Nginx
Michael, 2019-10-15 19:44:35

And with the question about the password protection of the admin panel, how to close it?

Again 25.
Today I accidentally came across in the logs that bots just skip the protection
https://mysite.ru/admin/ - a window pops up that does not allow you to download anything without entering a login / password - everything is OK here
but the bots stupidly type https://mysite.ru/admin/login.php and voila - we immediately get to the login / password page from the admin panel

location /admin {
    try_files $uri $uri/ =404;
    auth_basic "Restricted Content";
    auth_basic_user_file /var/www/mysite.ru/.htpasswd;
}

Where to dig?
It is necessary that no user could call any file without going through the initial authorization and only then the authorization of the admin panel


1 answer(s)
alex1478, 2019-10-15
@happy-cat

Moved the correct answer from the discussion.

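location /admin/ {
    # Basic auth set here is inherited by the nested location below.
    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/htpasswd;

    # PHP files under /admin/ are handled inside the protected location.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}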
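
A way to audit the access log for the behaviour described in the question, as an added example that is not part of the original thread. It assumes nginx's default `combined` log format and the `/admin/` prefix from the configs above; the function name and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# nginx "combined" format (assumed):
# $remote_addr - $remote_user [$time_local] "$request" $status ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

PROTECTED_PREFIX = "/admin/"  # the location auth_basic is meant to cover

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2019:19:40:01 +0300] "GET /admin/ HTTP/1.1" 401 195 "-" "bot"',
    '203.0.113.7 - - [15/Oct/2019:19:40:02 +0300] "GET /admin/login.php HTTP/1.1" 200 1520 "-" "bot"',
    '198.51.100.4 - editor [15/Oct/2019:19:41:10 +0300] "GET /admin/login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Oct/2019:19:42:30 +0300] "POST /%61dmin/login.php?next=%2F HTTP/1.1" 302 0 "-" "bot"',
    '192.0.2.15 - - [15/Oct/2019:19:43:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def find_unauthenticated_hits(lines, prefix=PROTECTED_PREFIX):
    """Return (addr, path, status) for requests under `prefix` that were
    served or redirected (status < 400) although no Basic auth user was
    logged, i.e. $remote_user is "-"."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed request line or a different log format
        # Drop the query string and decode %xx so /%61dmin/ is not missed.
        path = unquote(m["target"].split("?", 1)[0])
        status = int(m["status"])
        if path.startswith(prefix) and m["user"] == "-" and status < 400:
            hits.append((m["addr"], path, status))
    return hits


if __name__ == "__main__":
    for addr, path, status in find_unauthenticated_hits(SAMPLE_LOG):
        print(f"{addr} reached {path} without credentials (HTTP {status})")
```

After the nested `location ~ \.php$` is in place, the same requests should be logged with status 401 and the function should return an empty list for new log entries.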
