
I simply want to allow my static IPv4 and IPv6 addresses to access a folder and its contents, and deny everyone else. Here is the config I have.

# Original attempt. The regex is not anchored, so "/wp-admin/" or
# "/wp-login.php" anywhere in the URI matches, not only at the start.
# The block contains no fastcgi_* directives, so a request that passes the
# allow list is presumably served as a plain file instead of being executed by
# PHP — consistent with the application/octet-stream download described below.
# Serving .php files as static content would also disclose their source to
# whichever clients are allowed in.
location ~ /(wp-admin\/|wp-login\.php) {
    allow 72.1.1.1;
    allow 2400:abcd:1234:1234:1234:1234:1234:ba4b;

    deny all;
}

If I remove the IPv6 line it works fine and returns 403 Forbidden on the folder and its files. But with the IPv6 line it starts downloading every URL I hit, valid or not. Error: You have chosen to open - application/octet-stream (7.0 KB)

What am I missing? Please guide me.

Edit: server block

# Question's full server block. Both an IPv4 and an IPv6 listener are defined,
# so a client may reach the site over either address family; which allow entry
# applies presumably depends on the family the client connects with.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mysite.com;
    server_tokens off;
    root /home/wwwadt/www.mysite.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.mysite.com/1048699/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.mysite.com/1048699/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; harmless here, but not a substitute for a Content-Security-Policy.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # Front controller: anything not found on disk is routed to /index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log  /var/log/nginx/www.mysite.com-access.log;
    error_log  /var/log/nginx/www.mysite.com-error.log error;

    error_page 404 /index.php;

    # New changes as per Richard's instructions
    # Regex locations are tested in the order they appear, so this block wins
    # over the generic "\.php$" block below for wp-login.php. The pattern is
    # anchored at the start only: URIs such as /wp-admin-foo or
    # /wp-login.php/extra also match.
    location ~ ^/(wp-admin|wp-login\.php) {
        allow 72.1.1.1;
        allow 2400:abcd:1234:1234:1234:1234:1234:1234;
        deny all;

        # also tried this to serve but no luck
        # A directory URI such as /wp-admin/ satisfies "$uri/" here and is then
        # presumably handed to PHP-FPM with the directory as the script, which
        # is consistent with the "security.limit_extensions" error reported in
        # the comments above.
        try_files $uri $uri/ /index.php?$query_string;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Generic PHP handler for every other URI ending in .php.
    # NOTE(review): no "try_files $uri =404;" precedes fastcgi_pass, so a .php
    # URI that does not exist on disk is still forwarded to PHP-FPM instead of
    # being rejected by nginx; adding that guard is the usual hardening.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Deny dotfiles and dot-directories (e.g. .htaccess, .git), with an
    # exception for /.well-known/ (ACME challenges and similar).
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
  • See [this answer](https://stackoverflow.com/questions/42559736/php-file-downloads-if-nginx-deny-rule-enabled/42561198#42561198). – Richard Smith Mar 26 '21 at 16:18
  • @RichardSmith thanks your answer works But, Now I get a new 403 with msg from logs "FastCGI sent in stderr: "Access to the script '/wp-admin/' has been denied (see security.limit_extensions)" while reading response header from upstream". The wp.login.php file works fine now with the deny rule – Abdul Rehman Mar 27 '21 at 00:26

1 Answer


The protected location block needs to include the necessary statements to execute PHP scripts.

For example:

# Front controller for anything not claimed by a more specific location:
# try the file, then the directory, then fall back to /index.php.
location / {
    try_files $uri $uri/ /index.php?$query_string;
}

# Protected area. The access list is declared once here; nginx directives are
# inherited by nested locations, so it also governs the nested PHP handler
# below. The regex is anchored at the start only, so /wp-admin-foo or
# /wp-login.php/extra match as well.
location ~ ^/(wp-admin|wp-login\.php) {
    allow 72.1.1.1;
    allow 2400:abcd:1234:1234:1234:1234:1234:1234;
    deny all;

    # Nested copy of the generic PHP handler: without it an allowed request for
    # a .php file here is never passed to PHP-FPM. A bare directory URI such as
    # /wp-admin/ does not match "\.php$" and presumably relies on the
    # server-level "index" directive to redirect to /wp-admin/index.php (the
    # fastcgi_index behaviour is questioned in the comments below).
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

# Generic PHP handler for .php URIs outside the protected area.
# NOTE(review): consider "try_files $uri =404;" before fastcgi_pass so that
# .php URIs with no matching file on disk are rejected by nginx rather than
# forwarded to PHP-FPM.
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

PHP only expects to see URIs which end with .php, so the location ~ \.php$ block is repeated as a nested location inside the protected block.

  • OMG, finally I can't thank you enough. It differs a tiny bit from the answer in comments. On other forums and google searches, everywhere I see that specific code, but not this code in answer. Is anything changed in recent time? – Abdul Rehman Mar 27 '21 at 13:23
  • Where can I learn about these configurations for learning purpose. Can you suggest any beginners learning material? – Abdul Rehman Mar 27 '21 at 13:25
  • IDK, but `fastcgi_index` does not appear to be working as I would expect. But if you want learning materials, [I started here](http://nginx.org/en/docs/). – Richard Smith Mar 27 '21 at 14:06