How to make NGINX WordPress multisite and phpmyadmin friends?

D

Dubrovin2020-05-02 16:06:30

Nginx

Dubrovin, 2020-05-02 16:06:30

For multisite, the config is registered:

if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
    rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}

With this config, when I go to SITE/phpmyadmin, I get an error 404.
How can I make sure that when the location contains phpmyadmin, these rules do not work?

nginx.conf config

user www-data;
pid /var/run/nginx.pid;

worker_processes 2;
worker_rlimit_nofile 65535;

events {
  multi_accept on;
  worker_connections 65535;
  use epoll;
}

http {
  charset utf-8;

  sendfile on;
  tcp_nodelay on;
  tcp_nopush on;

  server_tokens off;
  log_not_found off;

  types_hash_max_size 2048;
  client_max_body_size 128m;

  keepalive_timeout 100;
  proxy_request_buffering off;

  # MIME types
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Logging
  error_log /var/log/nginx/error.log warn;
  access_log /var/log/nginx/access.log;

  # GZIP
  gzip on;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
  gzip_proxied any;
  gzip_vary on;
  gzip_disable "msie6";
  
  # Open files cache
  open_file_cache max=1000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  # FastCGI buffers
  fastcgi_temp_file_write_size 10m;
  fastcgi_busy_buffers_size 32k;
  fastcgi_buffer_size 32k;
  fastcgi_buffers 8 16k;

  # FastCGI read timeout fix
  fastcgi_read_timeout 600;

  # SSL
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets on;
  ssl_buffer_size 8k;

  # Mozilla Intermediate configuration
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

  # Diffie-Hellman parameter for DHE ciphersuites
  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
  resolver_timeout 2s;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/vhosts/*/*.conf;

  server {
    server_name localhost;
    disable_symlinks if_not_owner;
    listen 80;
    listen [::]:80;
    
    include /etc/nginx/vhosts-includes/*.conf;

    location @fallback {
      error_log /dev/null crit;
      proxy_pass http://127.0.0.1:8080;
      proxy_redirect http://127.0.0.1:8080 /;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      access_log off ;
    }
  }
}

File vhosts-includes/phpmyadmin.conf

location /phpmyadmin {
  alias /usr/share/phpmyadmin;
  index index.php;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
  alias /usr/share/phpmyadmin/$1;
  error_page 404 @apache;
}
location ~ ^/phpmyadmin/(.+\.php)$ {
  alias /usr/share/phpmyadmin/$1;
  fastcgi_pass unix:/var/run/php-fpm.www-data.sock;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME $request_filename;
  include fastcgi_params;
  error_page 502 = @apache;
  error_page 404 = @apache;
}
location @apache {
  error_log /dev/null crit;
  proxy_pass http://127.0.0.1:8080;
  proxy_redirect http://127.0.0.1:8080 /;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}
location ^~ /phpmyadmin/setup {
  deny all;
}

vhosts/website/website.conf file

# HTTP redirect
server {
  server_name website.com www.website.com;

  return 301 https://$host:443$request_uri;
  listen X.X.X.X:80 default_server;
}

server {
  server_name website.com www.website.com;
  ssl_certificate "/var/www/httpd-cert/website/website.com.crtca";
  ssl_certificate_key "/var/www/httpd-cert/website/website.com.key";

  charset UTF-8;
  index index.php index.html;
  disable_symlinks if_not_owner from=$root_path;
  include /etc/nginx/vhosts-includes/*.conf;
  include /etc/nginx/vhosts-resources/website.com/*.conf;
  access_log /var/www/httpd-logs/website.com.access.log;
  error_log /var/www/httpd-logs/website.com.error.log notice;
  set $root_path /var/www/website/data/www/website.com;
  root $root_path;

  location / {
    try_files $uri $uri/ /index.php?$query_string;

    location ~ [^/]\.ph(p\d*|tml)$ {
      try_files /does_not_exists @php;
    }
  }

  # favicon.ico
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  # robots.txt
  location = /robots.txt {
    log_not_found off;
    access_log off;
  }

  # assets, media
  location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires 7d;
    access_log off;
  }

  # svg, fonts
  location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    expires 7d;
    access_log off;
  }

  # WordPress: allow TinyMCE
  location = /wp-includes/js/tinymce/wp-tinymce.php {
    try_files /does_not_exists @php;
  }

  # WordPress: deny wp-content, wp-includes php files
  location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
  }

  # WordPress: deny wp-content/uploads nasty stuff
  location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
    deny all;
  }

  # WordPress: deny scripts and styles concat
  location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
    deny all;
  }

  # WordPress: deny general stuff
  location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
    deny all;
  }

  # . files
  location ~ /\.(?!well-known) {
    deny all;
  }

  # IP restriction for wp-admin
  location ~ ^/wp-admin {
    allow X.X.X.X;
    deny all;
  }

  location ~ /wp-admin/admin-ajax.php {
    allow all;
  }

  # Rewrite multisite '.../wp-.*' and '.../*.php'.
  if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
    rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
  }

  # security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  #add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

  location @php {
    fastcgi_index index.php;
    fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f webmaster@website.com";
    fastcgi_pass unix:/var/www/php-fpm/website.sock;
    fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;

    try_files $uri =404;
    include fastcgi_params;
  }

  listen X.X.X.X:443 ssl default_server http2 fastopen=256;
}

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

K

ky0, 2020-05-02
@ky0

How can I make it so that when the location contains phpmyadmin, these rules do not work?

Place this if in another location, obviously.