Nginx – Deny all gets overridden by another location block


location /_private {
    deny    all;

location ~ \.php$ {
    # Workaround PHP vulnerability:
    try_files   $uri =404;

    include /etc/nginx/fastcgi_params;
    keepalive_timeout 0;

    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass    unix:/tmp/php.socket;

I would like to deny access to everything, that's in _private directory.
When I try to access _private/a, I get 403 error, like supposed to. But when I try to access _private/b.php, the deny all part is completely ignored.

Best Answer

Make your /_private location take precedence over the regex match:

location ^~ /_private {

That's it.

The nginx documentation has good information on which location block will apply to a given request. To quote:

  1. Directives with the "=" prefix that match the query exactly. If found, searching stops.
  2. All remaining directives with conventional strings. If this match used the "^~" prefix, searching stops.
  3. Regular expressions, in the order they are defined in the configuration file.
  4. If #3 yielded a match, that result is used. Otherwise, the match from #2 is used.