How to Protect admin login with NGiNX by IPs

Maks · September 12, 2024, 1:00pm

I have been trying to deny all and allow IP only for location: /admin
But It not working, please any help.
where should I add the rule for admin.

location /admin {
		allow 15.235.0.1;
		allow 15.235.0.1;
		deny all;
		error_page 404 = /404.php;
		try_files $uri $uri/ =404;
		
		location ~ \.php$ {
				deny all;
		}
}

My config Files:

nginx.ssl.conf:

server {
        listen      %ip%:%web_ssl_port% ssl;
        server_name %domain_idn% %alias_idn%;
        root        %sdocroot%;
        index       index.php index.html index.htm;
        access_log  /var/log/nginx/domains/%domain%.log combined;
        access_log  /var/log/nginx/domains/%domain%.bytes bytes;
        error_log   /var/log/nginx/domains/%domain%.error.log error;

        ssl_certificate     %ssl_pem%;
        ssl_certificate_key %ssl_key%;
        ssl_stapling        on;
        ssl_stapling_verify on;

        # TLS 1.3 0-RTT anti-replay
        if ($anti_replay = 307) { return 307 https://$host$request_uri; }
        if ($anti_replay = 425) { return 425; }

        include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location ~ /\.(?!well-known\/) {
                deny all;
                return 404;
        }

        location / {
                location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$ {
                        expires 3d;
                        fastcgi_hide_header "Set-Cookie";
                }


                location ~ [^/]\.php(/|$) {
                        try_files $uri =404;

                        include /etc/nginx/fastcgi_params;

                        fastcgi_index index.php;
                        fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                        fastcgi_pass %backend_lsnr%;

                        include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;

                        if ($request_uri ~* "/admin/|index.php") {
                                set $no_cache 1;
                        }
                }
        }

        location /error/ {
                alias %home%/%user%/web/%domain%/document_errors/;
        }

        location /vstats/ {
                alias   %home%/%user%/web/%domain%/stats/;
                include %home%/%user%/web/%domain%/stats/auth.conf*;
        }

        proxy_hide_header Upgrade;

        include /etc/nginx/conf.d/phpmyadmin.inc*;
        include /etc/nginx/conf.d/phppgadmin.inc*;
        include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

/home/user/conf/web/domain.com/nginx.conf_rewrite

location ~* /contents/.*\.php$ {
    internal;
}
location /admin/data/ {
    internal;
}
location /admin/logs/ {
    internal;
}
location /admin/plugins/ {
    internal;
}
location /admin/smarty/ {
    internal;
}
location /admin/stamp/ {
    internal;
}
location /admin/template/ {
    internal;
}
location /admin/tools/ {
    internal;
}
location /blocks/ {
    internal;
}
location /template/ {
    internal;
}
location /tmp/ {
    internal;
}
location /langs/ {
    internal;
}

# admin panel rewrites
rewrite ^/admin/posts_for_(.*)\.php$                                     /admin/posts_for_types.php?post_type_external_id=$1 last;
rewrite ^/admin/feeds/(.*)/$                                             /admin/feeds/get_feed.php?external_id=$1 last;
rewrite ^/admin/api/.php$               /admin/api/api.php last;
rewrite ^/admin/billings/([^/]*)\.php$  /admin/billings/$1/$1.php last;

Maks · September 16, 2024, 11:28am

hello,

sahsanu · September 16, 2024, 11:34am

You could add it to the conf file you already created:

/home/user/conf/web/domain.com/nginx.conf_rewrite

But you must create the same file for ssl:

ln -sr /home/user/conf/web/domain.com/nginx.conf_rewrite /home/user/conf/web/domain.com/nginx.ssl.conf_rewrite

Maks · September 16, 2024, 12:33pm

I added at top of files nginx.ssl.conf_rewrite and nginx.conf_rewrite.

after add the page /admin/index.php become downloable, not working in browser,

location /admin {
    allow 15.235.0.1;
    deny all;
    error_page 404 = /404.php;
    try_files $uri =404;
    location ~ \.php$ {
    deny all;
    }
}
location ~* /contents/.*\.php$ {
    internal;
}
location /admin/data/ {
    internal;
}
location /admin/logs/ {
    internal;
}
location /admin/plugins/ {
    internal;
}
location /admin/smarty/ {
    internal;
}
location /admin/stamp/ {
    internal;
}
location /admin/template/ {
    internal;
}
location /admin/tools/ {
    internal;
}
location /blocks/ {
    internal;
}
location /template/ {
    internal;
}
location /tmp/ {
    internal;
}
location /langs/ {
    internal;
}

eris · September 16, 2024, 12:42pm

You should probally just deny access to It . PHP-FPM ignores it anyway

Maks · September 16, 2024, 1:19pm

I simply remove it, now file looks example, but getting “access forbidden by rule” 403 Forbidden

location /admin {
    allow 15.235.0.1;
    deny all;
    error_page 404 = /404.php;

    try_files $uri /admin/index.php;

    location ~ \.php$ {
    deny all;
    }
}
location /admin/data/ {
    internal;
}
location /admin/logs/ {
    internal;
}
location /admin/plugins/ {
    internal;
}
location /admin/smarty/ {
    internal;
}
location /admin/stamp/ {
    internal;
}
location /admin/template/ {
    internal;
}
location /admin/tools/ {
    internal;
}
location /blocks/ {
    internal;
}
location /template/ {
    internal;
}
location /tmp/ {
    internal;
}
location /langs/ {
    internal;
}