nginx block file extension

NGINX Block File Extension

Sometimes you may need to block certain file types from being requested on your site. It is because malicious bots and scripts send unnecessary requests to websites, just to understand what kind of files they contain, and exploit known vulnerabilities in them. In this article, we will look at how to block file extension in NGINX.

NGINX Block File Extension

Here is how to block file extension in NGINX server.

1. Open NGINX configuration

Open terminal and run the following command to open NGINX configuration file.

$ sudo vi /etc/nginx/nginx.conf

2. Block file extension & types

Let us say you want to block requests to .php URLs on your site. Add the following location block to do so.

location ~ (\.php$) {
    return 404;

In the above code, NGINX will automatically detect requests to .php files and return “404:page not found” response.

You may also return 403:Access Forbidden instead but it tells the bot/hacker that the page exists but they are not allowed, encouraging them to try something else. If you return 404, they won’t know if the page actually exists or not.

location ~ (\.php$) {
    return 403;

Let us say you run a PHP site and want to block requests to .py, .perl, .asp, .jsp extensions which are irrelevant to your site. In such cases update the location block as follows.

location ~ (\.jsp$|\.asp$|\.py$|\.perl$) {
    return 404;

Using the pipe ‘|’ operator, you can combine multiple file extensions at one go.

3. Restart NGINX server

Test NGINX configuration file for errors

$ sudo nginx -t

If you don’t get any error messages, restart NGINX server to apply changes.

$ sudo service nginx restart

That’s it. In this article, we have looked at how to block file extensions using NGINX.

This is a common problem in almost all websites. Hackers will send requests to files with different types of extensions, such as .php, .py, .perl, etc to understand the platform you are using to run your website. Once they understand the file types on your website, they start looking for common weaknesses to exploit them. For example, they might send request for .php files and once your site responds to any of these requested URLs, they will try different attacks to bring down your php website.

The second problem is that even if your website is built on a different platform such as python/ruby, if a bot or hacker requests a .php URL, it will hit your application server. So they can bring down your application server by sending too many such requests and cause denial of service. That is why it is important to block requests to irrelevant file types on your site.

The above steps will help you fix these problems easily. Now, when someone requests an irrelevant file extension on your site, NGINX will deal with it effectively, without allowing the request to hit your application server.

Also read:

How to Deploy React App in NGINX
How to Monitor NGINX Log File using Ngxtop
How to Install Apache Tomcat with NGINX
How to Install OpenOffice in Ubuntu
How to Install KeepAlived in CentOS

Leave a Reply

Your email address will not be published. Required fields are marked *