 at 14:39
Richard Neumann
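
An added example, not part of the original question or answer: nginx executes the rewrite module's directives (return, rewrite, if) in its rewrite phases, which run before the access phase where allow/deny are checked, so one way to restrict the redirect itself is to test the client address with geo and if ahead of the return. The addresses are documentation-range placeholders standing in for the redacted ones in the question, and the variable name $redirect_denied and the certificate paths are assumptions.

```nginx
# Added example (not from the original post). The geo block belongs in http {}.
# It maps the client address ($remote_addr) to a flag: 1 = refuse, 0 = allowed.
geo $redirect_denied {
    default        1;   # every address not listed below
    192.0.2.10     0;   # placeholder for the first allowed address
    198.51.100.20  0;   # placeholder for the second allowed address
}

server {
    server_name dev.monitor.domain.ms;
    listen 80;

    # "if" and "return" are both ngx_http_rewrite_module directives and are
    # executed in the order written, so this check happens before the
    # redirect. "if" treats "0" and the empty string as false.
    if ($redirect_denied) {
        return 403;
    }

    return 301 https://dev.monitor.domain.ms$request_uri;
}

server {
    server_name dev.monitor.domain.ms;
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;   # placeholder path

    # The redirect target enforces its own rules. There is no "return" here,
    # so the request reaches the access phase and allow/deny are applied
    # before any content is served.
    allow 192.0.2.10;
    allow 198.51.100.20;
    deny all;
}
```

After nginx -t and a reload, curl -I http://dev.monitor.domain.ms/ should get a 403 from an address outside the list and a 301 from one inside it.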