NGINX restrict IP addresses based on $arg

Question

With nginx how do I restrict to certain IP addresses based on regexp of $args

eg

for https://somewhere.invalid/login the URI location

location /login {
    allow 1.2.3.4;
    deny all;
}

makes sense

but how do I allow /login to all but restrict by IP where $args = "person=super"

eq https://somewhere.invalid/login?person=super

nginx does not allow "allow" statements in "if" blocks.

location /login {
    allow all;
    if ( $args ~ /person=super/ ) {
        allow 1.2.3.4;
        deny all;
    }
}

Does it make any difference if the location block / is a proxy_pass ?

score 0 · Accepted Answer · answered Oct 05 '21 at 10:25

As documentation says allow and deny directives cannot be used in the if context. Allowed contexts are http, server, location and limit_except. However you can achieve the same behavior with two map blocks checking $arg_person and $remote_addr variable values:

map $arg_person $deny {
    super    $checkip;
    # default value will be an empty string
}
map $remote_addr $checkip {
    1.2.3.4  '';
    # you can add other allowed IPs here
    default  1;
}

server {
    ...
    location /login {
        if ($deny) { return 403; }
        ...
    }
}

NGINX restrict IP addresses based on $arg

1 Answers1

Linked