Nginx wp-admin access control

Thu Apr 16 14:54:17 UTC 2020

I have not follow the entire discussion.

What is the goal to do with wp-admin?

There are several ways to limit access:
- http basic auth
- use a x509 cert to authenticate instead of user/pass
- write a hook plugin to wp_login() to use you own / external login

- just use fail2ban to keep bad guys out
- ...

On 16.04.20 16:46, Francis Daly wrote:
> On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote:
> 
> Hi there,
> 
>> To start, I am very much a beginner to nginx and  coding. I am a application support engineer, but got very little  development skills.
> 
> I don't know WordPress; but on the nginx side, what matters is the
> request that is made (the url, handled in a "location") and the way that
> you want nginx to handle that request.
> 
> In nginx (in general), one request is handled in one location;
> only the configuration in, or inherited into, that location
> matters. Location-matching does not include the request query
> string. Inheritance is per directive, and is either by replacement or
> not at all. The "*_pass" directives are not inherited; the others are.
> 
> There are exceptions to this description, but it is probably a good
> enough starting point to understanding the configuration that is needed.
> 
> The documentation for any directive X can be found from
> http://nginx.org/r/X
> 
>> My goal is to have the sites available but the access to all wp admin must be limited.
>> below are a few of the solutions I found. Non seem to work fully. I assume it is my understanding of nginx configuration.
>>
>> method #1  -- test unsuccessfully.
> 
> In this case, does "unsuccessful" mean: the php file is not handled
> when it should be; or the php file is handled when it should not be; or
> something else? In general, it is good to be specific -- what request was
> made, what response was returned, and what response was wanted instead.
> 
> 
> So, with me not knowing WordPress, your mail and some brief web searching
> suggests that you want your nginx to do the following:
> 
> * allow any access to any request that ends in ".php", except
> * restrict access to the request /wp-login.php and
> * restrict access to any php request that starts with /wp-admin/, except
> * allow any access to /wp-admin/admin-ajax.php
> 
> where "restrict" is to be based on an infrequently-changing list of IP
> addresses or address ranges.
> 
> And this is in addition to the normal "try_files" config to just get
> wordpress working.
> 
> Is that an accurate description of the desired request / response
> handling mapping?
> 
> If so, something like (untested):
> 
> ===
>   include fastcgi.conf; # has fastcgi_param, etc, but not fastcgi_pass
>   # Can directly paste the relevant lines here instead
> 
>   location / {
>     try_files $uri $uri/ /index.php?$args;
>   }
>   location ~ \.php$ {
>     location ~ ^/wp-admin/ {
>       allow 192.168.1.0/24;
>       deny all;
>       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>     }
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
>   location = /wp-login.php {
>     allow 192.168.1.0/24;
>     deny all;
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
>   location = /wp-admin/admin-ajax.php {
>     fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>   }
> ===
> 
> looks like it should work. There are other ways to arrange things,
> and there is repetition here of the "allow" list; it may be simpler to
> maintain that list twice than to use another "include" file.
> 
> If you are happy to test and report what fails, then it should be possible
> to end up with a suitable config.
> 
> Good luck with it,
> 
> 	f
> 