How to add conditional pattern matching rules with IP restriction to Nginx? - nginx

I would like to configure a rule such that anything with a pending + will be redirect to a 404 page except for a certain allow IP.
eg.
If IP is 111.111.111.111, http://domain.com/12345+ will be processed (via php block)
Any other condition will return 404 not found
This rule should take precedence before the php block.

location ~ "^/([0-9a-zA-Z]{5})\+$" {
allow 111.111.111.111;
deny all;
try_files $uri $uri/ /index.php.php$is_args$args;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm-www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
The above solution works for me, even though it shows a 403 forbidden instead of giving me 404 not found if coming from an unauthorized IP.
I would appreciate if someone can show me how to display an internal 404 page or even redirect to an external URL when 404 occurs.

Related

Nginx routing issue

Not entirely sure how to ask this but I have also looked all over the web and couldn't find an answer so any help is much appreciated.
I'm trying to set up an API call through my site that uses nginx, if I send the url /api/timestamp/ it works just fine and returns what is intended. However if i add a parameter and send /api/timestamp/2015-08-09 it tries to open the file 2015-08-09 which obviously doesn't exist.
How do I get Nginx to pass the parameter as an argument to my program and not try to use it as a route? Or am I looking at this all wrong?
server {
listen 83 default_server;
server_name portfolio.com;
access_log /var/log/nginx/port.access.log;
error_log /var/log/nginx/port.error.log;
root /var/www/portfolio/;
index index.php;
error_page 404 /404.html;
error_page 405 =200 $uri;
location /api/timestamp/ {
rewrite /api/timestamp/(.*) /api/timestamp/?param=$1 last;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi.conf;
}
}
you need use a rewrite rule, the most simple solution for you is some like this
location /api/timestamp/ {
rewrite /api/timestamp/(.*) /api/timestamp/?param=$1 last;
}
Then you will receive the value in a parameter named param (change it according your requeriments).
Obviously, you can use a regex most restrictive to avoid undesired values .
You can get more information in https://www.nginx.com/blog/creating-nginx-rewrite-rules/.
Regards.

Nginx rewrite to make a "personal URL"

I'd like to be able to make "personal URL" for our users (Facebook like), which is of course a dynamic strings. it needs to be in the root of the site, and that is why I'm having a big headache with it.
The requirements that I have are:
1. I need
www.example.com/John.Doe (it can be a-zA-Z0-9_-.)
and rewrite it to:
www.example.com/profile?id=John.Doe
2. I also need the site scripts to be extension less like (which I was able to do, with the great people here, using "$uri.php$is_args$query_string;"):
so
www.example.com/login
will go to:
www.example.com/login.php
I tried a lot of things, but I just can't get the right formula to make it work.
This is my configuration, right now:
location / {
try_files $uri $uri/ $uri.php$is_args$query_string;
}
location ~ \.php$ {
if ($request_uri ~ ^/([^?]*)\.php(\?.*)?$) {
return 301 /$1$2;
}
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
You have an overlapping namespace for your extension-less scripts and your personal URLs, so you need to test for the presence of the $uri.php file before rewriting it to profile.php.
So rather than rewrite the URI in the first try_files directive (as you have it now), it may be better to use a named location block to process the PHP file without having to rewrite it first.
Like this:
location / {
try_files $uri $uri/ #php;
}
location #php {
try_files $uri.php #rewrite;
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9001;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location #rewrite {
rewrite ^/([a-zA-Z0-9_.-]+)$ /profile.php?id=$1 last;
}
location ~ \.php$ {
if ($request_uri ...) { ... }
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9001;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
The first block serves static files. The second block processes extension-less PHP files (if and only if they exists). The third block performs a rewrite to profile.php (which does not need to be extension-less, as it is not exposed to the client). The fourth block processes normal .php URIs and includes your $request_uri fix.
Note that fastcgi_index is redundant in both this and the original configuration.
For more details, here are some links to the nginx documentation for the location, try_files and rewrite directives.

Different url rewriting according to locations

I really don't find any documentation I find clear about URL rewriting (I can't understand it, as I unexpectedly find the documentation really hard to read for a non-native).
I'm looking for a way to rewrite all routes that matches /*\.(js|png|jpg|css|ttf|xml)$/ toward path/media/ and try existance of file then return it if exists, else 404 not found
then if it begins with /ajax/ redirect all of it toward path/ajax/index.php
else redirect all of it toward path/www/index.php
I don't quite understand how I should do it, for now I created 3 locations /media/, /ajax/ and /www/ but I don't know if it is the right way to use rewrite and not return, or are the locations the correct way to do it.
I don't really understand what I've written in my sites-enabled/file regarding fastcgi. is this a interpretor path ?
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
If I get it right, it means "if it ends with .php, and it exists in hierarchy, then execute it".
And I don't know if I should put that kind of stuff for each location that has to deal with php (/www/ and /ajax/), especially since I'm going to do some routing for both. Moreover, I don't know if it should be done that way.
The simplest PHP configurations use a common root directive which is inherited by the location blocks, and in your case would be:
root path;
This means that /www/index.php and /ajax/index.php are both processed by the location ~ \.php$ block.
The default action can be defined by the try_files directive within a location / block:
location / {
try_files $uri $uri/ /www/index.php;
}
If you need a different default action for URIs which begin with /ajax, add a more specific location:
location /ajax {
try_files $uri $uri/ /ajax/index.php;
}
If you do not want your media URIs to begin with /media you can override the root for one specific location:
location ~* \.(js|png|jpg|css|ttf|xml)$ {
root path/media;
}
The fastcgi_split_path_info and fastcgi_index directives are unnecessary in your specific case. The include fastcgi_params; statement should be placed before any fastcgi_param directive to avoid the latter being inadvertently overridden:
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
See the nginx documentation for details.

Restricting access to files and directories on Nginx by IP

I'm trying to lock down access to WP-admin using IP restrictions on Nginx. The following seems to block wp-admin, but doesn't block wp-login.php
This is a start as it will stop anyone being able to login from any other IP, as after signing in you are redirected to wp-admin which is restricted. However, they can still get to the sign in form and in theory could still be affected by brute force attacks.
server {
listen 80;
server_name website.com www.website.com dev.website.com;
location / {
root /var/www/html/website.com/;
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
root /var/www/html/website.com/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ ^/(wp-admin|wp-login/.php) {
root /var/www/html/website.com/;
index index.php index.html index.htm;
allow 123.123.123.123/32;
deny all;
}
}
If you fix your context it might fix this issue. Instead of forward slash do a backslash prior to your .php
location ~ ^/(wp-admin|wp-login\.php) {
allow 123.123.123.123/32;
deny all;
}
Not a perfect solution, but I'm now using this:
server {
listen 80;
server_name website.com www.website.com dev.website.com;
root /var/www/html/website.com/;
error_page 403 404 500 502 503 504 = /server_error.php;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
location = /wp-login.php {
allow 123.123.123.123/32;
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
which will keep everyone out, but doesn't mask the fact that wp-admin exists. If someone were to navigate to wp-admin, they're redirected to wp-login.php which is restricted.
Tidied up a bit too.
I know this is a little old, but your answer helped me and I have improved upon it. So for anyone else seeing this issue which I imagine is actually quite common. For me Nginx was only blocking CSS files.
I believe the issue is caused by Nginx first seeing its a php file and therefore dealing with it inside location ~ \.php$ {} before it gets to location ~ ^/(wp-admin|wp-login\.php) {}
So I did this, firstly above location ~ \.php$ {} add:
location = /wp-login.php{
allow 12.345.6.7; #example IP address
deny all;
fastcgi_index index.php;
include fastcgi_params;
}
This will block access to wp-login.php which is great, but like you said it doesnt block wp-admin so just follow up by adding the other block below location ~ \.php$ {}
location ~ ^/(wp-admin|wp-login\.php) {
allow 12.345.6.7 #example IP address
deny all;
}
Now, if your not coming from IP 12.345.6.7 then you can't get access to either wp-admin or wp-login.php
now (2018) Wordpress redirects wp-admin automaticaly to wp-login.
So it's sufficient to only disallow /wp-login.php wit:
location = /wp-login.php {
allow 16.16.12.11
deny all;
}
Just put it after the default "location `.php$" block

Short-circuit logic in Nginx conf (would like to override a location)

I have mediawiki installed. All is right in the world except for when I try to alias a external directory (webalizer web stats). I see that Nginx passes off the request to /usage/* to PHP/Mediawiki. I don't want that. I literally want everything under /usage/ to point to my alias and nothing else. Completely separate from Mediawiki code and functionality.
# in no way related to Mediawiki. I just want to serve this as static HTML.
location /usage {
alias /var/www/webalizer/wiki.longnow.org/;
}
# This answers to anything, which may be my problem
location / {
try_files $uri $uri/ #rewrite;
index index.php;
}
# A special rewrite to play nicely with Mediawiki
location #rewrite {
rewrite ^/(.*)$ /index.php?title=$1&$args;
}
# PHP, nom nom nom
location ~ \.php$ {
include fastcgi_params;
fastcgi_index index.php;
fastcgi_pass unix:/tmp/php-fastcgi.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
I was hoping that listing the /usage location directive ahead of the rest would short-circuit the system, but I have been spoiled by Django ;)
To stop Nginx from processing further location directives, it should be prefixed by ^~.
I think you will still want a try_files falling back to a 404 response inside the location.
location ^~ /usage {
alias /var/www/webalizer/wiki.longnow.org/;
try_files $uri $uri/ =404;
}
See http://wiki.nginx.org/HttpCoreModule#location for reference.

Resources