Sometimes you may need to block access to certain URLs on your website, for example when bots and hackers frequently request them even though they do not exist on your site. Since every request to a non-existent URL can hit your application server and increase its load, too many requests to a single URL can bring your server down. In this article, we will look at how to block URL access in NGINX.
NGINX Block URL Access
Here are the steps to block URL access in NGINX.
1. Open NGINX configuration file
Open terminal and run the following command to open NGINX configuration file.
$ sudo vi /etc/nginx/nginx.conf
2. Block URL Access in NGINX
Let us say your website is built on Python or Ruby and you find that you are receiving too many requests to /wp-login.php, which is not present on your website. In that case, add the following location block inside the server block for your website.
location ~ /wp-login\.php$ { return 404; }
In the above code, NGINX matches the requested URL /wp-login.php and returns a 404: Page not found response.
You may also return a 403: Access forbidden response, but it will tell the bot/hacker that the page exists and they are not allowed to access it, encouraging them to try something else.
location ~ /wp-login\.php$ { return 403; }
In both cases, the request will be dealt with by NGINX, without allowing it to hit your application server.
If you want to block multiple URLs such as /wp-login.php and /wp-admin.php, then you can use the pipe (|) operator to combine them.
location ~ /wp-(login|admin)\.php$ { return 404; }
Similarly, if your website is built on Ruby and you find that it receives too many requests to .php, .py, etc. URLs that are completely irrelevant but increase server load unnecessarily, then you can block all requests ending with .php, .jsp, etc. as shown.
location ~ (\.php$|\.jsp$|\.asp$|\.perl$) { return 404; }
3. Restart NGINX Server
Run the following command to test NGINX configuration.
$ sudo nginx -t
If the configuration test passes, restart the NGINX server.
$ sudo service nginx restart
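The rules from step 2 placed in a complete server block, as an added example that is not part of the original article. The server name example.com and the upstream address 127.0.0.1:8000 are placeholders, and the case-insensitive `~*` modifier is a variation on the article's `~`.

```nginx
# Constructed example: example.com and 127.0.0.1:8000 are placeholders.
server {
    listen 80;
    server_name example.com;

    # Regex locations are tested in the order they appear and, when one
    # matches, it is used instead of the plain prefix match "location /".
    # These requests are therefore answered by NGINX and never proxied.

    # "~" is case-sensitive, so /WP-LOGIN.PHP would slip past it.
    # "~*" matches regardless of case.
    location ~* /wp-(login|admin)\.php$ {
        return 404;
    }

    # Same extension list as the article, written with one shared "\." and "$".
    location ~* \.(php|jsp|asp|perl)$ {
        return 404;
    }

    # Everything else goes to the application server.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }
}
```

Location matching is done on the request path without the query string, so /wp-login.php?redirect=1 is also caught by the first rule.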
That’s it. As you can see, it is very easy to block URL access in NGINX.
In this article, we have described a simple way to fix a common problem for website administrators. Very often, you’ll find pre-programmed bots sending requests to .php URLs even when your website is not built using PHP. They may also request URLs present in popular website frameworks just to guess your website’s technology stack. Once they get a response, they start exploiting the framework’s vulnerabilities.
Also, sometimes they simply flood your website with unnecessary requests, increasing server load and bringing it down. This can cause a denial of service.
The above steps will help you fix these problems. Now when someone requests these blocked URLs, NGINX will not allow them to hit your application server and will instead return a response on its own, thereby protecting your website.
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.