nginx - Restrict access to admin.php by IP
- Thread starter Robust
- Start date
Mouth
Well-known member
Code:
location = /admin.php {
allow <your ip address>;
deny all;
auth_basic "Restricted Access";
auth_basic_user_file <your htpasswd file>;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php5-fpm.sock;
include fastcgi_params;
}Remove the x2 auth_basic lines if you don't want username/password prompting too
Robust
Well-known member
@Mouth Thank you, it's kinda like what I tried before. I've tried with deny all; it's denying like it should. I've added my IP above it like in the example and it's still giving me 403 forbidden by the nginx server. Here is a config, with example.com substituting my website URL:
xx.xx.xxx.xxx is my external IP.
Any ideas?
To add, I'm using nginx on CentOS 6. That configuration file is virtual.conf
Code:
#Forum
server {
listen 80;
server_name forum.example.com;
access_log /var/www/example.com/forum/access.log;
error_log /var/www/example.com/forum/error.log;
location / {
root /var/www/forum.example.com/public_html;
index index.php index.html;
try_files $uri $uri/ /index.php?$uri&$args;
}
location = /admin.php {
allow xx.xx.xxx.xxx;
deny all;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php5-fpm.sock;
include fastcgi_params;
}
location /internal_data/ {
internal;
}
location /library/ {
internal;
}
# pass the PHP scripts to FastCGI
# server listening on 127.0.0.1:9000
#
location ~ \.php$ {
root /var/www/forum.example.com/public_html;
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}xx.xx.xxx.xxx is my external IP.
Any ideas?
To add, I'm using nginx on CentOS 6. That configuration file is virtual.conf
SneakyDave
Well-known member
Dumb question, are you restarting nginx after making the change?
And normally, I think I've seen the Deny All first, then the Allow, but that's how Mouth has it above, so that must be correct.
And normally, I think I've seen the Deny All first, then the Allow, but that's how Mouth has it above, so that must be correct.
Robust
Well-known member
Yup, I am. And it makes sense to allow an IP before denying them all (just off how it works in iptables and the general thought).
And technically I'm reloading nginx, does the job.
SneakyDave
Well-known member
Yeah, sorry couldn't be of any help. I was thinking of Apache htaccess with
Code:
order deny,allow
deny from all
allow from 111.222.333.444Mouth
Well-known member
Firstly, make sure you change the 'fastcgi_pass' on the location block I gave you to match yours ("fastcgi_pass 127.0.0.1:9000;") further down as you are using TCPIP and not socket
The 403 will be because of some file/dir permission nginx doesn't like.
From the '/var/www/forum.example.com/' do a 'chown -R www-data:www-data public_html', where www-data = the user you have nginx runnign under (I'm not sure what it is for CentOS). Restart nginx and see if that resolves the 403. If not, then do a 'chmod -R 755 public_html' and restart nginx.
Mouth
Well-known member
Yes, nginx requires any 'deny all' to be last.
Robust
Well-known member
I get a 403 when it's doing deny all. I'm only getting the 403 with the admin.php restrict thing. I'll change the fastcgi pass. It's owned by the user nginx, which is the user for the website, and isn't chmod 755 bad?
p4guru
Well-known member
maybe silly question but sure you have your home ip correct ? check at http://ip-lookup.net
Robust
Well-known member
I do.
I was stupid enough to forget I use CloudFlare. Accepting IP header things via nginx now.
SneakyDave
Well-known member
Ah.. I use the same setup. Didn't even think of that
Similar threads
- Question
