Nginx wp-admin access control
Lawrence
lawrence at begame.nl
Wed Apr 22 08:43:26 UTC 2020
Thanks everyone for the great support.
After many replies I found that nginx did not like the cascading config that was suggested by some. Once I removed that, things seemed to stabilize and all seems good.
Thanks
Lawrence
From: basti <mailinglist at unix-solution.de>
To: <nginx at nginx.org>
Sent: 16/04/2020 6:04 PM
Subject: Re: Nginx wp-admin access control
when you use fail2ban have a look on ipset it performe better on large
lists.
Am 16.04.20 um 17:13 schrieb Lawrence:
> Greetings All,
>
> WOW, thanks for all the suggestions guys. Not many of them are
> understood, I will try the fail2ban and see how far I get.
>
> Thanks gaian.
> Lawrence
>
>
> *From: * basti <mailinglist at unix-solution.de>
> *To: * <nginx at nginx.org>
> *Sent: * 16/04/2020 4:54 PM
> *Subject: * Re: Nginx wp-admin access control
>
> I have not follow the entire discussion.
>
> What is the goal to do with wp-admin?
>
> There are several ways to limit access:
> - http basic auth
> - use a x509 cert to authenticate instead of user/pass
> - write a hook plugin to wp_login() to use you own / external login
>
> - just use fail2ban to keep bad guys out
> - ...
>
> On 16.04.20 16:46, Francis Daly wrote:
> > On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote:
> >
> > Hi there,
> >
> >> To start, I am very much a beginner to nginx and coding. I am a
> application support engineer, but got very little development skills.
> >
> > I don't know WordPress; but on the nginx side, what matters is the
> > request that is made (the url, handled in a "location") and the
> way that
> > you want nginx to handle that request.
> >
> > In nginx (in general), one request is handled in one location;
> > only the configuration in, or inherited into, that location
> > matters. Location-matching does not include the request query
> > string. Inheritance is per directive, and is either by replacement or
> > not at all. The "*_pass" directives are not inherited; the others
> are.
> >
> > There are exceptions to this description, but it is probably a good
> > enough starting point to understanding the configuration that is
> needed.
> >
> > The documentation for any directive X can be found from
> > http://nginx.org/r/X
> >
> >> My goal is to have the sites available but the access to all wp
> admin must be limited.
> >> below are a few of the solutions I found. Non seem to work
> fully. I assume it is my understanding of nginx configuration.
> >>
> >> method #1 -- test unsuccessfully.
> >
> > In this case, does "unsuccessful" mean: the php file is not handled
> > when it should be; or the php file is handled when it should not
> be; or
> > something else? In general, it is good to be specific -- what
> request was
> > made, what response was returned, and what response was wanted
> instead.
> >
> >
> > So, with me not knowing WordPress, your mail and some brief web
> searching
> > suggests that you want your nginx to do the following:
> >
> > * allow any access to any request that ends in ".php", except
> > * restrict access to the request /wp-login.php and
> > * restrict access to any php request that starts with /wp-admin/,
> except
> > * allow any access to /wp-admin/admin-ajax.php
> >
> > where "restrict" is to be based on an infrequently-changing list
> of IP
> > addresses or address ranges.
> >
> > And this is in addition to the normal "try_files" config to just get
> > wordpress working.
> >
> > Is that an accurate description of the desired request / response
> > handling mapping?
> >
> > If so, something like (untested):
> >
> > ===
> > include fastcgi.conf; # has fastcgi_param, etc, but not
> fastcgi_pass
> > # Can directly paste the relevant lines here instead
> >
> > location / {
> > try_files $uri $uri/ /index.php?$args;
> > }
> > location ~ \.php$ {
> > location ~ ^/wp-admin/ {
> > allow 192.168.1.0/24;
> > deny all;
> > fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> > }
> > fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> > }
> > location = /wp-login.php {
> > allow 192.168.1.0/24;
> > deny all;
> > fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> > }
> > location = /wp-admin/admin-ajax.php {
> > fastcgi_pass unix:/run/php/php7.0-fpm.sock;
> > }
> > ===
> >
> > looks like it should work. There are other ways to arrange things,
> > and there is repetition here of the "allow" list; it may be
> simpler to
> > maintain that list twice than to use another "include" file.
> >
> > If you are happy to test and report what fails, then it should be
> possible
> > to end up with a suitable config.
> >
> > Good luck with it,
> >
> > f
> >
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200422/6b69051d/attachment-0001.htm>
More information about the nginx
mailing list