
Protect Magento 1.x admin in Nginx setup


Secure the Magento administrator interface in a few easy steps. Whether you have changed the default admin URL or not, it is still exposed to the web. The best thing you can do about this is to limit access to it with IP restrictions.

Let’s restrict access to Magento admin to a set of trusted IPs.

Step 1. Create a configuration file with trusted IP addresses

Create the file /etc/nginx/allowed-ips-only.conf with the following contents (replace the placeholder addresses with your own):

allow 1.1.1.1; # My Home IP
allow 2.2.2.2; # My Work IP
allow 3.3.3.3; # Developer 1
deny all;

Step 2. Update your Magento Nginx config

Now let's add a few more location blocks to the Nginx server block to protect the admin interface. If you changed the admin path in Magento, replace `admin` in the first pattern with your custom admin path, otherwise the restriction never applies:

location ~ ^/(index\.php/)?admin/? {
    include allowed-ips-only.conf;
    try_files $uri $uri/ @handler;
}

location ~ ^/downloader/? {
    include allowed-ips-only.conf;
}

Lastly, if you are using the WordPress integration (via the FishPig plugin), add the following location block to protect the WordPress admin interface as well:

location ~ ^/wp/(wp-admin|wp-login\.php) {
    include allowed-ips-only.conf;

    try_files $uri $uri/ /wp/index.php;

    if (!-e $request_filename) { rewrite / /wp/index.php?$args last; } ## Catch 404s that try_files miss
    expires off; ## Do not cache dynamic content
    fastcgi_read_timeout 360;

    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;

    client_max_body_size 32M;

    include fastcgi_params;
}
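To check how these rules behave before deploying them, here is an added Python model of the policy (written for this page, not code from the original post): it parses the allowed-ips-only.conf above, applies nginx's first-match allow/deny semantics, and tests request paths against the three protected location patterns. The IP addresses are the page's placeholders.

```python
import ipaddress
import re

# Constructed copy of the allowed-ips-only.conf shown above (placeholder IPs).
ALLOWED_IPS_CONF = """\
allow 1.1.1.1; # My Home IP
allow 2.2.2.2; # My Work IP
allow 3.3.3.3; # Developer 1
deny all;
"""

# The three location regexes from the config above. nginx evaluates them as
# PCRE; Python's re behaves identically for these simple patterns.
PROTECTED_LOCATIONS = [
    r"^/(index\.php/)?admin/?",
    r"^/downloader/?",
    r"^/wp/(wp-admin|wp-login\.php)",
]


def parse_access_rules(conf_text):
    """Parse allow/deny lines into (action, network) pairs in file order.
    Accepts single addresses, CIDR networks and the keyword 'all'."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        action, target = line.rstrip(";").split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(rules, client_ip):
    """ngx_http_access_module semantics: the first matching rule wins, and a
    client matching no rule is allowed, which is why 'deny all' must come last."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or addr in network:
            return action == "allow"
    return True


def is_protected_path(path):
    """True when the request path hits one of the IP-restricted locations."""
    return any(re.match(pattern, path) for pattern in PROTECTED_LOCATIONS)


def request_admitted(rules, client_ip, path):
    """Would nginx let this client reach this path under the config above?"""
    return not is_protected_path(path) or is_allowed(rules, client_ip)
```

Note that nginx compares the rules against $remote_addr, so if the store sits behind a reverse proxy or CDN you must configure the real IP module (set_real_ip_from / real_ip_header) first, or every visitor will appear to come from the proxy's address.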

Not only does this secure your Magento store, it also saves the CPU time that would otherwise be spent serving malicious requests aimed at the admin interface.
