
nginx - Restrict access to admin.php by IP

Robust

Well-known member
#1
Can I have an example? Tried a few ways I found on the forum but they all resulted in a 403 Forbidden. If someone can give me an example on doing this it'd be much appreciated. Just want to limit admin.php* to my home IP, using nginx and php-fpm for php.
 

Mouth

Well-known member
#2
Code:
        location = /admin.php {
                allow <your ip address>;
                deny all;
                auth_basic                      "Restricted Access";
                auth_basic_user_file            <your htpasswd file>;
                try_files                       $uri =404;
                fastcgi_split_path_info         ^(.+\.php)(/.+)$;
                fastcgi_pass                    unix:/run/php5-fpm.sock;
                include                         fastcgi_params;
        }
Remove the x2 auth_basic lines if you don't want username/password prompting too
 

Robust

Well-known member
#3
@Mouth Thank you, it's kinda like what I tried before. I've tried with deny all; it's denying like it should. I've added my IP above it like in the example and it's still giving me 403 forbidden by the nginx server. Here is a config, with example.com substituting my website URL:

Code:
#Forum

server {
    listen 80;
    server_name forum.example.com;
    access_log /var/www/example.com/forum/access.log;
    error_log /var/www/example.com/forum/error.log;

    location / {
        root /var/www/forum.example.com/public_html;
        index index.php index.html;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location = /admin.php {
        allow xx.xx.xxx.xxx;
        deny all;
        try_files                       $uri =404;
        fastcgi_split_path_info         ^(.+\.php)(/.+)$;
        fastcgi_pass                    unix:/run/php5-fpm.sock;
        include                         fastcgi_params;
    }

    location /internal_data/ {
        internal;
    }

    location /library/ {
        internal;
    }

    # pass the PHP scripts to FastCGI
    # server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root /var/www/forum.example.com/public_html;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
xx.xx.xxx.xxx is my external IP.

Any ideas?

To add, I'm using nginx on CentOS 6. That configuration file is virtual.conf
 

SneakyDave

Well-known member
#4
Dumb question, are you restarting nginx after making the change?

And normally, I think I've seen the Deny All first, then the Allow, but that's how Mouth has it above, so that must be correct.
 

Robust

Well-known member
#5
Yup, I am. And it makes sense to allow an IP before denying them all (just off how it works in iptables and the general thought).

And technically I'm reloading nginx, does the job.
 

SneakyDave

Well-known member
#6
Yeah, sorry couldn't be of any help. I was thinking of Apache htaccess with
Code:
order deny,allow
deny from all
allow from 111.222.333.444
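
The rule-order question raised in posts #4 to #6, as an added example that is not part of any poster's message: a small Python model of how nginx's allow/deny rules are evaluated (in sequence, first match wins) next to Apache's `Order deny,allow`. The addresses are constructed documentation-range values, and the function names are made up for this illustration.

```python
import ipaddress

def _hit(target, client):
    """True if an allow/deny target ('all', an address or a CIDR) covers client."""
    if target == "all":
        return True
    net = ipaddress.ip_network(target, strict=False)
    return client.version == net.version and client in net

def nginx_access(rules, client_ip):
    """nginx access module: rules are checked in config order, first match decides."""
    client = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if _hit(target, client):
            return 200 if action == "allow" else 403
    return 200  # no rule matched: the request is not restricted

def apache_order_deny_allow(deny, allow, client_ip):
    """Apache 'Order deny,allow': a Deny match is overridden by any Allow match,
    regardless of the order the directives are written in."""
    client = ipaddress.ip_address(client_ip)
    denied = any(_hit(t, client) for t in deny)
    allowed = any(_hit(t, client) for t in allow)
    return 403 if denied and not allowed else 200

# Constructed sample addresses (RFC 5737 documentation ranges).
HOME, OTHER = "203.0.113.10", "198.51.100.7"

AS_POSTED = [("allow", HOME), ("deny", "all")]  # order used in post #2
REVERSED = [("deny", "all"), ("allow", HOME)]   # "deny first", as in .htaccess

def compare():
    """Status per ruleset for (home client, other client), side by side."""
    return {
        "nginx_as_posted": (nginx_access(AS_POSTED, HOME),
                            nginx_access(AS_POSTED, OTHER)),
        "nginx_reversed": (nginx_access(REVERSED, HOME),
                           nginx_access(REVERSED, OTHER)),
        "apache": (apache_order_deny_allow(["all"], [HOME], HOME),
                   apache_order_deny_allow(["all"], [HOME], OTHER)),
    }

if __name__ == "__main__":
    for name, (home, other) in compare().items():
        print(f"{name:16} home={home} other={other}")
```

In nginx, writing `deny all;` before the `allow` line locks out the allowed address as well, which is why the allow-then-deny order from post #2 is the one to keep.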
 

Mouth

Well-known member
#7
Firstly, make sure you change the 'fastcgi_pass' on the location block I gave you to match yours ("fastcgi_pass 127.0.0.1:9000;") further down, as you are using TCP/IP and not a socket.

The 403 will be because of some file/dir permission nginx doesn't like.
From the '/var/www/forum.example.com/' do a 'chown -R www-data:www-data public_html', where www-data = the user you have nginx running under (I'm not sure what it is for CentOS). Restart nginx and see if that resolves the 403. If not, then do a 'chmod -R 755 public_html' and restart nginx.
 

Robust

Well-known member
#9
I get a 403 when it's doing deny all. I'm only getting the 403 with the admin.php restrict thing. I'll change the fastcgi pass. It's owned by the user nginx, which is the user for the website, and isn't chmod 755 bad?
 

MattW

Well-known member
#11
This is all I do (centminmod build)

Code:
        location /admin.php {
                allow IP1;
                allow IP2;
                deny all;
                include /usr/local/nginx/conf/staticfiles.conf;
                include /usr/local/nginx/conf/php.conf;
        }