wordpress - 仅在 NGINX 中允许通过 IP 白名单访问某些位置

Question

我正在使用 Sucuri Scanner 通知我登录尝试失败，目前我每天收到大约 50 多封电子邮件。我尝试了几种不同的方法来阻止访问 wp-login.php 和 wp-admin 没有任何运气，因为我认为这些规则可能不适用于子域(或者通常只是糟糕)。

server {
    # Primary domain, secondary domain and subdomains are explicitly 
    # declared so that I can generate certs using CertBot
    server_name primarydomain.com
                secondarydomain.com
                subdomain1.primarydomain.com
                subdomain2.primarydomain.com
                subdomain3.primarydomain.com;

    client_max_body_size 20M;
    root /home/username/www/primarydomain.com/public_html;
    index index.php;
    error_log /home/username/www/primarydomain.com/logs/error.log error;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # This doesn't seem to block access
    location /wp-login.php {
        allow XXX.XXX.XXX.XXX;    # this is my ipaddress
        deny all;
    }

    # This doesn't seem to block access    
    location /wp-admin/ {
        deny all;
        allow XXX.XXX.XXX.XXX;    # this is my ipaddress
    }

    # This doesn't seem to block access
    location ~ ^/(wp-admin|wp-login\.php) {
        deny all;
        allow XXX.XXX.XXX.XXX;    # this is my ipaddress
    }
}

Answer 1

它不起作用，因为 regexps 的优先级高于 nginx 中的前缀

https://nginx.ru/en/docs/http/ngx_http_core_module.html#location

To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered.

重点是:

Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used

所以这个表达式会处理所有的请求

location ~ \.php$

解决方案之一可能是将您的 prefix 位置转换为正则表达式并将它们在配置文件中向上移动

或者对您想要限制访问的网址使用 = 修饰符

Also, using the “=” modifier it is possible to define an exact match of URI and location. If an exact match is found, the search terminates

文档中的更多示例:

location = / {
    [ configuration A ]
}

location / {
    [ configuration B ]
}

location /documents/ {
    [ configuration C ]
}

location ^~ /images/ {
    [ configuration D ]
}

location ~* \.(gif|jpg|jpeg)$ {
    [ configuration E ]
}

The “/” request will match configuration A, the “/index.html” request will match configuration B, the “/documents/document.html” request will match configuration C, the “/images/1.gif” request will match configuration D, and the “/documents/1.jpg” request will match configuration E