Magento / Security

Protect Magento 1.x admin in Nginx setup

by , , revisited on

We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

Secure Magento administrator interface in few easy steps. Whether you have changed default admin URL or not, it is still exposed to the web. Best thing you can do about this, is to limit access to it using IP restrictions.

Let’s restrict access to Magento admin to a set of trusted IPs.

Step 1. Create configuration file with trusted IP addresses

Create file /etc/nginx/allowed-ips-only.conf and put these contents:

allow; # My Home IP
allow; # My Work IP
allow; # Developer 1
deny all;

Step 2. Update your Magento nginx config

Now let’s update Nginx server block with few more location blocks to protect admin interface:

location ~ ^/(index\.php/)?admin/? {
    include allowed-ips-only.conf;
    try_files $uri $uri/ @handler;

location ~ ^/downloader/? {
    include allowed-ips-only.conf;

Lastly, if you are using WordPress integration (via FishPig plugin), add the following location block to protect WordPress admin interface too:

location ~ ^/wp/(wp-admin|wp-login\.php) {
    include allowed-ips-only.conf;

     try_files $uri $uri/ /wp/index.php;

    if (!-e $request_filename) { rewrite / /wp/index.php?$args last; } ## Catch 404s that try_files miss
    expires off; ## Do not cache dynamic content
    fastcgi_read_timeout 360;

    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;

    client_max_body_size 32M;

    include fastcgi_params;    

Not only it secures your Magento store, but also you save extra CPU time that would otherwise be spent on serving those malicious hacker initiated requests!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: