How to restrict access to specific friendly URL by IP in Wordpress site?

How to restrict access to specific friendly URL by IP in Wordpress site?

Joergi
Hi!
I've got a server with nginx and a wordpress website running on it.

On the web-site, I have a wordpress page, i.e. domain.com/secret-page/, that
I want to restrict access to everybody but 1 specific IP address of my other
server.

As this page is not a real physical directory, but just a friendly URL - I
got stuck. I don't have previous experience configuring nginx, but I tried
hard to google the possible solution.

What I tried so far in my website config:
[code]
location ~* ^/secret-page/ {
allow 1.1.1.1;
deny all;
}
[/code]

But this didn't work. It returns 404 error when I try to open this page from
allowed IP. Looks like it tried to find the real file or directory
/secret-page/ rather than return a friendly URL page if I got it right.

Can you help me please?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274314,274314#msg-274314

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Alex Samad
wouldn't you use

location /secret-page/ {
  # rules are checked in order and the first match wins, so allow comes first
  allow 1.1.1.1/32;
  deny all;
}

a

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Igal @ Lucee.org
In reply to this post by Joergi
Hello,

On 5/19/2017 12:24 AM, ohmykot wrote:
What I tried so far in my website config:
[code]
location ~* ^/secret-page/ { 
allow 1.1.1.1; 
deny all; 
}
[/code]

But this didn't work. It returns 404 error when I try to open this page from
allowed IP. Looks like it tried to find the real file or directory
/secret-page/ rather than return a friendly URL page if I got it right.

I assume that you mean rewritten URL when you say Friendly URL?  Please paste your rewrite rule for that location.

But in general I think that you should remove the rewrite rule for that location, and add the following:

Assuming that you mean a secret directory rather than page, add alias or root directive, e.g.
location ~* ^/secret-page/ { 
  
  allow 1.1.1.1; 
  deny all; 

  alias       /path/to/physical/secret-dir/;
}

If it really is a single page then try:

location = /secret-page/ {

  allow 1.1.1.1;
  deny all;

  # try_files needs a fallback as its last argument
  try_files /path/to/physical/file =404;
}

Igal Sapir
Lucee Core Developer
Lucee.org


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
In reply to this post by Alex Samad
My experience with deny in nginx is the url isn't hidden. That is I think a crawler will see the "secret" location. Can you set this up for the 444 code, that is no reply?

Rethinking this, I suppose if the webserver has no traversal issues, I guess this would be secure. But it wouldn't surprise me if some bot looks for /secret.


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
I've used this for traversal tests, but my experience is the false positive rate is very high. I ended up writing some rules to filter the test.

https://github.com/wireghoul/dotdotpwn

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Alex Samad
In reply to this post by lists@lazygranch.com

On 20 May 2017 at 08:00, <[hidden email]> wrote:
My experience with deny in nginx is the url isn't hidden


So you don't want to just restrict access but you want to send a 404 not found unless they come from a specific ip address.

I think you should be able to ... but my nginx skills are not that good for now.. :)


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Igal @ Lucee.org
On 5/19/2017 3:14 PM, Alex Samad wrote:

On 20 May 2017 at 08:00, <[hidden email]> wrote:
My experience with deny in nginx is the url isn't hidden

So you don't want to just restrict access but you want to send a 404 not found unless they come from a specific ip address.

"deny" by default will return 403.  If you want to return 404 instead you can do something like the following:

### return 404 for requests to /404.internal
location =  /404.internal { internal; }

### send 403 to /404.internal to return 404 code instead
error_page  403 =404 /404.internal;

Of course, if you have a custom 404 page you can use it instead of the /404.internal, but this is a simple way that doesn't rely on any additional resources.

Igal Sapir
Lucee Core Developer
Lucee.org


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
In reply to this post by Alex Samad
Beats me. I thought the 404 is what you get with the deny access. I'm sure my nginx skills are worse than yours. ;-)

At one time I had a long list of deny addresses on nginx, but nginx does some processing before finally denying access. I ended up just doing blanket denials in the firewall, with the assumption that the firewall, being essentially legacy code, is more efficient. 

I use a map to block requests like /usr and other Unix directories. I'm assuming they are looking for installations where the web root is in a poor location. I've also seen /backup. All that crude hacking shows up as 404s. I seriously doubt these jerks hit pay dirt.  

I'm assuming /secret is just a placeholder. I would use a password generator to create a high entropy phrase. (I've been getting blogger referrals that employ the high entropy phrase making them essentially impossible to filter unless you want to block all referrals from blogger.)

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
In reply to this post by Igal @ Lucee.org
I would return nothing, that is the 444 code. 

I have scripts that process access.log for 444, then see if they come from locations without eyeballs such as data centers, VPS, etc. The entire IP space then goes in the firewall block. 

Your typical sysadmin on forums rants that I will end up blocking the entire world, but I can go days without seeing an IP that is not from an ISP. That is, my blocking list is very effective.

I get about a hundred IPs a day doing mischief, with 99.99% looking to hack WordPress, which I don't even run. Most of the hits report a user agent rev of Firefox that never existed. 

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Igal @ Lucee.org
On 5/19/2017 3:44 PM, [hidden email] wrote:
I would return nothing, that is the 444 code.

There is no such thing as the "444" code.  It is an arbitrary number that was chosen because it is not used by the http specs.  You might as well use 456, 499, or anything that is not defined.


Igal Sapir
Lucee Core Developer
Lucee.org


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com

https://httpstatuses.com/444

A non-standard status code used to instruct nginx to close the connection without sending a response to the client, most commonly used to deny malicious or malformed requests.

This status code is not seen by the client, it only appears in nginx log files.





Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Igal @ Lucee.org
On 5/19/2017 4:02 PM, [hidden email] wrote:


A non-standard status code used to instruct nginx to close the connection without sending a response to the client, most commonly used to deny malicious or malformed requests.

This status code is not seen by the client, it only appears in nginx log files.


I stand corrected.  Here's a better reference:
http://nginx.org/en/docs/http/request_processing.html


Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
Well this is interesting. Since this situation should never happen (I think) in real life, should this code be always implemented? Any downsides?
--------

If requests without the “Host” header field should not be allowed, a server that just drops the requests can be defined:

server {
    listen      80;
    server_name "";
    return      444;
}

Here, the server name is set to an empty string that will match requests without the “Host” header field, and a special nginx’s non-standard code 444 is returned that closes the connection.

Since version 0.8.48, this is the default setting for the server name, so the server_name "" can be omitted. In earlier versions, the machine’s hostname was used as a default server name.

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Aleksandar Lazic
In reply to this post by Joergi
On Fri, 19 May 2017 03:24:43 -0400,
"ohmykot" <[hidden email]> wrote:

> Hi!
> I've got a server with nginx and a wordpress website running on it.

What's the output of nginx -V?

> On the web-site, I have a wordpress page, i.e.
> domain.com/secret-page/, that I want to restrict access to everybody
> but 1 specific IP address of my other server.
>
> As this page is not a real physical directory, but just a friendly
> URL - I got stuck. I don't have previous experience configuring
> nginx, but I tried hard to google the possible solution.
>
> What I tried so far in my website config:
> [code]
> location ~* ^/secret-page/ {
> allow 1.1.1.1;
> deny all;
> }
> [/code]

Where is this code in the nginx conf?

What's in the error log?

Can you try to run the debug log?
http://nginx.org/en/docs/debugging_log.html
And then the error log output would be interesting.

In some distributions it is necessary to run nginx-debug instead of
nginx.


Regards
Aleks
Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Joergi
In reply to this post by Igal @ Lucee.org
Thanks for your answer.

I meant that I need to restrict access to single wordpress page (there is a
secret form there).
/secret-page/ - is a permalink of the page, rewritten URL managed by
wordpress.

To make it work I used general config for wordpress I found on DigitalOcean
guide
server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /var/www/html;
        index index.php index.html index.htm;

        server_name your_domain.com;

        location / {
                # try_files $uri $uri/ =404;
                try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/html;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274314,274368#msg-274368

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Francis Daly
In reply to this post by Joergi
On Fri, May 19, 2017 at 03:24:43AM -0400, ohmykot wrote:

Hi there,

in nginx, one request is handled in one location, and only the config in
(or inherited into) that location applies.

> On the web-site, I have a wordpress page, i.e. domain.com/secret-page/, that
> I want to restrict access to everybody but 1 specific IP address of my other
> server.

> location ~* ^/secret-page/ {
> allow 1.1.1.1;
> deny all;
> }

If the request is for /secret-page/ and is handled in that location{},
you have no explicit how-to-handle-it configuration, so the default
"serve it from the filesystem" will be used.

Assuming that you want that to be handled just like every other request,
you could add

  try_files $uri $uri/ /index.php?q=$uri&$args;

in the location{}, and it will do what you asked for.

Note: this will restrict a request for /secret-page/, but not a request
for /index.php?q=/secret-page/

The second one there is possibly functionally equivalent to the first;
if you want to restrict that as well, it would be more work in nginx.


As an aside, it may be clearer to use

  location ^~ /secret-page/

instead of

  location ~* ^/secret-page/

The meanings are not identical, depending on what else is in the config
file and where it is.

http://nginx.org/r/location for the details on what the various squiggles
mean.

Good luck with it,

        f
--
Francis Daly        [hidden email]
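
The thread's pieces put together in one server block, as an added example that is not any poster's own configuration: the restricted location with its try_files handler, the ^~ modifier, and the 403-to-404 mapping. It reuses the paths and socket from the server block posted earlier in the thread and the thread's placeholder address 1.1.1.1.

```nginx
# Added example (not from the thread). Paths, socket and server_name are the
# ones from the config posted above; 1.1.1.1 is the thread's placeholder IP.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www/html;
    index index.php index.html index.htm;
    server_name your_domain.com;

    # Everything else: normal WordPress permalink handling.
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # The restricted permalink. "^~" is a prefix match that also stops nginx
    # from trying regex locations (such as "~ \.php$") for this prefix.
    location ^~ /secret-page/ {
        allow 1.1.1.1;   # rules are checked in order, first match wins
        deny  all;

        # Without this line the location has no handler and nginx looks for
        # /var/www/html/secret-page/ on disk, which is the 404 in the question.
        try_files $uri $uri/ /index.php?q=$uri&$args;

        # Optional: answer denied clients with 404 instead of the default 403.
        error_page 403 =404 /404.internal;
    }

    # Target of the error_page above; nothing exists at this path, so it 404s.
    location = /404.internal {
        internal;
    }

    # The internal redirect from try_files ends up here. The allow/deny rules
    # above were applied to the original request only; a request sent
    # directly to /index.php?q=/secret-page/ is NOT covered by them.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
```

Check the file with `nginx -t` before reloading, then request /secret-page/ from both an allowed and a non-allowed address to confirm the two outcomes.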
Re: How to restrict access to specific friendly URL by IP in Wordpress site?

lists@lazygranch.com
If the secret page is on a different subdomain, could it be restricted to one IP?




Re: How to restrict access to specific friendly URL by IP in Wordpress site?

Francis Daly
On Mon, May 22, 2017 at 04:51:47PM -0700, [hidden email] wrote:

Hi there,

> If the secret page is on a different subdomain, could it be restricted to one IP?

Yes, a separate server{} block could restrict all access to a single
source IP.

You would want to make sure separately that this page is not available
in Wordpress from the first server{}.

Good luck with it,

        f
--
Francis Daly        [hidden email]