nginx.conf snippets

Code snippets for nginx.conf configuration files

Blocking

Block IP address

Block single IP address

To block access to a certain IP address from accessing the website (or a directory), use deny.

To block a single IP from accessing the entire website, use deny inside the server {} block directive:

server {
    deny 10.20.30.40;
}

To block a single IP from accessing a certain directory, use deny inside the location {} block directive:

location /mydirectory {
    deny 10.20.30.40;
}

Block multiple IP address

To block access to multiple IP addresses from accessing the website (or a directory), use deny for each IP address.

To block a multiple IP address from accessing the entire website, use deny inside the server {} block directive:

server {
    deny 10.20.30.40;
    deny 20.30.40.50;
    deny 30.40.50.60;
}

To block a single IP from accessing a certain directory, use deny inside the location {} block directive:

location /mydirectory {
    deny 10.20.30.40;
    deny 20.30.40.50;
    deny 30.40.50.60;
}

Block IPv6 address

To block access to a certain IPv6 address, use deny inside the server {} block directive:

server {
    deny fd98:47f0:2e63:83d7:XXXX:XXXX:XXXX:XXXX;
}

Block user-agent

To block a specific user-agent, use the $http_user_agent parameter with the exact user-agent value inside a server {} block directive:

server {
    if ($http_user_agent ~ (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36)) {
        return 403;
    }
}

Matching options for $http_user_agent can be case sensitive or case insensitive:

  • $http_user_agent ~ (user_agent_value_goes_here) is case sensitive. Notice the ~.
  • $http_user_agent ~* (user_agent_value_goes_here) is case insensitive. Notice the ~*.

Deny

Deny access to a directory

To deny access to a specific directory, use deny inside a location {} block directive specifying the directory:

server {
    location /resources {
        deny all;
    }
}

Deny access to a specific file

To deny access to a specific file, ie. /secret.pdf, use deny inside a location {} block directive specifying the directory:

server {
    location /secret.pdf {
        deny all;
        return 404;
    }
}

Prevent

Prevent hotlinking

To prevent hotlinking to static files such as images ( .png, .jpg etc.), update your nginx.conf to return HTTP error code 403 if the referrer is not your own website:

server {
    location ~ .(gif|png|jpe?g)$ {
        valid_referers none blocked mydomain.com *.mydomain.com;
        if ($invalid_referer) {
            return 403;
        }
    }
}

Replace mydomain.com with your own domain.

Prevent hotlinking with exceptions

To prevent hotlinking to any static files such as images ( .png, .jpg etc.) from any domains except yours and Google (for example), use the same approach as above:

server {
    location ~ .(gif|png|jpe?g)$ {
        valid_referers none blocked mydomain.com *.mydomain.com ~\.google\.;

        if ($invalid_referer) {
            return 403;
        }
    }
}

Replace mydomain.com with your own domain.

Force

Force www (redirect non-www to www)

To force a redirect from non-www to www, use the return 301 parameter:

server {
    server_name mydomain.com;
    return 301 $scheme://www.mydomain.com$request_uri;
}

Replace mydomain and .com accordingly.

Force non-www (redirect www to non-www)

To force a redirect from www to non-www, use the return 301 parameter:

server {
    server_name www.mydomain.com;
    return 301 $scheme://mydomain.com$request_uri;
}

Replace mydomain and .com accordingly.

Force HTTPS

To force HTTPS (ie. https://), use the return 301 parameter:

server {
    listen 80;
    server_name mydomain.com;
    return 301 $scheme://mydomain.com$request_uri;
}

Replace mydomain and .com accordingly.

Note that listen 80; is mandatory as you redirect http:// over to https://.

Redirect

Redirect to a new domain

To redirect a domain to a different domain while keeping the URLs intact, use the rewrite parameter inside the server {} block directive:

server {
    server_name mydomain.com;
    rewrite ^ http://myotherdomain.com$request_uri? permanent;
}

Replace mydomain, myotherdomain and .com accordingly.

Redirect to a single page of a new domain

To redirect a domain and all its URLs to a single page of a new domain, use the rewrite parameter inside the server {} block directive:

server {
    server_name mydomain.com;
    rewrite ^ http://myotherdomain.com/mypage permanent;
}

Replace mydomain, myotherdomain, mypage .com accordingly.

Rename

Rename .php to .html

To redirect all website URLs that end with .php to .html, use the rewrite parameter inside the server {} block directive:

server {
    location ~ \.php$ {
        if (!-f $request_filename) {
            rewrite ^(.*)\.php$ $1.html permanent;
        }
    }
}

Remove

Remove extensions (.html, .htm, .php) from URLs

To remove a file extension extension (.html, .htm) from URLs, use the rewrite parameter inside the server {} block directive:

server {
    location / {
        try_files $uri/ $uri.html $uri.php$is_args$query_string;
    }
}

Remove trailing slash

To force website domain URLs to not end with a trailing slash, ie. mydomain.com/about/, use the rewrite parameter to redirect the URL from a URL with ending slash ( mydomain.com/about/) to a URL without an ending slash ( mydomain.com/about).

server { 
    listen 80; 
    server_name mydomain.com;
    rewrite ^/(.*)/$ /$1 permanent; 
}

Replace mydomain and .com accordingly.

Remove trailing slash for specific URL

To remove the trailing slash only for a specific URL, you can use the same rewrite parameter:

server { 
    listen 80; 
    server_name mydomain.com;
    rewrite ^/mypage/$ /mypage permanent; 
}

Replace mydomain, mypage and .com accordingly.