How to deny POST to a url in nginx

Question

Some of the SQL-heavy URL on my app (say /members) are being attacked by botnets. So I'd like to disable anybody to post to these URL, while allowing others to GET them.

I tried to make a nested loop like this:

if ($request_uri ~ .*members^)  {

   if ($request_method = POST ) {
         return 444;
     }
}

But nginx does not accept this.

I also tried this directive

location ~ "^/members$" {
    if ($request_method ~ ^(POST)$ ) {       
        return 444;
    }
}

but this one deny GET too.

So left clueless and appreciate your help.

I know. I also tried with request_method = POST. It made no difference. — Jand, Oct 18 '14 at 02:23
if is evil ... See this : https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ — jmcollin92, Jun 21 '16 at 06:27

score 10 · Answer 1 · answered Oct 17 '14 at 21:31

10

Try this:

location ^~ /members {
  limit_except GET {
    deny  all;
  }
}

Deny all requests except GET.

answered Oct 17 '14 at 21:31

Glueon

3,664
2
24
32

This has the same effect as my second config, i.e. denies both GET and POSTs. – Jand Oct 18 '14 at 02:08
6

No it doesn't. Post your **whole** configuration. – Xavier Lucas Oct 18 '14 at 05:32
Works perfectly for me – jmcollin92 Jun 21 '16 at 06:26

How to deny POST to a url in nginx

1 Answers1

Linked