With nginx how do I restrict to certain IP addresses based on regexp of $args?

e.g. for https://somewhere.invalid/login the URI location

    location /login {
        allow 1.2.3.4;
        deny all;
    }

makes sense,

but how do I allow /login to all but restrict by IP where $args = "person=super",

e.g. https://somewhere.invalid/login?person=super

nginx does not allow "allow" statements in "if" blocks.

    location /login {
        allow all;
        if ( $args ~ /person=super/ ) {
            allow 1.2.3.4;
            deny all;
        }
    }

Does it make any difference if the location block / is a proxy_pass?

CodePudding user response:
As the documentation says, the allow and deny directives cannot be used in the if context. Allowed contexts are http, server, location and limit_except. However, you can achieve the same behavior with two map blocks checking the $arg_person and $remote_addr variable values:

    map $arg_person $deny {
        super    $checkip;
        # default value will be an empty string
    }
    map $remote_addr $checkip {
        1.2.3.4  '';
        # you can add other allowed IPs here
        default  1;
    }
    server {
        ...
        location /login {
            if ($deny) { return 403; }
            ...
        }
    }
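
A variation on the approach above, added here as an example and not part of the original answer: the IP check uses a geo block so that CIDR ranges can be allowed, and the location proxies to a backend, which is the case the question asks about. The variable names, the 192.0.2.0/24 range, the listen port and the backend address are assumptions chosen for illustration.

```nginx
# Added example. These blocks go in the http context.

# 1 = client address is NOT on the allow list.
# geo tests $remote_addr by default and understands CIDR ranges,
# which a map on $remote_addr (exact string match) does not.
geo $login_ip_blocked {
    default        1;
    1.2.3.4        0;   # the address used in the question
    192.0.2.0/24   0;   # constructed example range
}

# Only requests carrying person=super are subject to the IP check.
map $arg_person $login_deny {
    default  0;
    super    $login_ip_blocked;
}

server {
    listen 8080;                      # placeholder port

    location /login {
        # "if" treats an empty string or "0" as false, so the request
        # is rejected only when person=super comes from a blocked IP.
        # The check runs in the rewrite phase, before proxy_pass.
        if ($login_deny) { return 403; }

        proxy_pass http://127.0.0.1:9000;   # placeholder backend
    }
}
```

If this nginx instance itself sits behind a load balancer or another proxy, $remote_addr is that proxy's address, so the realip module (set_real_ip_from, real_ip_header) has to restore the client address before the geo lookup is meaningful.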