0

I am trying to block PHP script execution in few folders for a WordPress installation but Nginx is giving me hard time.

location = /wp/wp-includes/category.php {
    deny all;
}

I am able to block individual script using exact match but when I use regex it doesn't work.

location ~* /wp/wp-includes/.*\.php$ {
    deny all;
}

I am not sure what am I doing wrong?

EDIT

I have following rules after above rules:

location / {
    error_page 418 = @cachemiss;
    # To allow POST on static pages. Will search with me error
    error_page  405 =200 $uri;
    recursive_error_pages on;

    # bypass cache for common query strings
  if ($arg_s != "") { return 418; } # search query
  if ($arg_p != "") { return 418; } # request a post / page by ID
  if ($arg_amp != "") { return 418; } # amp test
  if ($arg_preview = "true") { return 418; } # preview post / page

  if ($http_cookie ~* "(wordpress_logged_in_|wp\-postpass_|woocommerce_items_in_cart|woocommerce_cart_hash|wptouch_switch_toogle|comment_author_|comment_author_email_)") {
    return 418;
  }
  # by pass caching for post requests
  if ($request_method = POST ) {
    return 418;
  }

  if (!-f "$rocket_file") {
    return 418;
  }

  etag on;
  try_files "$rocket_url" $uri $uri/ /index.php$is_args$args;
}


location @cachemiss {
  try_files $uri $uri/ /index.php$is_args$args;
}
Maximus
  • 345
  • 1
  • 3
  • 7
  • Please show output of `nginx -T` so we can see the full nginx configuration. – Tero Kilkanen Jan 28 '22 at 16:26
  • @Maximus Regex matching locations are checked from first to last. The first matched location is selected to process the request. Having that location __after__ the usual `location ~ \.php$ { ... }` PHP handler will make it unreachable - you need to place it __before__ the default PHP handler. On the other hand exact matching locations (`location = { ... }`) have greater priority over any other locations type, so your first location will work no matter where it will be placed. – Ivan Shatsky Jan 29 '22 at 12:03
  • @IvanShatsky I have this location at the top of the file and then wordpress rewrite rule. – Maximus Feb 03 '22 at 01:27
  • @Maximus What do you mean by "wordpress rewrite rule"? – Ivan Shatsky Feb 03 '22 at 01:31
  • @IvanShatsky I just updated my question. Thank your for the help. – Maximus Feb 03 '22 at 01:47
  • @Maximus I don't see anything that could be the cause, but I don't see either the PHP handler (usually `location ~ \.php$ { ... }` or something similar). Are you sure it is located below the given configuration fragment, not above it? – Ivan Shatsky Feb 03 '22 at 02:06

0 Answers0