Restrict file and directory access

Apache

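To restrict access to a directory, use the Directory directive. The example below denies all clients except those in 192.168.1.0/24 or the core.com domain. Order, Deny, Allow and Satisfy are Apache 2.2 directives; Apache 2.4 provides them only through mod_access_compat and replaces them with Require.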

<Directory "/var/www/directory">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from .core.com
</Directory>

To restrict a file, use the Files directive:

# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

To limit the scope of enclosed directives by URL, use the Location directive:

<Location /admin>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from .core.com
</Location>

Nginx

The Apache .htaccess is comparable to the server{} block in Nginx, but Nginx has a much more lightweight approach to parsing configuration, and it will not scan site directories for additional configurations.

Multiple directories can be restricted in one location entry; deny all gives a 403:

...
location ~ /(dir1|dir2|dir3) {
   deny all;
   return 404;
}
...

To allow public access to a /data/public directory and execution of PHP scripts in it while denying public access to its subdirectories, put the PHP location in a separate file called php.conf and include that file both in the server block and in the /data/public/ block.

The config:

server {
    location ^~ /data/public/ {
        allow all;
        # $args forwards the original query string to index.php
        try_files $uri $uri/ /index.php?$args;
        # include to avoid writing it twice..
        include php.conf;
    }

    location ^~ /data/ { 
        deny all; 
    }

    # .....
    # Some other config blocks
    # .....

    # This line instead of the php config block to avoid writing the php part twice
    include php.conf;
}

And the php.conf file:

location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
}
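
Why php.conf has to be included inside the /data/public/ block as well: the ^~ modifier stops Nginx from checking the server-level regex locations, so without the nested include a .php file under /data/public/ would be handled as a static file instead of being passed to PHP. The following is an added example, not part of the original configuration. It is a simplified Python model of Nginx location selection (no named locations, no locations nested inside regex locations, no URI normalization); the outcome labels and sample URIs are constructed.

```python
import re

# Constructed model of the configuration above: (modifier, pattern, outcome, nested).
PHP = ("~", r"\.php$", "php", [])                      # php.conf
SERVER = [
    ("^~", "/data/public/", "public", [PHP]),          # include php.conf inside
    ("^~", "/data/", "deny", []),
    PHP,                                               # include php.conf in server
]
# The same server block without the nested include, for comparison.
NO_NESTED_INCLUDE = [("^~", "/data/public/", "public", []), SERVER[1], PHP]


def find(uri, locations):
    """Return (outcome, final); final means an exact or regex match ended the search."""
    for mod, pat, outcome, _ in locations:
        if mod == "=" and uri == pat:
            return outcome, True
    prefixes = [l for l in locations if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    chosen = None
    if best is not None:
        inner, final = find(uri, best[3])              # nested locations first
        chosen = inner if inner is not None else best[2]
        if final:
            return chosen, True
        if best[0] == "^~":                            # skip this level's regexes
            return chosen, False
    for mod, pat, outcome, _ in locations:             # regexes in file order
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return outcome, True
    return chosen, False


def select(uri, locations=SERVER):
    """Outcome label of the location that would handle uri (None: no location)."""
    return find(uri, locations)[0]


if __name__ == "__main__":
    for uri in ("/data/public/app.php", "/data/public/logo.png",
                "/data/private/dump.php", "/data/notes.txt", "/index.php"):
        print(f"{uri:26} with include: {select(uri):7}"
              f" without: {select(uri, NO_NESTED_INCLUDE)}")
```

Running it shows /data/public/app.php reaching the PHP location only when php.conf is included in the nested block, while everything else under /data/ stays on the deny all location.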