Nginx is a robust and secure web server widely used to power websites and web applications. However, direct IP access to the server can pose significant security risks if left unblocked. This guide provides step-by-step instructions on how to effectively block direct IP access, ensuring your Nginx web server is safeguarded against unauthorized access and potential security breaches.
For example, suppose your website, itsmeit.co, has the IP address 134.24.149.46. When users enter 134.24.149.46 directly into their browser, they can still access your website. While this is possible, it poses security risks, in particular by exposing the server to DDoS attacks aimed at the bare IP. To improve security and prevent unauthorized IP access, follow the steps below to block direct access by IP address in Nginx.
Nginx Security: Block Direct IP Access
Step 1: Create a New Nginx Configuration File
Log in to your server via SSH and create a new configuration file, for instance block_direct_access_ip.conf.
sudo nano /etc/nginx/sites-available/block_direct_access_ip.conf
Add the following content to the file:
server {
    listen 80 default_server;
    # default_server is per socket: without it on the IPv6 socket, the first site
    # defined for [::]:80 would answer direct-IP requests over IPv6
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl http2 default_server;
    # ssl is also per listen directive; a bare "listen [::]:443;" would speak plain HTTP on the TLS port
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/public.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    return 444;
}
Explanation:
- The configuration listens on both HTTP and HTTPS ports and blocks any direct access by IP address by returning the HTTP status code 444 (a non-standard code that tells Nginx to close the connection without sending a response).
- The configuration also sets up SSL, ensuring that even HTTPS access is blocked unless it’s via the official domain.
Step 2: Generate SSL Certificates for HTTPS Authentication
For the above configuration to work properly, you need SSL certificates (public.crt and private.key). If you don’t have any, you can generate a self-signed pair with the following command (create the /etc/nginx/ssl directory first if it does not exist):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/private.key -out /etc/nginx/ssl/public.crt
Alternatively, you can use Certbot to automatically generate SSL certificates for your domain. Certbot provides an easy way to configure and manage SSL certificates with Nginx.
Step 3: Link the New Configuration and Restart Nginx
Now, link the new configuration file to Nginx and restart the service to apply the changes:
sudo ln -s /etc/nginx/sites-available/block_direct_access_ip.conf /etc/nginx/sites-enabled/; sudo service nginx restart
Test the Configuration
After applying these changes, try entering your server’s IP address directly into the browser. Because status 444 closes the connection without a response, the browser should show a connection error (for example an empty reply) instead of your website. This indicates that direct IP access has been successfully blocked.
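Beyond the browser check, the following added Python script (example code, not part of the original guide) audits an Nginx configuration text for the properties this guide relies on: every listen socket, IPv4 and IPv6 alike, must have a default_server that returns 444, and every 443 listen must carry ssl. It is a minimal hand-rolled parser rather than nginx itself, and the sample configuration is constructed here from the guide's catch-all blocks as originally written plus one ordinary site, so the IPv6 gaps show up in the findings.

```python
import re

# Added example, not code from the original guide: a small audit that parses an nginx
# config and reports listen sockets lacking a catch-all (default_server + return 444).
# Mini-parser only: ignores "include" and directives inside nested blocks (location ...).
def parse_servers(conf):
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    servers, stack, i = [], [], 0
    while i < len(tokens):
        stmt = []
        while i < len(tokens) and tokens[i] not in ("{", "}", ";"):
            stmt.append(tokens[i])
            i += 1
        if i == len(tokens):
            break
        sym, i = tokens[i], i + 1
        if sym == "{":
            stack.append(stmt[0] if stmt else "")
            if stmt and stmt[0] == "server":
                servers.append({"listen": [], "return": None})
        elif sym == "}":
            stack.pop()
        elif stack and stack[-1] == "server" and stmt:  # directive directly in server {}
            if stmt[0] == "listen":
                servers[-1]["listen"].append(stmt[1:])
            elif stmt[0] == "return":
                servers[-1]["return"] = stmt[1]
    return servers

def socket_key(addr):
    return "*:" + addr if addr.isdigit() else addr  # "listen 80" means "listen *:80"

def audit_catchall(conf):
    """Findings: sockets with no 444 default_server, and 443 listens missing 'ssl'."""
    covered, findings = {}, []
    for srv in parse_servers(conf):
        for args in srv["listen"]:
            key = socket_key(args[0])
            catchall = "default_server" in args and srv["return"] == "444"
            covered[key] = covered.get(key, False) or catchall
            if key.endswith(":443") and "ssl" not in args:
                findings.append(f"{key}: listen on 443 without 'ssl'")
    findings += [f"{k}: no default_server returning 444" for k, ok in covered.items() if not ok]
    return sorted(findings)

# Constructed input: the guide's two catch-all blocks (as first written) plus one real vhost.
PAGE_CONF = """
server { listen 80 default_server; listen [::]:80; server_name _; return 444; }
server { listen 443 ssl http2 default_server; listen [::]:443; server_name _;
         ssl_certificate /etc/nginx/ssl/public.crt; return 444; }
server { listen 80; listen [::]:80; server_name itsmeit.co; return 301 https://$host$request_uri; }
"""
```

Run `audit_catchall(open("/etc/nginx/sites-enabled/block_direct_access_ip.conf").read())` against your own file; an empty list means every socket has its 444 catch-all.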
Why This Is Important
Blocking direct IP access is crucial for several reasons:
- Preventing DDoS attacks: By ensuring that your server is only accessible through the official domain, you reduce the chances of DDoS attacks targeting your server via direct IP.
- Protecting sensitive data: With direct IP access blocked, malicious users cannot bypass your domain’s security settings, reducing the chances of data breaches.
- Improving overall security: It adds an additional layer of security by ensuring that your web traffic is always routed through trusted domain names with SSL encryption.
By following these steps, you can effectively block direct IP access to your Nginx web server and enhance your website’s security. Using SSL certificates ensures that your connections are encrypted, protecting data integrity and preventing unauthorized access. Additionally, using tools like Certbot to manage SSL certificates simplifies the process and ensures your server is always up to date with the latest security protocols.
This configuration ensures that your server only accepts requests from the official domain, helping to prevent malicious traffic and securing your server from potential attacks. Regular monitoring and maintaining these configurations are essential for a secure and robust web environment.