NGINX: How to Block a List of IP Addresses

Updated: January 19, 2024 By: Guest Contributor

Introduction

As a website administrator or developer, safeguarding your server from unauthorized access is a critical task. One effective measure is to control the traffic to your server, which may involve blocking certain IP addresses that are known to be malicious or spammy. In this tutorial, we will delve into how to blacklist a list of IP addresses using NGINX, one of the most popular web servers in the world.

Understanding NGINX’s Configuration Structure

Before we start modifying NGINX configuration files, it’s important to understand the basic structure. NGINX is managed through a file known as nginx.conf, which is usually found in /etc/nginx/ or /usr/local/nginx/conf/. This file contains directives and settings that define how the server behaves. Within nginx.conf, you can control access by specifying which IP addresses are allowed or denied.

The changes we are going to make should be tested in a safe environment first, to prevent accidentally blocking legitimate traffic or causing service disruptions.

Blocking a Single IP Address

As a start, you will learn how to block a single IP address from accessing your website:

location / {
    deny 192.168.1.100;
    allow all;
}

This code should be added within the server block of your NGINX configuration file. After adding this directive, save the file and test the configuration with nginx -t. If the test is successful, reload NGINX to apply the changes:

systemctl reload nginx

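This denies access to the specific IP address, 192.168.1.100, while allowing all other traffic. NGINX checks allow and deny rules in the order they appear and stops at the first match, so the deny line must come before allow all.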

Blocking a List of IP Addresses

To block multiple IP addresses, repeat the deny directive for each IP:

location / {
    deny 192.168.1.100;
    deny 192.168.1.101;
    deny 10.0.0.1;
    allow all;
}

After making these additions, save the configuration file, test the changes, and reload NGINX as before.

Using an Include File for IP Blacklisting

For better organization and easier management, you can store all blocked IPs in a separate file and include it in your main NGINX configuration. Create a file named blocked_ips.conf and add each IP address you want to block:

deny 192.168.1.100;
deny 192.168.1.101;
deny 10.0.0.1;

Include this file in the location block of your server configuration.

location / {
    include /etc/nginx/blocked_ips.conf;
    allow all;
}

Remember to replace /etc/nginx/ with the actual path to your include file. Then test and reload NGINX.
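A malformed or hostile entry in the source list (for example one carrying its own semicolon and an extra directive) would be copied straight into the configuration if the include file were built by plain text concatenation. The following added example, which is not part of the original tutorial, generates the contents of blocked_ips.conf from raw entries and validates each one first. The function name and the sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the tutorial's addresses plus entries that must not
# reach the config (a directive-injection attempt and a non-address).
SAMPLE = [
    "192.168.1.100",
    "192.168.1.101",
    "10.0.0.1",
    "10.0.0.1  # duplicate",
    "10.0.0.2; allow all",
    "not-an-ip",
    "2001:db8::/32",
]

def build_deny_file(entries):
    """Return (config_text, rejected_entries) for raw blocklist entries."""
    nets = {4: [], 6: []}
    rejected = []
    for raw in entries:
        item = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not item:
            continue
        try:
            # strict=False normalises host bits, e.g. 10.0.0.1/8 -> 10.0.0.0/8
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            rejected.append(raw)  # anything that is not an address or CIDR
            continue
        nets[net.version].append(net)
    lines = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        # Merges duplicates and adjacent ranges (.100 and .101 become a /31).
        for net in ipaddress.collapse_addresses(nets[version]):
            single = net.num_addresses == 1
            target = str(net.network_address) if single else str(net)
            lines.append(f"deny {target};")
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    text, bad = build_deny_file(SAMPLE)
    print(text, end="")
    print("rejected:", bad)
```

Write the returned text to the include file, then run nginx -t before reloading, as described above.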

Advanced Blocking Techniques

Besides straightforward IP blocking, NGINX offers conditional blocking using variables and the map directive for more complex scenarios. For example, here’s how to block a request only if a certain condition, such as a user-agent or a query string, is met. Note that map blocks belong in the http context, outside the server block.

If you want to block access to users with a specific user-agent, you can do the following:

map $http_user_agent $blocked_agent {
    default 0;
    ~*malicious 1;
}

server {
    if ($blocked_agent) {
        return 403;
    }
}

In this instance, any user-agent that contains the word ‘malicious’ is blocked. The ~* signifies a case-insensitive match.

Similarly, to block based on query strings:

map $args $blocked_args {
    default 0;
    ~*badargument 1;
}

server {
    if ($blocked_args) {
        return 403;
    }
}

The map block will set $blocked_args to 1 if ‘badargument’ is found in the query string. Inside the server block, you can then block the request by returning a 403 Forbidden error.

Using GeoIP Modules for Enhanced IP Blocking

For larger-scale IP management tasks, NGINX’s GeoIP module can come in handy by allowing you to block or allow IPs based on geographical regions. This module is particularly useful to avoid country-based attacks or to adhere to geo-restriction policies.

To use the GeoIP module, first ensure it is installed and enabled in your NGINX setup. You can then define blocks by country in your configuration:

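# Placeholder path: point this at your GeoIP country database.
geoip_country /path/to/GeoIP.dat;

map $geoip_country_code $geo_block {
    default 0;
    countries_to_block 1;
}

server {
    if ($geo_block) {
        return 403;
    }
}

Here, countries_to_block would be replaced by actual country codes of the countries you wish to block, one two-letter code per line. The geoip_country directive loads the country database and sets $geoip_country_code, which the map block translates into $geo_block. (The geo directive matches client IP addresses and CIDR ranges, not country codes.)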

Testing and Monitoring

Remember to monitor your website’s access logs after implementing IP blocks. Not only will this confirm that the intended IPs are being blocked, but it will also allow you to spot any unintentionally blocked traffic. The monitoring will also feed critical information for fine-tuning your IP blocking strategy.
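The check described above can be scripted. The following added example, which is not part of the original tutorial, compares an access log against the deny list and reports three cases: listed addresses that received 403, listed addresses that were still served, and 403 responses sent to addresses that are not on the list. The log lines and blocklist text are constructed samples, and the log is assumed to use NGINX's default combined format.

```python
import ipaddress
import re

# Constructed contents of blocked_ips.conf (the tutorial's example addresses).
BLOCKLIST = "deny 192.168.1.100;\ndeny 192.168.1.101;\ndeny 10.0.0.1;\n"

# Constructed access-log lines in nginx's default "combined" format.
ACCESS_LOG = '''\
192.168.1.100 - - [19/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/8.4.0"
10.0.0.1 - - [19/Jan/2024:10:00:02 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [19/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
DENY = re.compile(r'^\s*deny\s+([^;\s]+)\s*;')

def load_denied(conf_text):
    """Parse 'deny <address|CIDR>;' lines into network objects."""
    denied = []
    for match in filter(None, map(DENY.match, conf_text.splitlines())):
        try:
            denied.append(ipaddress.ip_network(match.group(1), strict=False))
        except ValueError:
            pass  # e.g. 'deny all;' has no address to compare against
    return denied

def audit(log_text, denied):
    """Sort each logged request by whether the blocklist behaved as intended."""
    report = {"blocked": [], "leaked": [], "unexpected_403": []}
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # first field is not an IP address; skip the line
        status = int(match.group(2))
        listed = any(ip in net for net in denied)
        if listed and status == 403:
            report["blocked"].append(str(ip))           # block works
        elif listed:
            report["leaked"].append((str(ip), status))  # listed but served
        elif status == 403:
            report["unexpected_403"].append(str(ip))    # 403 from another rule
    return report

if __name__ == "__main__":
    print(audit(ACCESS_LOG, load_denied(BLOCKLIST)))
```

A leaked entry can mean the request matched a location that does not include the deny file, since the include shown earlier sits inside location / only.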

Mitigating False Positives and Maintaining Access Controls

While blocking IPs can enhance security, false positives can occur. To mitigate this, consider using a more granular approach, such as rate limiting instead of outright blocking, or combine blocking with real-time analysis tools. Additionally, maintaining an updated list of blocked IPs and reviewing it regularly will help to avoid any unwarranted access denial.

Conclusion

In conclusion, NGINX offers several methods for blocking individual or lists of IP addresses, from simple single-line deny statements to more complex conditional and geographical blocks. By following the steps in this tutorial and employing prudent monitoring, you can effectively manage access to your web server and enhance your site’s security.