Can I deny in nginx based by URI and IP?

Question

Basically I have an wordpress site (with a ecommerce store and a social login). I have denied all access to wp-login.php based on ip address. The problem is that social login uses this wp-login file. So I wonder if is possible to: - block almost all queries to wp-login.php by ip address and allow by ip only specific queries. Meaning
wp-login.php allow 1 ip deny all
wp-login.php?action=lostpassword allow 1 ip deny all
wp-login.php?action=rp&key=.*?&login=.* allow 1 ip deny all
.
.
wp-login.php?ywsl_social=google allow all ip's
wp-login.php?ywsl_social=twitter allow all ip's

Something like this:

location = /wp-login.php {
    if ($query_string = "ywsl_social=google|ywsl_social=twitter") 
        {
            allow all;
            fastcgi_pass   unix:/var/sockets/sock.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_param HTTPS on;
    }
    else {
            allow 1.1.1.1;
            deny all;
            fastcgi_pass   unix:/var/sockets/sock.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_param HTTPS on;
        }

The first location block is enough. But, please add the following as the first line inside the location block... `if ($query_string = "") { return 403; }`. It basically checks if the query string is empty and if empty, forbids the visit. — Pothi Kalimuthu, May 14 '16 at 15:01
Thanks, Ponthi, but i was interested to block almost all queries to wp-login.php by ip address and allow by ip only specific queries. Meaning wp-login.php blocked by ip, `wp-login.php?action=lostpassword` blocked by ip, `wp-login.php?action=rp&key=.*?&login=.*` blocked by ip. // `wp-login.php?ywsl_social=google` allow all ip's . something like `location = /wp-login.php {if ($query_string = "ywsl_social=google|ywsl_social=twitter") { allow all;} else {allow 1.1.1.1; deny all; ... } }` — Alex, May 15 '16 at 11:51
I guess map directive might work for this use case. But, please update your original question regarding additional info you provided in the comment. I also think that certain things could have been done effectively using Apache especially when we have more conditions to check. Nginx can do very little with its IF directive. Sorry for deviating away from the original question. — Pothi Kalimuthu, May 15 '16 at 12:34
Thanks man, will look into map. Sorry I didn't explained better from begining. — Alex, May 15 '16 at 12:56

Can I deny in nginx based by URI and IP?

0 Answers0