Chapter 7. Security Controls

7.0 Introduction

Security is done in layers, and there must be multiple layers to your security model for it to be truly hardened. In this chapter, we go through many different ways to secure your web applications with NGINX. You can use many of these security methods in conjunction with one another to help harden security.

You might notice that this chapter does not touch upon the ModSecurity 3.0 NGINX module, which turns NGINX into a web application firewall (WAF). To learn more about the WAF capabilities, download the ModSecurity 3.0 and NGINX: Quick Start Guide.

Please note, the NGINX ModSecurity WAF for NGINX Plus is transitioning to End-of-Life (EoL) effective March 31, 2024. For more information, please read the “F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life” blog post.

7.1 Access Based on IP Address

Problem

You need to control access based on the IP address of the client.

Solution

Use the HTTP or stream access module to control access to protected resources:

location /admin/ {
  deny 10.0.0.1;            # block this single host even though it sits inside the allowed range
  allow 10.0.0.0/20;        # permit the rest of 10.0.0.0 - 10.0.15.255
  allow 2001:0db8::/32;     # permit the IPv6 documentation prefix
  deny all;                 # everything else gets a 403
}

The given location block allows access from any IPv4 address in 10.0.0.0/20 except 10.0.0.1, allows access from IPv6 addresses in the 2001:0db8::/32 subnet, and returns a 403 for requests originating from any other address. The allow and deny directives are valid within the http, server, and location contexts, as well as in the stream and server contexts for TCP/UDP. Rules are ...
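To make the first-match-wins behaviour of the access module concrete, here is an added example (not from the book or from NGINX itself) that replays the /admin/ rule list above against sample client addresses and reports the status NGINX would return. The rule list, the sample addresses and the evaluate/audit helper names are constructed for this illustration.

```python
"""Added example (not from the NGINX Cookbook): an evaluator that applies an
ordered list of NGINX-style allow/deny rules to client addresses using the
first-match-wins semantics of ngx_http_access_module."""
import ipaddress

# Constructed rule list mirroring the /admin/ location block on this page, in order.
ADMIN_RULES = [
    ("deny", "10.0.0.1"),
    ("allow", "10.0.0.0/20"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]

def _parse_rule(action, target):
    """Turn a rule target into an ip_network, or None for the keyword 'all'."""
    if target == "all":
        return action, None
    # strict=False tolerates host bits in the prefix, as NGINX does.
    return action, ipaddress.ip_network(target, strict=False)

def evaluate(rules, client_ip):
    """Return 200 if client_ip is allowed, 403 if denied.
    Rules are checked in the order given; the first matching rule decides."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in (_parse_rule(a, t) for a, t in rules):
        if net is None or (addr.version == net.version and addr in net):
            return 200 if action == "allow" else 403
    # No rule matched: the access module allows the request by default.
    return 200

def audit(rules, client_ips):
    """Map each client address to its resulting status, for reviewing a rule set."""
    return {ip: evaluate(rules, ip) for ip in client_ips}

if __name__ == "__main__":
    # Constructed sample clients: inside/outside the ranges and the single denied host.
    samples = ["10.0.0.1", "10.0.5.7", "10.0.16.1", "2001:db8::1", "2001:db9::1", "192.0.2.10"]
    for ip, status in audit(ADMIN_RULES, samples).items():
        print(f"{ip:>14} -> {status}")
```

Swapping the first two rules lets 10.0.0.1 through, which is why the specific deny must precede the broader allow.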
