Two important directives are brought up by this module: allow and deny. They let you allow or deny access to a resource for a specific IP address or IP address range.
Both directives have the same syntax: allow IP | CIDR | unix: | all, where IP is an IP address, CIDR is an IP address range (CIDR syntax), unix: represents all UNIX domain sockets, and all specifies that the directive applies to all clients:
location {
allow 127.0.0.1; # allow local IP address
allow unix:; # allow UNIX domain sockets
deny all; # deny all other IP addresses
}
Note that rules are processed from the top down: if your first instruction is deny all, all possible allow exceptions that you place afterwards will have no effect. The opposite is also true; if you start with allow all, all possible deny directives that you place afterwards will have no effect, as you already allowed all IP addresses.