access_deny_status
The access_deny_status directive sets the HTTP status code returned when access is denied by the access control rules.
Description
The access_deny_status directive is used in the NGINX advanced access control module to specify a particular HTTP status code that should be returned when a deny rule is triggered. By default, this status code is set to 403, which indicates that the server understands the request but refuses to authorize it. However, this directive allows administrators to customize the response code, offering flexibility to configure appropriate responses based on their application logic or requirements.
To use the access_deny_status directive, it can be placed within the http, server, or location contexts. This means that it can define the response status on a global level, specific to a server block, or even narrower within a location block. When a deny rule is matched, NGINX checks the configured deny status code and returns that to the client instead of the default 403, providing a way to better communicate what happened (e.g., using 404 for not found, or 401 for unauthorized access).
It's important to remember that if multiple access control rules are applied, the first matching deny rule will trigger the response with the configured status code. This behavior emphasizes the need for careful structuring of rules to attain the desired control flow.
Config Example
server {
listen 80;
server_name example.com;
location /restricted {
access_deny_status 404;
access deny $var1;
}
}Ensure that access_deny_status is placed correctly within the relevant context (http, server, location); otherwise, it may have no effect.
Changing the status code may affect client-side handling of responses, so test thoroughly to ensure proper behavior.
Be cautious of conflicting access rules that may lead to unexpected results or overridden responses.