Allow access to certain locations via IP whitelist only in NGINX

It's not working because regexps have higher priority than prefixes in nginx

https://nginx.ru/en/docs/http/ngx_http_core_module.html#location

To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered.

And here's the point:

Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used

So this expression would handle all the requests

location ~ \.php$

One of the solutions might be to transform your prefix locations into regexps and move them upwards in the config files

Or use = modifier for urls you'd like to restrict access to

Also, using the “=” modifier it is possible to define an exact match of URI and location. If an exact match is found, the search terminates

More examples from the docs:

location = / {    [ configuration A ]}location / {    [ configuration B ]}location /documents/ {    [ configuration C ]}location ^~ /images/ {    [ configuration D ]}location ~* \.(gif|jpg|jpeg)$ {    [ configuration E ]}

The “/” request will match configuration A, the “/index.html” request will match configuration B, the “/documents/document.html” request will match configuration C, the “/images/1.gif” request will match configuration D, and the “/documents/1.jpg” request will match configuration E

Do try iTheme security plugin with custom login URL and google recaptcha plugin. It reduces the attack up to an extent. A month ago we were getting so many attacks on our site but now it's fine, it got reduced to 2 /week to none.

The easiest fix would be to use nested location

http{server {        server_name *.domain.com;        listen 80;        location ~ \.php$ {           location ~ /wp-login\.php$ {                deny all;           }           location ~ ^/wp-admin/ {                deny all;           }           return 200 "OK";        }}

And the test results are as below

$ curl vm/testing.phpOK%                                                                                                                                                                                         $ curl vm/wp-login.php<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.11.2.2</center></body></html> $ curl vm/wp-admin/index.php<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.11.2.2</center></body></html>