access-control: Advanced access control based on variables

Debian/Ubuntu installation

These docs apply to the APT package nginx-module-access-control provided by the GetPageSpeed Extras repository.

1. Configure the APT repository as described in APT repository setup.
2. Install the module:

sudo apt-get update
sudo apt-get install nginx-module-access-control

Show suites and architectures

| Distro   | Suite             | Component   | Architectures   |
|----------|-------------------|-------------|-----------------|
| debian   | bookworm          | main        | amd64, arm64    |
| debian   | bookworm-mainline | main        | amd64, arm64    |
| debian   | trixie            | main        | amd64, arm64    |
| debian   | trixie-mainline   | main        | amd64, arm64    |
| ubuntu   | focal             | main        | amd64, arm64    |
| ubuntu   | focal-mainline    | main        | amd64, arm64    |
| ubuntu   | jammy             | main        | amd64, arm64    |
| ubuntu   | jammy-mainline    | main        | amd64, arm64    |
| ubuntu   | noble             | main        | amd64, arm64    |
| ubuntu   | noble-mainline    | main        | amd64, arm64    |

---

Name

A custom Nginx module for advanced access control based on variables.

Table of Content

• Name
• Status
• Synopsis
• Installation
• Directives
• access
• access_deny_status
• Author
• License

Status

This Nginx module is currently considered experimental. Issues and PRs are welcome if you encounter any problems.

Synopsis

server {
    listen 80;
    server_name example.com;

    # Allow access if $var2 is non-empty and not zero. The allowed request will no longer match the remaining access control rules.
    access allow $var1;

    # Deny access if $var1 is non-empty and not zero
    access deny $var2;

    location / {
        # Your other configurations
    }

    location /restricted {
        # Override deny status code
        access_deny_status 404;

        # Deny access if $var3 is non-empty and not zero
        access deny $var3;
    }
}

Directives

access

Syntax: access [allow|deny] variable;

Default: -

Context: http, server, location

The access directive defines an access control rule based on a variable. The variable is evaluated at runtime, and if it is non-empty and not zero, the rule is considered matched.

allow: Allows access if the condition is met. The allowed request will no longer match the remaining access control rules. deny: Denies access if the condition is met.

access_rules_inherit

Syntax: access_rules_inherit off | before | after;

Default: access_rules_inherit off;

Context: http, server, location

determines whether and how access control rules from previous level are applied in the current configuration context. It accepts three values:

off: do not inherit any access rules from previous level, unless no access directive is defined at the current level. before: apply access rules of previous level before the access rules of current level. after: apply access rules of previous level after the access rules of current level.

access_deny_status

Syntax: access_deny_status code;

Default: access_deny_status 403;

Context: http, server, location

Sets the HTTP status code to return in response when access is denied by a deny rule.