Hi,

I've googled this to death and can't find any solution...

I have a fairly standard wordpress setup under nginx and I would like to restrict the wp-admin pages to localhost.

Here is what my config looks like:

server {
server_name example.com;
root /var/www/example.com;

index index.php index.html index.htm;

# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*.php$ {
deny all;
}

location / {
try_files $uri $uri/ index.php?q=$uri&$args;
}

location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/www/php.sock;
}

location /wp-admin {
allow 127.0.0.0/8;
deny all;
}
}

This config restricts http://example.com/wp-admin but not http://example.com/wp-admin/index.php (or any other .php file) since "location \.php$" is specified before "location /wp-admin".
If I specify "location /wp-admin" on top, the restriction works for php files, but if connect from an authorised IP (localhost in that example), the php source files are just downloaded as plain text. This is normal since the .php handler is specified after...

So is there a solution to restrict wp-admin and still correctly process php files for authorised users in that location?

Thanks

-- calimero

I have this exact same issue... My config below:

server {
listen 80;
server_name mysite.com www.mysite.com;
root /opt/nginx/www.mysite.com/public_html;
index index.php;

location / {
# This is cool because no php is touched for static content
try_files $uri $uri/ /index.php?$args;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}

#charset koi8-r;
access_log /var/log/nginx/www.mysite.com_80.access.log main;
error_log /var/log/nginx/www.mysite.com_80.error.log;

# redirect server error pages to the static page /50x.html
error_page 403 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

location /wp-admin {
allow mysubnet/24; (I have my real subnet here)
deny all;
}

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
try_files $uri =404;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass php;
}

}

I figured it out... I read through the location directive manual 100 times and finally came to a working fix... See updated config below:


server {
listen 80;
server_name mysite.com www.mysite.com;
root /opt/nginx/www.mysite.com/public_html;
index index.php;

location / {
# This is cool because no php is touched for static content
try_files $uri $uri/ /index.php?$args;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}

#charset koi8-r;
access_log /var/log/nginx/www.mysite.com_80.access.log main;
error_log /var/log/nginx/www.mysite.com_80.error.log;

# redirect server error pages to the static page /50x.html
error_page 403 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ ^/(wp-admin|wp-login\.php$) {
allow mysubnet/24; (I have my real subnet here)
deny all;
try_files $uri =404;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass php;
}

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
try_files $uri =404;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass php;
}

}




The key was adding the additional regular expressions location "^/(wp-admin|wp-login\.php$)" ABOVE "\.php$"

The location directive uses the first regular expression match found. That means if your url is "/wp-admin/index.php" it matches both of the regular expressions "^/(wp-admin|wp-login\.php$)" and "\.php$", therefore it will use the first one declared.

Cheers


P.S. I don't want access to wp-admin or wp-login.php, that's why my expression is like that. you may want your regular expression to simply be "^/wp-admin"

There is also a nicer way with nesting locations:

Assuming you have this file that will be used in includes for the site config: /etc/nginx/fastcgi_php:

location ~ \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
try_files $uri =404;

include /etc/nginx/fastcgi_params;

fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/www/php.sock;
}


Then in the site config specify the root location like this:

location / {
# try_files: if $uri or $uri/ doesn't exist, redirect to /index.php with specified parameters
try_files $uri $uri/ /index.php?q=$uri&$args;

# sublocation for anything that matches admin or login pages
location ~ ^/(wp-admin|wp-login\.php) {
allow 127.0.0.0/8;
# change 127.0.0.0/8 to any subnet you want to give admin access to
deny all;
# include sub-sublocation to handle php files, only allowed IPs can get there
include /etc/nginx/fastcgi_php;
}

# include sublocation to handle php files
include /etc/nginx/fastcgi_php;
}

hi it is the solution for this question either you call jail wp-admin and wp-login php or any kind of php in wp-admin will not be allowed

location /wp-admin {
allow 1.1.1.1; #your home static ip address
deny all;
error_page 403 = @goawaywpadmin;
}
location @goawaywpadmin {
return 404;
}

location ~ ^/(wp-login.php) {
allow 1.1.1.1; #your home static ip address
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /home/aussie/www$fastcgi_script_name;
include fastcgi_params;
error_page 403 = @goaway;
}
location @goaway {
return 404;
}



Edited 1 time(s). Last edit at 03/23/2013 10:15PM by lifeisjustabout.