NGINX : Unable to whitelist list of IPs on phpmyadmin route - nginx

I have a website running in production and I need to disable the route phpmyadmin and allow a list of IPs only.
Issue: The following is denying all the IPs including the ones which are allowed.
file: /etc/nginx/sites-available/default
location /phpmyadmin {
    allow X.X.X.X;
    allow Y.Y.Y.Y;
    allow Z.Z.Z.Z;
    deny all;
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
I need to fix this to allow 3-4 IPs only on this route. Please help. I am not sure what I am doing wrong here.

Related

nginx Restrict or Redirect requests to go through index.php in the root

My project requirement is to launch an angular(v6)/ionic(v4) app(index.html) from Slim framework (index.php).
The root folder structure is attached in the image below:
'www' is the root directory where the Slim index.php lies. Inside 'www' is the app folder where the angular build files(index.php) are added.
The requirement is that all the requests should go through Slim index.php in the root folder and based on some session logic we have to route or launch the angular app (index.html).
Right now, 'https://domain/' goes through index.php. But,
'https://domain/app/' directly launches the angular app (index.html).
How can I configure nginx so that all requests are to be handled in the root directory by Slim index.php ?
server {
    server_name <domain>;
    root /var/www/<some name>/public/www/;
    index index.php index.html index.htm;
    access_log /var/log/nginx/<some name>.log;
    error_log /var/log/nginx/<some name>.log;
    sendfile off;
    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ index.php /index.php?$args;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_read_timeout 36000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Thanks
You can restrict access to your app directory like so:
location /app {
    deny all;
    return 404; #show not found instead of 403
}
Or you can override the 403 handling by sending a redirect to https://example.com/
location /app {
    deny all;
    error_page 403 https://domain.com/; #redirect to your main directory
}

Wordpress and NGINX /wp-admin redirect loop

My nginx.conf has a server block containing this:
location ~ \.php$ {
    root /var/www/html/blog;
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}
location /blog {
    root /var/www/html/blog;
    include /etc/nginx/mime.types;
    try_files $uri $uri/ /index.php?q=$uri&$args;
}
But with these settings when I try to access /blog/wp-admin my browser gets stuck in some redirect loop.
If I change the root URLs in nginx.conf to /var/www/html, /blog/wp-admin works, but my post permalinks give me a 404 error.
My WP files are located in /var/www/html/blog. I have the 'SSL Insecure Content Fixer' plugin installed because my images were giving a mixed content error on my site, which has a Cloudflare page rule to always use SSL.
My WP address and WP home are both set to http://xxx/blog.
Anybody fixed something similar?
Thanks
I think that the main problem is an inconsistency with your root directive. Your PHP configuration has WordPress in /var/www/html/blog whereas your static configuration has WordPress in /var/www/html/blog/blog.
Assuming that WordPress is installed in the root of /var/www/html/blog and that the URIs should be prefixed with /blog/ for both real files and permalinks, the correct URI for the entry point should be /blog/index.php.
The nginx.conf file should probably be:
root /var/www/html;
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    include fastcgi_params;
}
location /blog {
    include /etc/nginx/mime.types;
    try_files $uri $uri/ /blog/index.php;
}
If you have a conflicting root directive within the outer server container, the above root directive could be placed inside the two location blocks unmodified.
I would try /blog/index.php rather than /blog/index.php?q=$uri&$args as the last element of try_files because in my experience, WordPress uses the REQUEST_URI parameter to route permalinks rather than the q argument as you have implied, but YMMV.
If you do have other applications in this server's root and would like to segregate the WordPress root more completely, you might nest the PHP location block like this:
location ^~ /blog {
    root /var/www/html;
    include /etc/nginx/mime.types;
    try_files $uri $uri/ /blog/index.php;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        include fastcgi_params;
    }
}

Laravel and WordPress integration routing using nginx

I am developing a web app in Laravel 5.2. I have an existing WordPress site. So, I want to integrate Laravel with WordPress. The WordPress app has static pages. I have two separate directories for Laravel and WordPress in my root directory.
laraApp
wpApp
I want to make wpApp the default app. So when the user clicks the login button, the user will be redirected to laraApp. I want wpApp at www.example.com and laraApp at www.example.com/laraApp. I have an nginx web server running. So what should my nginx config file be?
Current nginx config file is :
server {
    listen 80;
    root /var/www/root/wpApp;
    index index.php index.html index.htm;
    server_name www.example.com;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    # rewrite rules for laravel routes
    location /laraApp {
        rewrite ^/laraApp/(.*)$ /laraApp/public/index.php?$1 last;
    }
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Here my Laravel app is accessible using url www.example.com/laraApp/public/
I want to access it using www.example.com/laraApp.
Thanks.
The configuration would be simpler if the base URI for each of the applications did not overlap. But given the constraints of your question, you must use two distinct document roots for the PHP section of each of the applications in your configuration.
As you have placed one of your applications in /, the other application is kept separate by the use of nested location blocks. Notice the use of the ^~ modifier to prevent the first PHP block from processing Laravel requests.
index index.php index.html index.htm;
root /var/www/root/wpApp;
location / {
    try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
    try_files $uri /index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ^~ /laraApp {
    rewrite ^/laraApp(.*)$ /laraApp/public$1 last;
}
location ^~ /laraApp/public {
    root /var/www/root;
    try_files $uri $uri/ /laraApp/public/index.php?$query_string;
    location ~ \.php$ {
        try_files $uri /laraApp/public/index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}
I am away from my test system at the moment so the above has not been syntax checked or tested.

Restricting access to files and directories on Nginx by IP

I'm trying to lock down access to WP-admin using IP restrictions on Nginx. The following seems to block wp-admin, but doesn't block wp-login.php
This is a start as it will stop anyone being able to login from any other IP, as after signing in you are redirected to wp-admin which is restricted. However, they can still get to the sign in form and in theory could still be affected by brute force attacks.
server {
    listen 80;
    server_name website.com www.website.com dev.website.com;
    location / {
        root /var/www/html/website.com/;
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        root /var/www/html/website.com/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ ^/(wp-admin|wp-login/.php) {
        root /var/www/html/website.com/;
        index index.php index.html index.htm;
        allow 123.123.123.123/32;
        deny all;
    }
}
If you fix your context it might fix this issue. Instead of forward slash do a backslash prior to your .php
location ~ ^/(wp-admin|wp-login\.php) {
    allow 123.123.123.123/32;
    deny all;
}
Not a perfect solution, but I'm now using this:
server {
    listen 80;
    server_name website.com www.website.com dev.website.com;
    root /var/www/html/website.com/;
    error_page 403 404 500 502 503 504 = /server_error.php;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location = /wp-login.php {
        allow 123.123.123.123/32;
        deny all;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
which will keep everyone out, but doesn't mask the fact that wp-admin exists. If someone were to navigate to wp-admin, they're redirected to wp-login.php which is restricted.
Tidied up a bit too.
I know this is a little old, but your answer helped me and I have improved upon it. So for anyone else seeing this issue which I imagine is actually quite common. For me Nginx was only blocking CSS files.
I believe the issue is caused by Nginx first seeing it's a php file and therefore dealing with it inside location ~ \.php$ {} before it gets to location ~ ^/(wp-admin|wp-login\.php) {}
So I did this, firstly above location ~ \.php$ {} add:
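location = /wp-login.php {
    allow 12.345.6.7; #example IP address
    deny all;
    # Without fastcgi_pass an allowed client would be sent the PHP source;
    # use the same backend as the location ~ \.php$ block.
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}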
This will block access to wp-login.php which is great, but like you said it doesn't block wp-admin so just follow up by adding the other block below location ~ \.php$ {}
location ~ ^/(wp-admin|wp-login\.php) {
    allow 12.345.6.7; #example IP address
    deny all;
}
Now, if you're not coming from IP 12.345.6.7 then you can't get access to either wp-admin or wp-login.php
Now (2018) WordPress redirects wp-admin automatically to wp-login.
So it's sufficient to only disallow /wp-login.php with:
location = /wp-login.php {
    allow 16.16.12.11;
    deny all;
}
Just put it after the default "location ~ \.php$" block
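
The location-selection order that the answers in this thread depend on (exact `=` first, then the longest prefix, `^~` suppressing regexes, then regexes in file order), together with the `^~` behaviour used in the Laravel answer earlier on the page, as an added example that is not part of any answer here. It is a simplified Python model, not nginx code: the list names and the `report` helper are made up for illustration, and nested locations and internal redirects are not modelled.

```python
import re

def select_location(locations, uri):
    """Model nginx's choice of location for a URI within one server block.

    locations: (modifier, pattern) pairs in config-file order, where the
    modifier is "" (prefix), "=", "^~", "~" or "~*". Nesting is not modelled.
    """
    # 1. An exact "=" match wins immediately.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return f"= {pat}"
    # 2. Remember the longest matching prefix location.
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    # "^~" on that longest prefix skips the regex pass entirely.
    if best and best[0] == "^~":
        return f"^~ {best[1]}"
    # 3. Regex locations are tried in file order; the first match wins.
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return f"{mod} {pat}"
    # 4. No regex matched: fall back to the longest prefix.
    return best[1] if best else None

PHP = ("~", r"\.php$")
ACL = ("~", r"^/(wp-admin|wp-login\.php)")
# Location lists constructed from the configurations quoted in this thread.
QUESTION = [("", "/"), PHP, ("~", r"^/(wp-admin|wp-login/.php)")]
EXACT_THEN_ACL = [("", "/"), ("=", "/wp-login.php"), PHP, ACL]
ACL_FIRST = [("", "/"), ACL, PHP]
# Top-level locations from the Laravel answer earlier on the page.
LARAVEL = [("", "/"), PHP, ("^~", "/laraApp"), ("^~", "/laraApp/public")]

def report(locations, uris=("/wp-login.php", "/wp-admin/", "/wp-admin/index.php")):
    """Map each URI to the location block that would handle it."""
    return {uri: select_location(locations, uri) for uri in uris}

if __name__ == "__main__":
    for name in ("QUESTION", "EXACT_THEN_ACL", "ACL_FIRST"):
        print(name)
        for uri, loc in report(globals()[name]).items():
            print(f"  {uri:22} -> {loc}")
```

With the allow/deny regex placed below `location ~ \.php$`, /wp-admin/index.php is handled by the PHP block and never reaches the allow/deny rules; a location that takes over .php requests also needs its own FastCGI directives.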

nginx cache remote website

I have installed nginx on my local machine.
My problem is that I would like to set up a cache for my website.
Please help me configure nginx.
This is my configuration:
server
{
    server_name .mywebsite.com;
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;
    root /var/www/example.com/html;
    index index.php index.html index.htm;
    # use fastcgi for all php files
    location ~ \.php$
    {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # deny access to apache .htaccess files
    location ~ /\.ht
    {
        deny all;
    }
}
But I don't have any static content on my local machine.
Help please, best regards.
