On Wed, Apr 15, 2020 at 12:52:59PM +0200, Lawrence wrote: Hi there,
> To start, I am very much a beginner to nginx and coding. I am a application > support engineer, but got very little development skills. I don't know WordPress; but on the nginx side, what matters is the request that is made (the url, handled in a "location") and the way that you want nginx to handle that request. In nginx (in general), one request is handled in one location; only the configuration in, or inherited into, that location matters. Location-matching does not include the request query string. Inheritance is per directive, and is either by replacement or not at all. The "*_pass" directives are not inherited; the others are. There are exceptions to this description, but it is probably a good enough starting point to understanding the configuration that is needed. The documentation for any directive X can be found from http://nginx.org/r/X > My goal is to have the sites available but the access to all wp admin must be > limited. > below are a few of the solutions I found. Non seem to work fully. I assume it > is my understanding of nginx configuration. > > method #1 -- test unsuccessfully. In this case, does "unsuccessful" mean: the php file is not handled when it should be; or the php file is handled when it should not be; or something else? In general, it is good to be specific -- what request was made, what response was returned, and what response was wanted instead. So, with me not knowing WordPress, your mail and some brief web searching suggests that you want your nginx to do the following: * allow any access to any request that ends in ".php", except * restrict access to the request /wp-login.php and * restrict access to any php request that starts with /wp-admin/, except * allow any access to /wp-admin/admin-ajax.php where "restrict" is to be based on an infrequently-changing list of IP addresses or address ranges. And this is in addition to the normal "try_files" config to just get wordpress working. Is that an accurate description of the desired request / response handling mapping? If so, something like (untested): === include fastcgi.conf; # has fastcgi_param, etc, but not fastcgi_pass # Can directly paste the relevant lines here instead location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { location ~ ^/wp-admin/ { allow 192.168.1.0/24; deny all; fastcgi_pass unix:/run/php/php7.0-fpm.sock; } fastcgi_pass unix:/run/php/php7.0-fpm.sock; } location = /wp-login.php { allow 192.168.1.0/24; deny all; fastcgi_pass unix:/run/php/php7.0-fpm.sock; } location = /wp-admin/admin-ajax.php { fastcgi_pass unix:/run/php/php7.0-fpm.sock; } === looks like it should work. There are other ways to arrange things, and there is repetition here of the "allow" list; it may be simpler to maintain that list twice than to use another "include" file. If you are happy to test and report what fails, then it should be possible to end up with a suitable config. Good luck with it, f -- Francis Daly fran...@daoine.org _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
