ip allow deny 的 Nginx 配置开始下载文件和 403 文件夹访问

Nginx config for ip alow denny starts downloading files and 403 on folder access

我只想允许我的静态 ip 和 ipv6 访问文件夹及其内容并拒绝所有 这是我的配置。

location ~ /(wp-admin\/|wp-login\.php) {
    allow 72.1.1.1;
    allow 2400:abcd:1234:1234:1234:1234:1234:ba4b;

    deny all;
}

如果我删除 ipv6 行,它可以正常工作,return 403 forbidden on folder and files。 但是对于 ipv6,它开始下载每个 url 我点击有效与否。 错误:您已选择打开 - application/octet-stream (7.0 KB)

我漏了什么,请指点。

编辑:服务器块

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mysite.com;
    server_tokens off;
    root /home/wwwadt/www.mysite.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.mysite.com/1048699/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.mysite.com/1048699/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log  /var/log/nginx/www.mysite.com-access.log;
    error_log  /var/log/nginx/www.mysite.com-error.log error;

    error_page 404 /index.php;

    # New changes as per Richard's instructions
    location ~ ^/(wp-admin|wp-login\.php) {
        allow 72.1.1.1;
        allow 2400:abcd:1234:1234:1234:1234:1234:1234;
        deny all;

        # also tried this to serve but no luck
        try_files $uri $uri/ /index.php?$query_string;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

受保护的 location 块需要包含执行 PHP 脚本所需的语句。

例如:

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location ~ ^/(wp-admin|wp-login\.php) {
    allow 72.1.1.1;
    allow 2400:abcd:1234:1234:1234:1234:1234:1234;
    deny all;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.4-fpm-wwwadt.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

PHP 只希望看到以 .php 结尾的 URI,因此 location ~ \.php$ 块作为嵌套位置包含在内。