Nginx wp-admin access control


Nginx wp-admin access control

Lawrence
Greetings All,

To start, I am very much a beginner to nginx and coding. I am an application support engineer, but have very little development skills.
I hope that there is someone out there that can guide me through this maze.

I have searched the web and have seen multiple solutions but none seem to work exactly how I want it to work.

My nginx server setup, I am running and managing the config for nginx from the /etc/nginx/nginx.conf file

I have 5 separate sites under sites-enabled.
Each site has its own config file where I have tried to manage and block access to my two WordPress sites on wp-admin/wp-login.

The sites www.atlantic-kids-academy.com and www.hockeysticks4clubs.com are running on WordPress.

The issue I have is that literally thousands of attempts are made on the site every day trying to access wp-admin or wp-login.

My goal is to have the sites available but the access to all wp admin must be limited.
Below are a few of the solutions I found. None seem to work fully. I assume it is my understanding of nginx configuration.

method #1 -- tested unsuccessfully.
URL:
https://graspingtech.com/block-access-wordpress-admin-area-nginx/


location ~ \.php$ {
  # Nested block for the login script. The original pattern was "\wp-login.php$";
  # in a regex "\w" is a word-character class (it happens to match the "w"), so the
  # intended literal path is written out and the dot escaped here.
  location ~ /wp-login\.php$ {
    # allow/deny test the address nginx sees ($remote_addr); behind a CDN or
    # reverse proxy the realip module has to be configured first, or every
    # request appears to come from the proxy and is denied.
    allow 192.168.1.11;
    deny all;
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  include fastcgi.conf;
  fastcgi_intercept_errors on;
  fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}


method #2 -- tested unsuccessfully.
URL
https://websiteforstudents.com/block-access-wordpress-wp-admin-via-nginx-ubuntu-17-04-17-10/


location ~ ^/(wp-admin|wp-login\.php) {
    try_files $uri $uri/ /index.php?$args;
    index index.html index.htm index.php;
    allow 68.66.XX.111;
    deny all;
    error_page 403 = @wp_admin_ban;
    # Note: this block has no fastcgi_pass, so a .php request that lands here
    # is served as a plain file rather than executed.
}

location @wp_admin_ban {
    rewrite ^(.*) https://example.com permanent;
}

# Must be an exact ("=") match: a plain prefix location is only used when no
# regex location matches, and the regex above does match this path, so the
# original "location /wp-admin/admin-ajax.php" was never selected.
location = /wp-admin/admin-ajax.php {
    allow all;
    # needs the same fastcgi handling as the other .php requests
}

method #3 -- tested and not fully functional. The issues that I have seen with this are listed below.
It blocks on a country level.
When opening the wp-admin page, I am first met with logging into WordPress itself, and only after that am I prompted for the .htpasswd authentication.

Any help / advice would be very much appreciated.

URL:
https://www.openprogrammer.info/2013/07/12/protecting-wp-admin-wp-login-php-nginx/


location ~ ^/(wp-login\.php) {
  auth_basic "Administrator Login";
  auth_basic_user_file /home/nginx/domains/yourlocation/private/.htpasswd;
  include /usr/local/nginx/conf/php.conf;
}

# "^~" added: without it a plain prefix location is only used when no regex
# location matches, and the ".php" catch-all below matches every script under
# /wp-admin/, so the nested blocks here would never be reached.
location ^~ /wp-admin {
  location ~ ^/(wp-admin/admin-ajax\.php) {
    include /usr/local/nginx/conf/php.conf;
  }
  location ~* /wp-admin/.*\.php$ {
    auth_basic "Administrator Login";
    auth_basic_user_file /home/nginx/domains/yourlocation/private/.htpasswd;
    include /usr/local/nginx/conf/php.conf;
  }
}

# Catch-all for every other script: only the comment form is passed to PHP,
# anything else is redirected to /. Note that /index.php, the WordPress front
# controller, matches here too and needs its own location or an exception.
location ~ .*\.(php|php4|php5|pl|py)?$ {
  location ~ ^/(wp-comments-post\.php$) {   # opening brace was missing in the original
    allow all;
    include /usr/local/nginx/conf/php.conf;
    break;
  }
  #deny all;
  rewrite ^(.*)$ / redirect;
}

Thanks
Lawrence
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Nginx wp-admin access control

Ian Hobson-3
Hi Lawrence,

I installed WP fail2ban and Wordfence Security (free version).

It doesn't stop them trying, but I run a "3 strikes and you are out for
60 minutes" regime. It means only 3-4 attempts an hour instead of
thousands.

I believe there is a plug-in that moves the wp-admin location somewhere
else as well, but I have not bothered.

Regards

Ian

On 15/04/2020 11:52, Lawrence wrote:

> [...]

--
Ian Hobson
Tel (+351) 910 418 473

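Ian's "3 strikes and you are out for 60 minutes" regime can be reproduced outside fail2ban to see what the rule actually does with a log. The following is an added Python example (it is neither fail2ban's code nor the WP fail2ban plugin's): it reads nginx `combined` access-log lines, counts a POST to /wp-login.php that returned 200 as a failed login (WordPress re-renders the form with a 200 on failure and answers a successful login with a 302 redirect, which is the heuristic the common fail2ban nginx filters rely on), and bans an address after three failures inside a findtime window for 60 minutes. The log lines are constructed for the demo; the 10-minute findtime (fail2ban's default) and the ignore list are assumptions, with 192.168.1.11 taken from method #1 in the first post. Enforcement (the firewall rule fail2ban would add) is out of scope here; the function only reports the bans the rule would impose.

```python
"""Sliding-window detector for wp-login.php brute force, run over nginx access-log lines.

Added example; neither fail2ban's code nor the WP fail2ban plugin's. It
reproduces the "3 strikes and you are out for 60 minutes" regime from the
thread in plain Python so the rule can be checked against a log file.
Failure heuristic: WordPress re-renders the login form with a 200 on a
failed login and answers a successful one with a 302 redirect, so a
POST /wp-login.php that returned 200 counts as a strike.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

MAXRETRY = 3                        # strikes before a ban
FINDTIME = timedelta(minutes=10)    # strikes must fall inside this window (fail2ban default; assumed here)
BANTIME = timedelta(hours=1)        # "out for 60 minutes"
IGNORE_IPS = {"192.168.1.11"}       # never banned; address taken from method #1 in the first post

# nginx "combined" log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one brute-forcer, one legitimate user who logs in
# on the second try, and three failures from the ignored admin address.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2020:11:50:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2020:11:50:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2020:11:50:04 +0200] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2020:11:50:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2020:11:50:06 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2020:11:50:20 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2020:11:50:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.11 - - [15/Apr/2020:11:51:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
192.168.1.11 - - [15/Apr/2020:11:51:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
192.168.1.11 - - [15/Apr/2020:11:51:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2020:13:10:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3453 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(ev: dict) -> bool:
    return ev["method"] == "POST" and ev["path"] == "/wp-login.php" and ev["status"] == 200


def detect_bans(log_text: str) -> List[Tuple[str, datetime, datetime]]:
    """Return (ip, ban_start, ban_end) for every ban the rule would impose, in log order."""
    strikes: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Tuple[str, datetime, datetime]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev) or ev["ip"] in IGNORE_IPS:
            continue
        ip, now = ev["ip"], ev["ts"]
        if ip in banned_until and now < banned_until[ip]:
            continue                      # still banned; a firewall rule would have dropped this
        window = strikes[ip]
        window.append(now)
        while window and now - window[0] > FINDTIME:
            window.popleft()              # strikes older than findtime no longer count
        if len(window) >= MAXRETRY:
            banned_until[ip] = now + BANTIME
            bans.append((ip, now, now + BANTIME))
            window.clear()                # the ban resets the counter
    return bans


if __name__ == "__main__":
    for ip, start, end in detect_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run against the sample, the brute-forcer is banned at its third strike (11:50:05), its fourth attempt a second later is ignored as already banned, the legitimate user's single failure never reaches the threshold, and the attempt at 13:10 starts a fresh count because the hour-long ban has expired.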

Re: Nginx wp-admin access control

P.V.Anthony
In reply to this post by Lawrence
On 15/4/20 6:52 pm, Lawrence wrote:

> I have 5 seperate sites under sites-enabled.
> Each site has it's own config file where I have tried to manage and
> block access to my  two wordpress sites on wp-admin/wp-login.
>
> The site www.atlantic-kids-academy.com and www.hockeysticks4clubs.com
> are running on wordpress.
>
> The issue I have is that literally thousands of attempts are made on the
> site everyday trying to access the wp-admin or wp-login

Please note that I am not an expert. Just something that I am using
currently and it works for me.

# Sends any request whose full URI (path plus query string) is exactly
# "/something?place=2" to the same path on another host. A replacement that
# starts with https:// makes nginx answer with a 302 redirect whatever flag
# is given, so "last" here behaves as a redirect, not an internal rewrite.
if ( $request_uri = "/something?place=2" ) {
    rewrite ^ https://www.example.com${uri}?${args}? last;
}

Please check with others also.

P.V.Anthony



Re: Nginx wp-admin access control

Francis Daly
In reply to this post by Lawrence
On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote:

Hi there,

> To start, I am very much a beginner to nginx and  coding. I am a application support engineer, but got very little  development skills.

I don't know WordPress; but on the nginx side, what matters is the
request that is made (the url, handled in a "location") and the way that
you want nginx to handle that request.

In nginx (in general), one request is handled in one location;
only the configuration in, or inherited into, that location
matters. Location-matching does not include the request query
string. Inheritance is per directive, and is either by replacement or
not at all. The "*_pass" directives are not inherited; the others are.

There are exceptions to this description, but it is probably a good
enough starting point to understanding the configuration that is needed.

The documentation for any directive X can be found from
http://nginx.org/r/X

> My goal is to have the sites available but the access to all wp admin must be limited.
> Below are a few of the solutions I found. None seem to work fully. I assume it is my understanding of nginx configuration.
>
> method #1  -- test unsuccessfully.

In this case, does "unsuccessful" mean: the php file is not handled
when it should be; or the php file is handled when it should not be; or
something else? In general, it is good to be specific -- what request was
made, what response was returned, and what response was wanted instead.


So, with me not knowing WordPress, your mail and some brief web searching
suggests that you want your nginx to do the following:

* allow any access to any request that ends in ".php", except
* restrict access to the request /wp-login.php and
* restrict access to any php request that starts with /wp-admin/, except
* allow any access to /wp-admin/admin-ajax.php

where "restrict" is to be based on an infrequently-changing list of IP
addresses or address ranges.

And this is in addition to the normal "try_files" config to just get
wordpress working.

Is that an accurate description of the desired request / response
handling mapping?

If so, something like (untested):

===
  include fastcgi.conf; # has fastcgi_param, etc, but not fastcgi_pass
  # Can directly paste the relevant lines here instead

  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  location ~ \.php$ {
    # nested regex: only consulted once the outer "\.php$" block has been chosen
    location ~ ^/wp-admin/ {
      allow 192.168.1.0/24;
      deny all;
      fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  # exact ("=") matches are selected before any regex location is tried
  location = /wp-login.php {
    allow 192.168.1.0/24;
    deny all;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location = /wp-admin/admin-ajax.php {
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
===

looks like it should work. There are other ways to arrange things,
and there is repetition here of the "allow" list; it may be simpler to
maintain that list twice than to use another "include" file.

If you are happy to test and report what fails, then it should be possible
to end up with a suitable config.

Good luck with it,

        f
--
Francis Daly        [hidden email]
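To make the location-selection rule Francis describes concrete, here is an added Python model of the order nginx documents for the `location` directive (exact match first, then the longest prefix, which wins outright only if marked `^~`, then regex locations in configuration order, then the remembered prefix). It is not code from the thread and not nginx's own code. It is run against method #2 from the first post, as posted, and against Francis's proposed layout; the `policy` strings are labels for what each block does and the request paths are constructed for the demo. Like nginx, the model matches on the path only and ignores the query string; it does not follow `try_files` internal redirects.

```python
"""Model of nginx's location-selection order, applied to two configs from this thread.

Added example; not code from the thread and not nginx's own code. It follows
the rules in the nginx documentation for the `location` directive:
  1. an exact ("=") location that matches ends the search at once;
  2. otherwise the longest matching prefix location is remembered, and if it
     is marked "^~" the search ends there;
  3. regex ("~" / "~*") locations are then tried in configuration order and
     the first match wins;
  4. only if no regex matches is the remembered prefix used.
Nested locations are resolved the same way inside the chosen block.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Location:
    modifier: str                 # "=", "^~", "~", "~*" or "" for a plain prefix
    pattern: str                  # literal path or regex, as written in the config
    policy: str                   # label for what the block does (demo only)
    nested: List["Location"] = field(default_factory=list)

    def matches(self, path: str) -> bool:
        if self.modifier == "=":
            return path == self.pattern
        if self.modifier in ("", "^~"):
            return path.startswith(self.pattern)
        flags = re.IGNORECASE if self.modifier == "~*" else 0
        return re.search(self.pattern, path, flags) is not None


def select(locations: List[Location], path: str) -> Optional[Location]:
    """Return the location block nginx would use for `path`, descending into nested blocks."""
    chosen = next((l for l in locations if l.modifier == "=" and l.matches(path)), None)
    if chosen is None:
        prefixes = [l for l in locations if l.modifier in ("", "^~") and l.matches(path)]
        best_prefix = max(prefixes, key=lambda l: len(l.pattern), default=None)
        if best_prefix is not None and best_prefix.modifier == "^~":
            chosen = best_prefix
        else:
            regexes = (l for l in locations if l.modifier in ("~", "~*") and l.matches(path))
            chosen = next(regexes, best_prefix)
    if chosen is not None and chosen.nested:
        inner = select(chosen.nested, path)
        if inner is not None:
            return inner
    return chosen


def policy_for(config: List[Location], path: str) -> str:
    loc = select(config, path)
    return loc.policy if loc is not None else "no matching location"


# Method #2 from the first post, as posted: the admin-ajax block is a plain prefix.
METHOD_2 = [
    Location("~", r"^/(wp-admin|wp-login\.php)", "deny unless allow-listed"),
    Location("", "/wp-admin/admin-ajax.php", "allow all"),
]

# Francis Daly's proposed layout: exact matches for the two exceptions,
# a regex for all PHP with a nested regex restricting /wp-admin/.
FRANCIS = [
    Location("", "/", "try_files, falls through to /index.php"),
    Location("~", r"\.php$", "php, open to all", nested=[
        Location("~", r"^/wp-admin/", "php, allow-listed IPs only"),
    ]),
    Location("=", "/wp-login.php", "php, allow-listed IPs only"),
    Location("=", "/wp-admin/admin-ajax.php", "php, open to all"),
]

# Request paths constructed for the demo.
PATHS = ["/wp-admin/admin-ajax.php", "/wp-admin/plugins.php", "/wp-login.php",
         "/wp-comments-post.php", "/2020/04/hello-world/"]

if __name__ == "__main__":
    for name, config in (("method #2", METHOD_2), ("francis", FRANCIS)):
        for p in PATHS:
            print(f"{name:10} {p:28} -> {policy_for(config, p)}")
```

The run shows why method #2 never let admin-ajax.php through: the plain prefix block is only a fallback, and the regex `^/(wp-admin|wp-login\.php)` matches first. In Francis's layout the two `=` blocks are selected before any regex is consulted, and every other `/wp-admin/*.php` request ends up in the nested restricted block.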

Re: Nginx wp-admin access control

basti-2
I have not followed the entire discussion.

What is the goal to do with wp-admin?

There are several ways to limit access:
- http basic auth
- use an x509 cert to authenticate instead of user/pass
- write a hook plugin to wp_login() to use your own / external login

- just use fail2ban to keep bad guys out
- ...

On 16.04.20 16:46, Francis Daly wrote:

> On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote:
>
> Hi there,
>
>> To start, I am very much a beginner to nginx and  coding. I am a application support engineer, but got very little  development skills.
>
> I don't know WordPress; but on the nginx side, what matters is the
> request that is made (the url, handled in a "location") and the way that
> you want nginx to handle that request.
>
> In nginx (in general), one request is handled in one location;
> only the configuration in, or inherited into, that location
> matters. Location-matching does not include the request query
> string. Inheritance is per directive, and is either by replacement or
> not at all. The "*_pass" directives are not inherited; the others are.
>
> There are exceptions to this description, but it is probably a good
> enough starting point to understanding the configuration that is needed.
>
> The documentation for any directive X can be found from
> http://nginx.org/r/X
>
>> My goal is to have the sites available but the access to all wp admin must be limited.
>> below are a few of the solutions I found. Non seem to work fully. I assume it is my understanding of nginx configuration.
>>
>> method #1  -- test unsuccessfully.
>
> In this case, does "unsuccessful" mean: the php file is not handled
> when it should be; or the php file is handled when it should not be; or
> something else? In general, it is good to be specific -- what request was
> made, what response was returned, and what response was wanted instead.
>
>
> So, with me not knowing WordPress, your mail and some brief web searching
> suggests that you want your nginx to do the following:
>
> * allow any access to any request that ends in ".php", except
> * restrict access to the request /wp-login.php and
> * restrict access to any php request that starts with /wp-admin/, except
> * allow any access to /wp-admin/admin-ajax.php
>
> where "restrict" is to be based on an infrequently-changing list of IP
> addresses or address ranges.
>
> And this is in addition to the normal "try_files" config to just get
> wordpress working.
>
> Is that an accurate description of the desired request / response
> handling mapping?
>
> If so, something like (untested):
>
> ===
>   include fastcgi.conf; # has fastcgi_param, etc, but not fastcgi_pass
>   # Can directly paste the relevant lines here instead
>
>   location / {
>     try_files $uri $uri/ /index.php?$args;
>   }
>   location ~ \.php$ {
>     location ~ ^/wp-admin/ {
>       allow 192.168.1.0/24;
>       deny all;
>       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>     }
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
>   location = /wp-login.php {
>     allow 192.168.1.0/24;
>     deny all;
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
>   location = /wp-admin/admin-ajax.php {
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
> ===
>
> looks like it should work. There are other ways to arrange things,
> and there is repetition here of the "allow" list; it may be simpler to
> maintain that list twice than to use another "include" file.
>
> If you are happy to test and report what fails, then it should be possible
> to end up with a suitable config.
>
> Good luck with it,
>
> f
>

Re: Nginx wp-admin access control

Lawrence
Greetings All,

WOW, thanks for all the suggestions, guys. Not many of them are understood; I will try fail2ban and see how far I get.

Thanks again.
Lawrence


From: basti <[hidden email]>
To: <[hidden email]>
Sent: 16/04/2020 4:54 PM
Subject: Re: Nginx wp-admin access control

[...]


Re: Nginx wp-admin access control

basti-2
When you use fail2ban, have a look at ipset; it performs better on large
lists.

On 16.04.20 at 17:13, Lawrence wrote:

> [...]

Re: Nginx wp-admin access control

Lawrence
Thanks everyone for the great support.

After many replies I found that nginx did not like the cascading config that was suggested by some. Once I removed that, things seemed to stabilize and all seems good.

Thanks
Lawrence


From: basti <[hidden email]>
To: <[hidden email]>
Sent: 16/04/2020 6:04 PM
Subject: Re: Nginx wp-admin access control

when you use fail2ban have a look on ipset it performe better on large
lists.

On 16.04.20 at 17:13, Lawrence wrote:

> [...]


Re: Nginx wp-admin access control

P.V.Anthony
On 22/4/20 4:43 pm, Lawrence wrote:
> Thanks everyone for the great support.
>
> After many replies I found that nginx did not like the cascading config
> that was suggested by some. Once I removed that, things seemed to
> stabilize  and all seems good.

Please share the final working config. If you do not mind.

P.V.Anthony