Restricting access to your site with Nginx

IP filtering, password protection, and request blocking — all in one place.

Controlling who can reach what on your server is a fundamental part of running a secure web application. Nginx gives you a solid toolkit for this: simple IP-based rules, HTTP Basic Auth, combined access policies, and more.

Pro-tip

On VPS and dedicated servers you have full control over your Nginx configuration and can apply any of the methods described below.

1. Blocking access to sensitive directories

To prevent direct access to directories like .svn that have no business being public:

# The dot is escaped so the pattern matches a literal ".svn" directory only
location ~ /\.svn/ {
    deny all;
}

2. IP-based access control

Use allow and deny to build a whitelist for specific parts of your site:

location /server-status {
    allow 111.111.111.111;
    allow 11.11.11.11;
    deny all;
}

Only the listed IPs get through — everyone else is turned away.

3. Password protection (HTTP Basic Auth)

Need to put a login prompt in front of a private section? This is the straightforward way:

location /admin/ {
    auth_basic "Enter password to access";
    auth_basic_user_file /etc/nginx/basic.auth;
}

4. Combined protection: IP allowlist + password

The satisfy any directive lets a visitor through if they pass either check — trusted IP or valid credentials. Useful when you want your team to get in without a password, but still give access to others who know it:

location /admin/ {
    satisfy any;
    allow 111.111.111.111;
    allow 11.11.11.11;
    deny all;

    auth_basic "Enter password to access";
    auth_basic_user_file /etc/nginx/basic.auth;
}
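
The outcomes of satisfy any are easiest to compare with the default satisfy all as a table of results. The Python model below is an added example, not part of the original article or of Nginx itself; the function names and the unlisted address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

# Rules from the /admin/ block above, in the order nginx checks them.
RULES = [("allow", "111.111.111.111"), ("allow", "11.11.11.11"), ("deny", "all")]


def ip_allowed(client_ip, rules=RULES):
    """First matching allow/deny rule wins (hypothetical helper)."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    # Assumption of this model: the list ends in a catch-all such as "deny all".
    raise ValueError("rule list must end with 'allow all' or 'deny all'")


def access_status(client_ip, creds_valid, satisfy="all", rules=RULES):
    """Result of the access checks: 200 (let through), 401 or 403.

    creds_valid is False when credentials are missing or wrong.
    """
    ip_ok = ip_allowed(client_ip, rules)
    if satisfy == "any":
        if ip_ok or creds_valid:
            return 200
        # Both checks failed: the 401 from auth_basic wins over the 403,
        # so the client gets a password prompt.
        return 401
    # satisfy all (the nginx default): the IP rules are checked first.
    if not ip_ok:
        return 403
    return 200 if creds_valid else 401


def matrix(satisfy):
    """Outcome for each listed/unlisted IP and valid/invalid credential pair."""
    # 203.0.113.7 is a constructed address that is not on the allow list.
    clients = {"listed": "111.111.111.111", "unlisted": "203.0.113.7"}
    return {(name, ok): access_status(ip, ok, satisfy)
            for name, ip in clients.items() for ok in (True, False)}


if __name__ == "__main__":
    for mode in ("any", "all"):
        for (name, ok), status in matrix(mode).items():
            print(f"satisfy {mode}  ip={name:8}  creds_valid={ok!s:5}  -> {status}")
```

With satisfy any, a listed IP is never asked for a password; removing that line (or writing satisfy all) makes the same block require both a listed IP and valid credentials.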

5. Return 404 for missing static files

Prevent Nginx from leaking information about your server structure by returning a clean 404 for any static file that doesn't actually exist on disk:

location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
    try_files $uri =404;
}

6. Redirect based on IP

You can redirect visitors conditionally depending on where their request is coming from:

location / {
    if ($remote_addr != 111.111.111.111) {
        return 301 https://$host$request_uri;
    }
}

Every request except those coming from 111.111.111.111 is redirected to https://$host$request_uri.

7. Brute force protection with iptables

For an extra layer of defense at the network level, you can use iptables to temporarily block IPs that hammer your server with too many new connections:

iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --set
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --update --seconds 120 \
    --hitcount 360 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT

This drops any IP that opens more than 360 new connections within a 120-second window.

Applying your changes

After editing the Nginx config, reload the service to apply your changes without dropping active connections:

systemctl reload nginx
# or
service nginx reload
