Restrict Access by IP Address Using Nginx
Password authentication is not always enough to keep sensitive information secure from prying eyes. Areas such as control panels, phpMyAdmin and other admin-type interfaces should have an extra layer of security in a production environment.
Attackers can exploit weak passwords or software vulnerabilities in the areas listed above to gain unauthorised access and cause havoc or steal data.
Enter IP-based restriction
For example, if you have a Magento site and its admin area is at /admin/ (this should always be changed anyway, but let's roll with it for this example), you should limit access to it to your own IP or to the IPs of all the administrators. For this purpose, open the corresponding server block. The default server block for Nginx is
server configuration part in
In the above, please make sure to replace 10.0.0.2 with your IPs. Similarly, you can allow access for other IPs or even networks by changing the network mask (/24).
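A location block of the kind described here, as an added example rather than the post's own listing. The host name, the 192.0.2.0/24 network and the try_files line are assumptions; only /admin/ and 10.0.0.2 come from the text.

```nginx
# Added example: IP-based restriction for the /admin/ area.
server {
    listen 80;
    server_name example.com;        # placeholder host name (assumption)

    # Prefix match: applies to /admin/ and everything beneath it.
    location /admin/ {
        # Rules are evaluated top to bottom and the first match wins,
        # so every "allow" line must appear before "deny all".
        allow 10.0.0.2;             # a single administrator address
        allow 192.0.2.0/24;         # a whole network, 192.0.2.0 to 192.0.2.255 (constructed)
        deny  all;                  # everyone else receives 403 Forbidden

        # Assumption: pass permitted requests on the same way your
        # existing "location /" does; adjust to match your site.
        try_files $uri $uri/ /index.php$is_args$args;
    }
}

# allow/deny compare against the address of the connecting peer.
# Behind a reverse proxy or load balancer that is the proxy's address,
# so every visitor would match (or fail) the same rule. In that setup
# configure ngx_http_realip_module (set_real_ip_from, real_ip_header)
# for the trusted proxy only, so the rules see the real client address.
#
# Validate before applying: sudo nginx -t
```

Note that a mask widens the rule to every host in that network, so use a bare address when only one machine should get in.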
Always test your configuration
ALWAYS check your configuration before reloading nginx. ALWAYS!
For such settings to take effect you will have to reload Nginx again with the command:
Now if you try to access the /admin/ part of your site with a browser outside of the allowed IP address ranges, you will get an error. This error will be 403 Forbidden (unless you have changed this error to 404 Not Found). At the same time you will see the error code in the error log with the command:
sudo tail -f /var/log/nginx/error.log
The access forbidden error will show like this: