
Hey,

Noticed something odd with my nginx setup recently, and can't debug what's going on, so hoping someone has some ideas.

Deny just isn't denying.

To test it, I've created a nice simple server block:

server {
    listen [::]:80;
    server_name test.whatevz.net;
    access_log /var/log/nginx/test.whatevz.net/access.log;
    error_log /var/log/nginx/test.whatevz.net/error.log;
    root /srv/test.whatevz.net/;
    index index.php;

    location / {
        deny all;
    }
}

And yet, as you can see for yourself, it serves up index.php happily.

I'm really quite stumped and would love some advice for what to do here.

I have another nginx setup where I've done the same test, and it denies as expected, so there must be something local in my config causing this.

cheers,

/ Brett

On 26 February 2013 10:22, Brett Pemberton <brett.pemberton@gmail.com> wrote:
> server {
>     listen [::]:80;

Depending on how IPV6_V6ONLY is set (default is /proc/sys/net/ipv6/bindv6only and can be changed per application), the above might only be listening for IPv6 connections. So if you are trying to connect to IPv4 you might be connecting to something else.

Check with "ss -an" or "netstat -n --tcp -a" and see if there is a separate socket listening for IPv4 connections.

If there is only one listener, it is IPv6, and it accepts IPv4 connections, then I am on the wrong track entirely.

--
Brian May <brian@microcomaustralia.com.au>
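Brian's check, as an added example that is not part of the thread: a small POSIX sh script that classifies the LISTEN sockets on a port from "ss -an" / "netstat -n --tcp -a" style output, combines that with the bindv6only value, and says whether an IPv4 client can reach the port at all. The address formats it recognises and the sample output lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide from "ss -an" / "netstat -n --tcp -a"
# output plus the bindv6only sysctl whether an IPv4 client can reach a port.
# Assumes the local-address column looks like the constructed samples below.

# addr_family ADDR: print v6 for :::80 / [::]:80 style addresses, v4 otherwise.
addr_family() {
  case "$1" in
    *::*|\[*\]:*) echo v6 ;;   # :::80 (older ss, netstat), [::]:80 (newer ss)
    *)            echo v4 ;;   # 0.0.0.0:80, *:80, 192.0.2.10:80
  esac
}

# listening_families PORT < OUTPUT: prints "v4 v6", "v4", "v6" or "" (nothing listening).
listening_families() {
  awk -v p=":$1" '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (p "$")) print $i }' |
    while read -r a; do addr_family "$a"; done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# ipv4_reachable PORT BINDV6ONLY < OUTPUT: prints yes/no with the reason.
ipv4_reachable() {
  fams=$(listening_families "$1")
  case " $fams " in
    *" v4 "*) echo "yes: separate IPv4 listener on port $1" ;;
    *" v6 "*) if [ "$2" = 0 ]; then
                echo "yes: IPv6 listener accepts IPv4 (bindv6only=0)"
              else
                echo "no: only an IPv6 listener and bindv6only=1"
              fi ;;
    *)        echo "no: nothing listening on port $1" ;;
  esac
}

# Constructed sample in the shape Brett pasted: only an IPv6 any-address listener on :80.
V6_ONLY='LISTEN 0 128 :::80 :::*
tcp6 0 0 :::80 :::* LISTEN'
# Constructed sample of a separate IPv4 and IPv6 listener (listen 80; listen [::]:80;).
BOTH='LISTEN 0 128 *:80 *:*
LISTEN 0 128 :::80 :::*'

for v6only in 0 1; do
  printf 'bindv6only=%s, v6 only: ' "$v6only"; printf '%s\n' "$V6_ONLY" | ipv4_reachable 80 "$v6only"
  printf 'bindv6only=%s, both   : ' "$v6only"; printf '%s\n' "$BOTH"    | ipv4_reachable 80 "$v6only"
done
```

On a live box, pipe the real "ss -an" output in and pass the current value of /proc/sys/net/ipv6/bindv6only as the second argument.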

On Tue, Feb 26, 2013 at 10:45 AM, Brian May <brian@microcomaustralia.com.au> wrote:
> On 26 February 2013 10:22, Brett Pemberton <brett.pemberton@gmail.com> wrote:
>> server {
>>     listen [::]:80;
>
> Depending on how IPV6_V6ONLY is set (default is /proc/sys/net/ipv6/bindv6only and can be changed per application), the above might only be listening for IPv6 connections.

Yeah, I had a lot of trial and error with that part of nginx, perhaps I left things in a state that isn't quite correct.

> So if you are trying to connect to IPv4 you might be connecting to something else.
>
> Check with "ss -an" or "netstat -n --tcp -a" and see if there is a separate socket listening for IPv4 connections.

LISTEN 0 128 :::80 :::*
tcp6 0 0 :::80 :::* LISTEN

> If there is only one listener, it is IPv6, and it accepts IPv4 connections, then I am on the wrong track entirely.

On Tue, Feb 26, 2013 at 10:45 AM, Brian May <brian@microcomaustralia.com.au> wrote:
> On 26 February 2013 10:22, Brett Pemberton <brett.pemberton@gmail.com> wrote:
>> server {
>>     listen [::]:80;
>
> Depending on how IPV6_V6ONLY is set (default is /proc/sys/net/ipv6/bindv6only and can be changed per application), the above might only be listening for IPv6 connections.

To try and eliminate IPv6 as an issue, I created test2.whatevz.net which is just an A record. The nginx server block is identical. Same issue.

I'm sure it's hitting that block, because if I issue a 'return 403' after the 'deny all', then as expected you now get a 403.

It just doesn't deny without the return afterwards, which breaks other deny sections where I can't do that.

/ Brett