nginx - Restrict access to admin.php by IP

Discussion in 'Server Configuration and Hosting' started by Robust, Mar 19, 2014.

  1. Robust

    Robust Well-Known Member

    Can I have an example? Tried a few ways I found on the forum but they all resulted in a 403 Forbidden. If someone can give me an example on doing this it'd be much appreciated. Just want to limit admin.php* to my home IP, using nginx and php-fpm for php.
     
  2. Mouth

    Mouth Well-Known Member

    Code:
           location = /admin.php {
                    allow <your ip address>;
                    deny all;
                    auth_basic                      "Restricted Access";
                    auth_basic_user_file            <your htpasswd file>;
                    try_files                       $uri =404;
                    fastcgi_split_path_info         ^(.+\.php)(/.+)$;
                    fastcgi_pass                    unix:/run/php5-fpm.sock;
                    include                         fastcgi_params;
            }
    Remove the x2 auth_basic lines if you don't want username/password prompting too
     
  3. Robust

    Robust Well-Known Member

    @Mouth Thank you, it's kinda like what I tried before. I've tried with deny all; it's denying like it should. I've added my IP above it like in the example and it's still giving me 403 forbidden by the nginx server. Here is a config, with example.com substituting my website URL:

    Code:
    #Forum

    server {
        listen 80;
        server_name forum.example.com;
        access_log /var/www/example.com/forum/access.log;
        error_log /var/www/example.com/forum/error.log;

        location / {
            root /var/www/forum.example.com/public_html;
            index index.php index.html;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location = /admin.php {
            allow xx.xx.xxx.xxx;
            deny all;
            try_files                       $uri =404;
            fastcgi_split_path_info         ^(.+\.php)(/.+)$;
            fastcgi_pass                    unix:/run/php5-fpm.sock;
            include                         fastcgi_params;
        }

        location /internal_data/ {
            internal;
        }

        location /library/ {
            internal;
        }

        # pass the PHP scripts to FastCGI
        # server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root /var/www/forum.example.com/public_html;
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    xx.xx.xxx.xxx is my external IP.

    Any ideas?

    To add, I'm using nginx on CentOS 6. That configuration file is virtual.conf
     
  4. SneakyDave

    SneakyDave Well-Known Member

    Dumb question, are you restarting nginx after making the change?

    And normally, I think I've seen the Deny All first, then the Allow, but that's how Mouth has it above, so that must be correct.
     
  5. Robust

    Robust Well-Known Member

    Yup, I am. And it makes sense to allow an IP before denying them all (just off how it works in iptables and the general thought).

    And technically I'm reloading nginx, does the job.
     
    SneakyDave likes this.
  6. SneakyDave

    SneakyDave Well-Known Member

    Yeah, sorry couldn't be of any help. I was thinking of Apache htaccess with
    Code:
    order deny,allow
    deny from all
    allow from 111.222.333.444
    
     
  7. Mouth

    Mouth Well-Known Member

    Firstly, make sure you change the 'fastcgi_pass' on the location block I gave you to match yours ("fastcgi_pass 127.0.0.1:9000;") further down, as you are using TCP/IP and not a socket.

    The 403 will be because of some file/dir permission nginx doesn't like.
    From the '/var/www/forum.example.com/' do a 'chown -R www-data:www-data public_html', where www-data = the user you have nginx running under (I'm not sure what it is for CentOS). Restart nginx and see if that resolves the 403. If not, then do a 'chmod -R 755 public_html' and restart nginx.
     
  8. Mouth

    Mouth Well-Known Member

    Yes, nginx requires any 'deny all' to be last.
     
  9. Robust

    Robust Well-Known Member

    I get a 403 when it's doing deny all. I'm only getting the 403 with the admin.php restrict thing. I'll change the fastcgi pass. It's owned by the user nginx, which is the user for the website, and isn't chmod 755 bad?
     
  10. Robust

    Robust Well-Known Member

    403 Forbidden
    nginx/1.0.15

    Did it all except chmod 755. I'm sure it isn't that as admin.php works without that.
     
  11. MattW

    MattW Well-Known Member

    This is all I do (centminmod build)

    Code:
            location /admin.php {
                    allow IP1;
                    allow IP2;
                    deny all;
                    include /usr/local/nginx/conf/staticfiles.conf;
                    include /usr/local/nginx/conf/php.conf;
            }
     
    RoldanLT likes this.
  12. p4guru

    p4guru Well-Known Member

  13. Robust

    Robust Well-Known Member

    I do.

    I was stupid enough to forget I use CloudFlare. Accepting IP header things via nginx now.
     
    SneakyDave and MattW like this.
  14. SneakyDave

    SneakyDave Well-Known Member

    Ah.. I use the same setup. Didn't even think of that
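
Added example, not part of any post in this thread: behind CloudFlare, nginx sees the proxy's address as the client, so `allow`/`deny` never matches the home IP and every request to admin.php gets a 403. The sketch below restores the client address with nginx's realip module before the access check runs. It assumes the module is compiled in, and the proxy range and home IP are documentation placeholders.

```nginx
# Added example; 192.0.2.0/24 and 203.0.113.10 are placeholders, not real values.
server {
    listen 80;
    server_name forum.example.com;
    root /var/www/forum.example.com/public_html;

    # Accept the client-IP header only on connections that come from the proxy.
    # Replace the placeholder with every range the proxy provider publishes.
    set_real_ip_from 192.0.2.0/24;
    real_ip_header   CF-Connecting-IP;

    location / {
        index index.php index.html;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    # An exact-match location is chosen before the regex location below,
    # so requests for /admin.php always pass through this access list.
    location = /admin.php {
        allow 203.0.113.10;   # placeholder for the home IP
        deny  all;            # must come after the allow lines
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

List only the proxy's own ranges in `set_real_ip_from`; a broader range lets any client supply the header and pass the `allow` check.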
     
