I have installed WordPress on a LEMP stack in Ubuntu in Digital Ocean.

When I use the Droplet IP address to access it, it shows the default nginx welcome page; but when I use its URL, it shows the actual WordPress site that is installed on the site.

  1. What might be the issue?
  2. What is the best practice in terms of security?

Here's my nginx configuration:

# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.mysite.in mysite.in;

    include snippets/letsencrypt.conf;
    return 301 https://mysite.in$request_uri;
}

# Redirect WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.mysite.in;

    ssl_certificate /etc/letsencrypt/live/mysite.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.in/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mysite.in/chain.pem;
    include snippets/ssl.conf;

    return 301 https://mysite.in$request_uri;
}

server {
    listen 443 ssl http2;
    server_name mysite.in;

    root /var/www/html/mysite.in;
    index index.php;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/mysite.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.in/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mysite.in/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/mysite.in.access.log;
    error_log /var/log/nginx/mysite.in.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }

}
mforsetti
Praveen
  • Be aware that allowing your WP site to be accessed by IP only invites thousands of ever-present bots and script kiddies that only scan by IP. On my sites I drop IP-only queries and don't log them on the default server. No legitimate user should be looking for your WP site by IP only. – Peleion May 04 '20 at 17:40
  • I don't want to allow the site to be accessed by IP. I am just wondering what's the best practice: should I leave the Nginx default welcome page available to show up when someone accesses the IP? – Praveen May 04 '20 at 17:58

2 Answers


When you don't specify a host, your Nginx has to serve the default server configuration. Those you have shown all have a server name.

Gerard H. Pille
  • Is it OK to allow the Nginx default page to be available on the IP address? – Praveen May 04 '20 at 18:00
  • It depends on how paranoid you are; some think it is dangerous to inform the evildoers of what server you are running. But when one is running WP, one probably has other worries. – Gerard H. Pille May 04 '20 at 18:32

In your configuration for nginx, you are using mysite.in as the server name. So when you access it with the URL (mysite.in) it works, but not with the IP address, because nginx is expecting the server name as the URL only.

If you want to access it from both the URL and the IP address, you can use an underscore as the server name.

server_name _;

Rahul Garg
  • I am just trying to understand what the best practice is, in terms of security and SEO. – Praveen May 04 '20 at 17:59
  • You can add server_tokens off; in your http block to hide the version of nginx when accessed through the IP address. Then again, as @gerard h pille said, it depends on you from a security point of view. – Rahul Garg May 05 '20 at 01:36
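
A catch-all server along the lines of the first comment on the question (drop IP-only requests and don't log them), shown as an added example that is not part of the original thread. The file location, the certificate paths, and the use of `return 444` are assumptions; `mysite.in` is the name from the question.

```nginx
# Added example. Save as its own file in the http context, e.g.
# /etc/nginx/conf.d/00-catch-all.conf (hypothetical path), and disable the
# stock default site (or remove its default_server flags), otherwise
# `nginx -t` reports a duplicate default server.

# Optional, in the http {} block of nginx.conf (from the thread):
# server_tokens off;

# Port 80: requests made by bare IP or with an unknown Host header.
server {
    listen 80 default_server;   # add "listen [::]:80 default_server;" if you serve IPv6
    server_name _;              # placeholder name; default_server is what makes
                                # this block the catch-all

    access_log off;             # keep scanner noise out of the logs
    return 444;                 # nginx-specific: close the connection, send nothing
}

# Port 443: without a default_server here, nginx falls back to the first
# 443 server block it loaded, so a request to the IP is answered with the
# mysite.in certificate and a redirect to the site.
server {
    listen 443 ssl default_server;
    server_name _;

    # nginx >= 1.19.4: refuse the TLS handshake when the SNI name matches
    # no configured server; no certificate is needed in this block.
    ssl_reject_handshake on;

    # Older nginx: remove ssl_reject_handshake and point these at a
    # self-signed certificate instead (placeholder paths):
    # ssl_certificate     /etc/nginx/ssl/catch-all.crt;
    # ssl_certificate_key /etc/nginx/ssl/catch-all.key;

    access_log off;
    return 444;
}
```

Run `nginx -t` before reloading; the named `mysite.in` server blocks from the question keep working unchanged because they still match on `server_name`.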