NGINX Access Control: The Complete Guide

Updated: January 19, 2024 By: Guest Contributor

Introduction

NGINX is a widely used open-source web server and reverse proxy. A major part of running one safely is access control: making sure that only the users, networks or systems you intend can reach each part of your site or application. This guide walks through the access-control mechanisms NGINX offers, from basic to advanced, with configuration examples you can adapt to your own servers.

Understanding Access Control

NGINX can enforce access control in several ways: address-based allow and deny rules, HTTP basic authentication against a password file, TLS client certificates, and more involved setups built on modules such as GeoIP. Each check is performed by NGINX before the request reaches your application, which makes it a cheap first line of defence for admin interfaces, staging sites and internal APIs, on top of, not instead of, the application's own authorization.

Basic Access Control with Allow and Deny

The most straightforward method of access control in NGINX is the ‘allow’ and ‘deny’ directives (ngx_http_access_module). They are valid in the ‘http’, ‘server’, ‘location’ and ‘limit_except’ contexts and compare the client address ($remote_addr) against each rule in the order written; the first matching rule decides, and a matching ‘deny’ produces a 403.

server {
    location /admin {
        allow 192.168.1.100;
        deny all;
        ...
    }
}

The snippet above permits only 192.168.1.100 to reach any URI beginning with ‘/admin’ (a prefix location, so ‘/admin/users’ and ‘/admin.php’ are covered too) and denies everyone else with a 403. Because rules are evaluated in order, ‘deny all’ must come last; an ‘allow’ placed after it is never reached. Note also that NGINX checks the address it sees on the TCP connection: if a load balancer or CDN sits in front, that is the proxy's address, and you need the realip module (‘set_real_ip_from’ and ‘real_ip_header’), configured to trust only your own proxies, before per-client rules mean anything.
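A fuller version of the same idea, added here as an example and not taken from the original article: CIDR ranges instead of single hosts, and the realip module for the common case where NGINX sits behind a load balancer. The proxy range 10.0.0.0/8, the office range 192.168.1.0/24, the bastion address 203.0.113.7, the host name and the certificate paths are placeholders.

```nginx
# Added example (not from the original article). Assumes NGINX runs behind a
# load balancer in 10.0.0.0/8 that appends the client address to
# X-Forwarded-For; all addresses and paths below are placeholders.
http {
    # allow/deny compare against $remote_addr. Behind a proxy that is the
    # proxy's own address, so every client would hit the same rule. The
    # realip module rewrites $remote_addr from X-Forwarded-For, but only
    # for connections arriving from the listed trusted proxies: anyone else
    # could forge the header and walk straight past the ACL.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;   # skip trusted hops in the header, right to left

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        root /var/www/example.com;

        location /admin/ {
            # Rules are checked top to bottom and the first match wins, so
            # 'deny all' must come last; placed first it would shadow the
            # allow lines and lock everyone out.
            allow 192.168.1.0/24;   # office network
            allow 203.0.113.7;      # a single bastion host
            deny  all;              # everyone else gets 403
        }
    }
}
```

If you cannot enumerate your proxies, do not enable the realip module at all: trusting X-Forwarded-For from arbitrary sources turns the ACL into a header the attacker controls.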

Password Protecting a Directory

Password protecting a directory is another level of access control in NGINX. The ‘auth_basic’ directive is used alongside the ‘auth_basic_user_file’ directive to implement password authentication.

location /protected/ {
    auth_basic "Administrator's Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

This requires a username and password for every URI under ‘/protected/’. The password file stores one username:hash pair per line; the passwords are hashed, not encrypted. NGINX accepts crypt()-style hashes that the system libc supports (for example ‘$6$’ SHA-512 on Linux), Apache's apr1 MD5 scheme, and the {SHA} and {SSHA} forms; plain text is accepted but should never be used. Create entries with Apache's ‘htpasswd’ utility or with ‘openssl passwd -apr1’ (or ‘openssl passwd -6’ on Linux) and append the result as user:hash. Two things matter for this to be secure: the file must live outside the document root and be readable only by the worker process, and basic authentication must only be offered over HTTPS, because the credentials travel base64-encoded, not encrypted, in every request.
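Put together, as an added example rather than the article's own configuration, a basic-auth location with the surrounding hardening a practitioner would expect: a forced redirect to TLS, a password file kept outside the web root, and a public health check under the protected prefix. The host name, certificate paths and the file /etc/nginx/htpasswd/protected are placeholders.

```nginx
# Added example (not from the original article). Host name, certificate
# paths and the password file location are placeholders.
server {
    listen 80;
    server_name example.com;
    # Basic auth only base64-encodes "user:password" in the Authorization
    # header; over plain HTTP it is readable on the wire. Redirect everything
    # to TLS before any protected location can be reached.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/example.com;

    location /protected/ {
        auth_basic           "Restricted";
        # Keep the file outside the document root so it can never be served,
        # and make it readable only by the worker user, e.g.
        #   chown root:www-data /etc/nginx/htpasswd/protected
        #   chmod 640 /etc/nginx/htpasswd/protected
        auth_basic_user_file /etc/nginx/htpasswd/protected;

        # A public health check under the protected prefix: nested locations
        # inherit auth_basic, so it has to be switched off explicitly here.
        location /protected/healthz {
            auth_basic off;
            return 204;
        }
    }

    # If an .htpasswd file does end up inside the web root, refuse to serve it.
    location ~ /\.ht {
        deny all;
    }
}
```

‘auth_basic off’ is also the way to exempt a single sub-path (a webhook, a status endpoint) without moving it out of the protected tree.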

Combining IP-based and Password Authentication

NGINX evaluates the access module (allow/deny) and ‘auth_basic’ separately, and the ‘satisfy’ directive decides how their results combine. The default, ‘satisfy all’, requires every check to pass. With ‘satisfy any’, one passing check is enough: the example below lets 192.168.1.100 in without a password, while everyone else, who fails the address check, is prompted for credentials instead of being rejected.

location /mixed-security/ {
    satisfy any;
    
    allow 192.168.1.100;
    deny all;

    auth_basic "Administrator's Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Restricting Access by HTTP Method

It can be important to limit what clients may do on a path by HTTP method (GET, POST, PUT, DELETE and so on). For example, you may want a resource to be read-only at the edge so that no write can reach the application from outside. One way to express that in NGINX configuration:

server {
    location /submit-form {
        if ($request_method !~ ^(GET|HEAD)$) { return 403; }
        ...
    }
}

In the above example, only GET and HEAD requests reach ‘/submit-form’; all others get a 403 Forbidden response. This is one of the safe uses of ‘if’ in a location block: only ‘return’ and ‘rewrite’ behave reliably inside it, and mixing other directives into an ‘if’ is a well-known source of surprising behaviour. NGINX also provides ‘limit_except’, which is built for exactly this purpose and combines with allow/deny.
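The same restriction expressed with ‘limit_except’, which can also be combined with allow/deny so that a subset of clients keeps write access. This is an added example, not the article's own configuration; the upstream address, host name, certificate paths and the internal range 10.0.0.0/8 are placeholders.

```nginx
# Added example (not from the original article). Upstream address, host name,
# certificate paths and the internal network range are placeholders.
upstream backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/ssl/api.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;

    location /items/ {
        # Every method except the ones listed is subject to the rules inside
        # the block. Listing GET also permits HEAD. OPTIONS is caught too, so
        # CORS preflights from browsers would be refused by this block.
        limit_except GET {
            allow 10.0.0.0/8;   # internal services may create/update/delete
            deny  all;          # anyone else is read-only and gets 403
        }
        proxy_pass http://backend;
    }

    location /submit-form {
        # Read-only for everybody: the equivalent of the if/return version
        # in the article, without the if.
        limit_except GET {
            deny all;
        }
        proxy_pass http://backend;
    }
}
```

Because ‘limit_except’ is evaluated in the access phase like allow/deny, the realip caveat from the allow/deny section applies to the address rules inside it as well.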

Advanced Access Control with GeoIP

Advanced users of NGINX may choose GeoIP-based access control. The ngx_http_geoip_module is not built by default: NGINX must be compiled with --with-http_geoip_module, or the module loaded dynamically with ‘load_module modules/ngx_http_geoip_module.so;’. It reads the legacy GeoIP.dat format, which MaxMind stopped distributing in 2019, so for new deployments the third-party ngx_http_geoip2_module with a GeoLite2 .mmdb database is the practical choice; the mapping logic below is the same either way.

http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    
    map $geoip_country_code $allowed_country {
        default no;
        US      yes;
        CA      yes;
    }

    server {
        if ($allowed_country = no) { return 403; }
        ...
    }
}

With this configuration, only visitors whose address resolves to the United States (US) or Canada (CA) are allowed; everyone else receives a 403 Forbidden. Three caveats: the lookup is done on $remote_addr, so the same proxy caveat as for allow/deny applies; addresses the database cannot place, including private and loopback ranges, yield an empty country code and fall into ‘default no’, which will block internal health checks unless you handle "" explicitly; and geolocation is a coarse filter that any VPN or proxy defeats, so treat it as noise reduction, never as authentication.
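The same policy with the geoip2 module and a GeoLite2 database, with the two practical edge cases handled: the proxy address problem, and the empty code returned for addresses the database cannot resolve. This is an added example and not the article's configuration; the module path, database path, host name, certificate paths and the trusted proxy range are placeholders.

```nginx
# Added example (not from the original article). Module path, database path,
# host name, certificate paths and the trusted proxy range are placeholders.
load_module modules/ngx_http_geoip2_module.so;

http {
    # Geolocation is looked up on $remote_addr; behind a load balancer, fix
    # that first or every visitor "comes from" the balancer's country.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;

    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        $geoip2_country_code country iso_code;
    }

    map $geoip2_country_code $blocked_by_country {
        default 1;   # any country not listed below
        US      0;
        CA      0;
        # Private and loopback addresses have no country and yield "".
        # Decide this case on purpose: here internal monitoring is let
        # through; set it to 1 if every legitimate client is external.
        ""      0;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        root /var/www/example.com;

        # 'return' is one of the two directives that are safe inside 'if'.
        if ($blocked_by_country) {
            return 403;
        }
    }
}
```

An ‘if’ at server level runs before location matching, so it cannot be bypassed by a more specific location; the price is that exemptions (such as the health check above) have to be expressed in the ‘map’ rather than per location.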

Securing NGINX with TLS Client Certificate Authentication (Mutual TLS)

For environments requiring stronger assurance, mutual TLS can be used for access control: the client must present a certificate issued by a CA you trust before the request is processed at all, so there is no password to guess or phish.

server {
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
    ...
}

This example requires a client certificate that chains to the CA in ‘ca.crt’ (within ‘ssl_verify_depth’, which defaults to 1, i.e. issued directly by that CA). A missing certificate fails with NGINX's internal 496 status and an invalid one with 495; both are reported to the client as 400 Bad Request unless you define ‘error_page’ handlers for them, and in either case the request never reaches a location block. Use a private CA dedicated to client certificates here, not a public bundle: any certificate that chains to a CA in that file is accepted, so a public bundle would admit anyone holding a certificate from a public issuer.
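A more complete deployment, added here as an example and not the article's own configuration: the client CA pinned to a private CA, a CRL for revoked client certificates, ‘ssl_verify_client optional’ so the public part of the host still works, and enforcement per location via $ssl_client_verify, with the verified identity handed to the backend. The host name, certificate, CA and CRL paths and the upstream address are placeholders.

```nginx
# Added example (not from the original article). Host name, certificate and
# CA paths, CRL path and the upstream address are placeholders.
upstream backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/ssl/api.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;

    # A private CA used only to issue client certificates. Never point this
    # at a public CA bundle: anyone with a certificate from a public issuer
    # would pass.
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
    ssl_verify_depth       2;   # allow one intermediate between leaf and root
    # Certificates revoked by that CA (PEM-encoded CRL); reload nginx when
    # the CRL is reissued.
    ssl_crl                /etc/nginx/ssl/client-ca.crl;

    # 'optional' asks for a certificate and verifies one if presented, but
    # does not fail the handshake when none is sent. A certificate that
    # fails verification is still rejected before any location runs, so
    # $ssl_client_verify is either SUCCESS or NONE below.
    ssl_verify_client optional;

    # Public part of the API: no certificate needed.
    location / {
        proxy_pass http://backend;
    }

    # Privileged part: enforce the certificate per location.
    location /internal/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Hand the verified identity to the backend. The backend must accept
        # these headers only from nginx (e.g. it listens on localhost only),
        # otherwise a direct client could set them itself.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_pass http://backend;
    }
}
```

The authorization decision (which subject or serial may do what) belongs in the backend; NGINX only guarantees that the presented certificate is valid, unrevoked and issued by your CA.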

Conclusion

In this article, we have reviewed various methods of access control in NGINX, providing examples from basic to advanced. Proper understanding and implementation of access control is vital for the security and efficiency of your web services. Apply these techniques to bolster the protection of your resources and user data on your NGINX server.