Nginx - Additional Modules, Limits and Restrictions

Source: Internet
Author: User

The following modules allow you to regulate access to the documents of your websites: require users to authenticate, match a set of rules, or simply restrict access to certain visitors.

Auth_basic Module

The auth_basic module enables the Basic authentication functionality. With the two directives that it reveals, you can make it so that a specific location of your website (or your server) is restricted to users who authenticate using a username and password:

location /admin/ {
    auth_basic "Admin Control Panel";
    auth_basic_user_file Access/password_file;
}

The first directive, auth_basic, can be set to either off or a text message, usually referred to as the authentication realm. This message is displayed by web browsers in a username/password box when a client attempts to access the protected resource.

The second one, auth_basic_user_file, defines the path of the password file relative to the directory of the configuration file. A password file is formed of lines respecting the following syntax: username:password[:comment]. The password must be encrypted with the crypt(3) function, for example, using the htpasswd command-line utility from Apache.

If you aren't too keen on installing Apache on your system just for the sake of the htpasswd tool, you may resort to online tools, as there are plenty of them available. Fire up your favorite search engine and type "online htpasswd".
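Whichever tool produced the file, it is worth checking what actually ended up in it. The following is an added example, not part of the original page: a small Python audit of the username:password[:comment] lines that reports the hash scheme of each entry and flags plaintext, unsalted and truncating schemes. The sample file, user names and hashes are constructed for illustration.

```python
import re

# Constructed sample file: users and hashes are made up, shaped like real entries.
SAMPLE = """\
# admin area accounts
alice:$apr1$Zx81kQp0$w3J8m1VbY2nT5cR7sL9uA/:site admin
bob:{PLAIN}hunter2
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:rl0uE7vNeq.aM
erin:$6$Qw7ePz1k$placeholderhash
no-separator-here
"""

# (pattern, label, weak?) - checked in order; $id$ support depends on the system's crypt(3)
SCHEMES = [
    (r"\{PLAIN\}", "plaintext", True),
    (r"\{SHA\}", "unsalted SHA-1", True),
    (r"\{SSHA\}", "salted SHA-1", False),
    (r"\$apr1\$", "Apache MD5 (apr1)", False),
    (r"\$[0-9a-z]+\$", "crypt(3) modular format", False),
    (r"[./0-9A-Za-z]{13}$", "traditional DES crypt (8-char limit)", True),
]

def audit(text):
    """Return (line_no, user, label, weak) for every non-comment line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":", 2)              # username:password[:comment]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            findings.append((no, None, "malformed line", True))
            continue
        for pattern, label, weak in SCHEMES:
            if re.match(pattern, parts[1]):
                findings.append((no, parts[0], label, weak))
                break
        else:
            findings.append((no, parts[0], "unrecognised hash format", True))
    return findings

if __name__ == "__main__":
    for no, user, label, weak in audit(SAMPLE):
        print(f"line {no}: {user or '?'}: {label} -> {'REVIEW' if weak else 'ok'}")
```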

Access

Two important directives are brought up by this module: allow and deny. They let you allow or deny access to a resource for a specific IP address or IP address range. Both directives have the same syntax: allow IP | CIDR | all, where IP is an IP address, CIDR is an IP address range (CIDR syntax), and all specifies that the directive applies to all clients:

location / {
    allow 127.0.0.1; # Allow local IP address
    deny all; # Deny all other IP addresses
}

Note that rules are processed from the top down: if your first instruction is deny all, all possible allow exceptions that you place afterwards will have no effect. The opposite is also true: if you start with allow all, all possible deny directives that you place afterwards will have no effect, as you already allowed all IP addresses.
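The ordering rule is easy to test before a configuration goes live. The following is an added example, not part of the original page: a Python model of first-match evaluation for allow/deny rules, run against the rule set above, the same rules reversed, and a range-based set. The rule lists and client addresses are constructed; the model assumes, as the access module does, that a client matching no rule is not blocked.

```python
import ipaddress

def decide(rules, client):
    """Return (verdict, matching_rule) for a client address.

    rules is an ordered list of (action, target) pairs as written in the
    configuration; target is an IP, a CIDR range or the keyword "all".
    """
    addr = ipaddress.ip_address(client)
    for action, target in rules:
        if target == "all":
            return action, (action, target)
        net = ipaddress.ip_network(target, strict=False)
        # An IPv4 rule never matches an IPv6 client and vice versa.
        if addr.version == net.version and addr in net:
            return action, (action, target)
    return "allow", None    # no rule matched: the access module does not block

# The page's rule set, the same rules in the wrong order, and a range with an exception
PAGE_RULES = [("allow", "127.0.0.1"), ("deny", "all")]
REVERSED = [("deny", "all"), ("allow", "127.0.0.1")]
OFFICE = [("deny", "192.168.1.77"), ("allow", "192.168.1.0/24"), ("deny", "all")]

if __name__ == "__main__":
    for name, rules, client in [
        ("page", PAGE_RULES, "127.0.0.1"),
        ("page", PAGE_RULES, "::1"),          # IPv6 loopback is not 127.0.0.1
        ("reversed", REVERSED, "127.0.0.1"),  # allow is never reached
        ("office", OFFICE, "192.168.1.77"),   # exception listed before the range
        ("office", OFFICE, "192.168.1.20"),
    ]:
        print(name, client, decide(rules, client))
```

Note the second case: a local client that connects over IPv6 is denied by the page's rule set, because only the IPv4 loopback address is allowed.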

Limit Connections

The mechanism induced by this module is a little more complex than regular ones. It allows you to define the maximum number of simultaneous connections to the server for a specific zone.

The first step is to define the zone using the limit_conn_zone directive:

    • Directive syntax: limit_conn_zone $variable zone=name:size;
    • $variable is the variable that will be used to differentiate one client from another, typically $binary_remote_addr, the IP address of the client in binary format (more efficient than ASCII)
    • name is an arbitrary name given to the zone
    • size is the maximum size allocated to the table storing session states

The following example defines zones based on the client IP addresses:

limit_conn_zone $binary_remote_addr zone=myzone:10m;

Now that you have defined a zone, you may limit connections using limit_conn:

limit_conn zone_name connection_limit;

When applied to the previous example it becomes:

location /downloads/ {
    limit_conn myzone 1;
}

As a result, requests that share the same $binary_remote_addr are subject to the connection limit (one simultaneous connection). If the limit is reached, all additional concurrent requests will be answered with a 503 Service Unavailable HTTP response. If you wish to log client requests that are affected by the limits you have set, enable the limit_conn_log_level directive and specify the log level (info | notice | warn | error).

Limit Request

In a similar fashion, the Limit Request module allows you to limit the number of requests for a defined zone.

Defining the zone is done via the limit_req_zone directive; its syntax differs from that of the equivalent limit_conn_zone directive:

limit_req_zone $variable zone=name:max_memory_size rate=rate;

The directive parameters are identical, except for the trailing rate: expressed in requests per second (r/s) or requests per minute (r/m). It defines a request rate that will be applied to clients where the zone is enabled. To apply a zone to a location, use the limit_req directive:

limit_req zone=name burst=burst [nodelay];

The burst parameter defines the maximum possible bursts of requests: when the number of requests received from a client exceeds the limit defined in the zone, the responses are delayed in a manner that respects the rate that you defined. To a certain extent, only a maximum of burst requests will be accepted simultaneously. Past this limit, Nginx returns a 503 Service Unavailable HTTP error response:

limit_req_zone $binary_remote_addr zone=myzone:10m rate=2r/s;
[...]
location /downloads/ {
    limit_req zone=myzone burst=10;
}

If you wish to log client requests that are affected by the limits we have set, enable the limit_req_log_level directive and specify the log level (info | notice | warn | error).
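To see what rate=2r/s with burst=10 does to a flood from one client, the following added example (not part of the original page, and not Nginx's own code) models the leaky-bucket accounting for a single key in Python. It is a simplified model: time is in milliseconds, only one client key is tracked, and the arrival times are constructed.

```python
def simulate(arrivals_ms, rate_per_s=2, burst=10, nodelay=False):
    """Return [(arrival_ms, status, delay_ms)] for one client key.

    excess is counted in thousandths of a request: it drains at rate_per_s
    requests per second and every accepted request adds 1000.
    """
    excess, last, results = 0, None, []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0                      # first request from this key
        else:
            new_excess = max(0, excess - rate_per_s * (now - last) + 1000)
        if new_excess > burst * 1000:
            results.append((now, 503, 0))       # rejected, state left unchanged
            continue
        excess, last = new_excess, now
        # Without nodelay the request waits until the bucket has drained enough.
        delay = 0 if nodelay else new_excess // rate_per_s
        results.append((now, 200, delay))
    return results

def summary(results):
    """Return (accepted, rejected, longest delay in ms among accepted)."""
    accepted = [r for r in results if r[1] == 200]
    return len(accepted), len(results) - len(accepted), max(r[2] for r in accepted)

# Constructed traffic: 15 requests at the same instant, then one a second later.
FLOOD = [0] * 15 + [1000]

if __name__ == "__main__":
    for arrival, status, delay in simulate(FLOOD):
        print(f"t={arrival:>4}ms status={status} delay={delay}ms")
    print("delayed :", summary(simulate(FLOOD)))
    print("nodelay :", summary(simulate(FLOOD, nodelay=True)))
    print("no burst:", [s for _, s, _ in simulate([0, 0, 500], burst=0)])
```

In this model the first request plus ten queued ones are accepted from the initial flood, the queued ones being held back up to five seconds, and the remaining four receive 503; nodelay removes the waiting but not the rejections.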
