allow without deny

When a configuration block contains allow directive with some IP address or subnet, it most likely should also contain deny all; directive (or it should be enforced somewhere else). Otherwise, there's basically no access limitation.

Bad Example

location / {
      root /var/www/;
      allow 10.0.0.0/8;
      . . .
}

Good Example

location / {
      root /var/www/;
      allow 10.0.0.0/8;
      deny all;
      . . .
}