Nginx wp-admin access control

Francis Daly francis at daoine.org
Thu Apr 16 14:46:02 UTC 2020


On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote:

Hi there,

> To start, I am very much a beginner to nginx and coding. I am an application support engineer, but have very little development skills.

I don't know WordPress; but on the nginx side, what matters is the
request that is made (the url, handled in a "location") and the way that
you want nginx to handle that request.

In nginx (in general), one request is handled in one location;
only the configuration in, or inherited into, that location
matters. Location-matching does not include the request query
string. Inheritance is per directive, and is either by replacement or
not at all. The "*_pass" directives are not inherited; the others are.

There are exceptions to this description, but it is probably a good
enough starting point for understanding the configuration that is needed.

The documentation for any directive X can be found from
http://nginx.org/r/X

> My goal is to have the sites available but the access to all wp admin must be limited.
> Below are a few of the solutions I found. None seem to work fully. I assume it is my understanding of nginx configuration.
> 
> method #1 -- tested unsuccessfully.

In this case, does "unsuccessful" mean: the php file is not handled
when it should be; or the php file is handled when it should not be; or
something else? In general, it is good to be specific -- what request was
made, what response was returned, and what response was wanted instead.


So, with me not knowing WordPress, your mail and some brief web searching
suggest that you want your nginx to do the following:

* allow any access to any request that ends in ".php", except
* restrict access to the request /wp-login.php and
* restrict access to any php request that starts with /wp-admin/, except
* allow any access to /wp-admin/admin-ajax.php

where "restrict" is to be based on an infrequently-changing list of IP
addresses or address ranges.

And this is in addition to the normal "try_files" config to just get
WordPress working.

Is that an accurate description of the desired request / response
handling mapping?

If so, something like (untested):

===
  include fastcgi.conf; # has fastcgi_param, etc, but not fastcgi_pass
  # Can directly paste the relevant lines here instead

  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  location ~ \.php$ {
    location ~ ^/wp-admin/ {
      allow 192.168.1.0/24;
      deny all;
      fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location = /wp-login.php {
    allow 192.168.1.0/24;
    deny all;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location = /wp-admin/admin-ajax.php {
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
===

looks like it should work. There are other ways to arrange things,
and there is repetition here of the "allow" list; it may be simpler to
maintain that list twice than to use another "include" file.

If you are happy to test and report what fails, then it should be possible
to end up with a suitable config.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
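An added illustration, not part of Francis's mail: a small Python model of the location-selection and allow/deny rules described above, applied to the untested config from the mail, so the request / response mapping can be checked on a desk before touching a server. It is a simplified model (exact match first, then longest prefix, then first regex in config order, then nested locations); it ignores `^~`, `try_files` and the internal redirect that `index` performs, and the location names and the 192.168.1.0/24 admin range are taken from the config as written.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed model of the mail's config: only location matching and the
# allow/deny lists are modelled; no FastCGI request is made.
ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

@dataclass
class Location:
    kind: str                                    # "=" exact, "~" regex, "" prefix
    pattern: str
    allow: list = field(default_factory=list)    # empty list: no allow/deny, everyone passes
    nested: list = field(default_factory=list)
    name: str = ""

CONFIG = [
    Location("", "/", name="location /"),
    Location("~", r"\.php$", name="location ~ \\.php$", nested=[
        Location("~", r"^/wp-admin/", allow=ADMIN_NETS, name="location ~ ^/wp-admin/"),
    ]),
    Location("=", "/wp-login.php", allow=ADMIN_NETS, name="location = /wp-login.php"),
    Location("=", "/wp-admin/admin-ajax.php", name="location = /wp-admin/admin-ajax.php"),
]

def select(locations, uri):
    """Exact match wins outright; otherwise remember the longest prefix match and
    let the first regex match (in config order) override it; then search the
    chosen location's nested locations the same way."""
    best = None
    for loc in locations:
        if loc.kind == "=" and uri == loc.pattern:
            return loc
        if loc.kind == "" and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    for loc in locations:
        if loc.kind == "~" and re.search(loc.pattern, uri):
            best = loc
            break
    if best is not None and best.nested:
        inner = select(best.nested, uri)
        if inner is not None:
            return inner
    return best

def handle(request_uri, client_ip):
    """Return (name of the handling location, status): 403 when an allow list rejects the client."""
    uri = request_uri.split("?", 1)[0]        # the query string never takes part in matching
    loc = select(CONFIG, uri)
    ip = ipaddress.ip_address(client_ip)
    if loc.allow and not any(ip in net for net in loc.allow):
        return loc.name, 403
    return loc.name, 200
```

Running `handle()` over the four cases in the bullet list (admin-ajax from anywhere, wp-login.php and /wp-admin/*.php only from the admin range, every other .php unrestricted) shows which location each request lands in and whether it is refused.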