Restricting access to one controller of an MVC app with Nginx

Question

I have an MVC app where one controller needs to be accessible only from several ips(this controller is an oauth token callback trap - for google/fb api tokens). My conf looks like this:

geo $oauth { default 0; 87.240.156.0/24 1; 87.240.131.0/24 1; } server { listen 80; server_name some.server.name.tld default_server; root /home/user/path; index index.php; location /oauth { deny all; if ($oauth) { rewrite ^(.*)$ /index.php last; } } location / { if ($request_filename !~ "\.(phtml|html|htm|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|xlsx)$") { rewrite ^(.*)$ /index.php last; break; } } location ~ \.php$ { fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; include fastcgi_params; } } 

It works, but does not look right.

The following seems logical to me:

 location /oauth { allow 87.240.156.0/24; deny all; rewrite ^(.*)$ /index.php last; } 

But this way rewrite happens all the time, allow and deny directives are ignored. I don't understand why...

Answer 1

The reason it always rewrites is because the rewrite directive is evaluated during the rewrite phase, which is before the access phase, where allow and deny are evaluated. Their order of appearance in the file does not matter. You can resolve this two ways: either don't use rewrite in location /oauth to send the request to your front controller, or handle the source ip during the rewrite phase. You already do the latter in your working config, but it can be made a little clearer:

geo $oauth_denied { default 1; 87.240.156.0/24 0; 87.240.131.0/24 0; } server { ... location /oauth { if ($oauth_denied) { return 403; } rewrite ^ /index.php last; } ... } 

or:

server { ... # include at server level so they're inherited by locations include fastcgi_params; location /oauth { allow 87.240.156.0/24; deny all; # try_files will change $uri so all the params work try_files /index.php =404; fastcgi_pass unix:/var/run/php5-fpm.sock; } ... }