How to restrict access to Magento admin area by IP Address (Nginx)?


I have tried 2 methods; both are not working:

 

location ~* ^/(index\.php/admin|admin) {
    allow 1.1.1.1;

    try_files $uri $uri/ /index.php?$args;
    location ~* \.php$ { try_files /dummy @proxy; }
    deny all;
}
location ~ "^/admin_" {

    allow 1.2.3.4;
    allow 1.2.3.5;
    allow 1.2.3.6;
    deny all;

    fastcgi_pass   unix:/var/run/php-fpm/example.com.sock;
    fastcgi_buffers 1024 4k;
    fastcgi_buffer_size 128k;

    fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
    fastcgi_param  PHP_VALUE "memory_limit=4G \n max_execution_time=600 \n max_input_vars=100000";
    fastcgi_read_timeout 600s;
    fastcgi_connect_timeout 600s;

    fastcgi_param  SCRIPT_FILENAME  $document_root/index.php;
    include        fastcgi_params;
}

I am using Magento 2.3.6 and Magento 2.4.2, and I plan to store IPs in a text file, and ban all IPs in the text.

 

tks.
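
For the plan in the question to keep the IPs in a text file, one way to turn such a file into nginx `allow`/`deny` rules that a location block can pull in with `include`. This is an added example, not code from the thread; the function name, the `mode` switch and the sample addresses are assumptions.

```python
import ipaddress


def build_nginx_acl(lines, mode="allow"):
    """Turn the lines of a plain-text IP list into nginx access rules.

    mode="allow": listed addresses are allowed, everyone else is denied.
    mode="deny":  listed addresses are denied, everyone else is allowed.
    Any malformed entry raises ValueError, so a typo in the list never
    produces a partial rule set.
    """
    if mode not in ("allow", "deny"):
        raise ValueError(f"unknown mode: {mode!r}")
    seen, rules = set(), []
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.1.1.10/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {entry!r}") from exc
        if net in seen:  # skip duplicates
            continue
        seen.add(net)
        # Single hosts are written without the /32 or /128 suffix.
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        rules.append(f"{mode} {text};")
    # Catch-all last: nginx stops at the first allow/deny rule that matches.
    rules.append("deny all;" if mode == "allow" else "allow all;")
    return "\n".join(rules) + "\n"


# Constructed sample list (documentation address ranges, not real hosts).
SAMPLE = """\
# office
203.0.113.10
198.51.100.0/24   # VPN range
203.0.113.10
2001:db8::1
"""

if __name__ == "__main__":
    print(build_nginx_acl(SAMPLE.splitlines()), end="")
```

Write the output to a file (for example a hypothetical `/etc/nginx/magento_admin_acl.conf`), `include` it inside the admin location, then run `nginx -t` before reloading. An empty list in allow mode yields only `deny all;`, so the admin area fails closed.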


Re: How to restrict access to Magento admin area by IP Address (Nginx)?

Hello @sinobest,
Have you checked the following blog?

https://www.getastra.com/blog/cms/magento-security/restrict-access-magento-admin-area-ip-address-hta...

It has steps for both Apache and Nginx.
Or try the code below in your nginx.conf file:

location ~* ^/(index\.php/bcknd|bcknd) {
    allow 1.1.1.1;

    try_files $uri $uri/ /index.php?$args;
    location ~* \.php$ { try_files /dummy @proxy; }
    deny all;
}

Thank you.
Problem solved? Accept as a solution and click kudos.

Re: How to restrict access to Magento admin area by IP Address (Nginx)?

Earlier I tried the code under Magento 2.4.2, and it did not work. I have tried the code again under Magento 2.3.6, and it works wonderfully.

Would you please retry the code under Magento 2.4.2?

Re: How to restrict access to Magento admin area by IP Address (Nginx)?

Hello @sinobest,

Are you getting any errors in 2.4.2?

If so, share your errors here.
Thank you.

Re: How to restrict access to Magento admin area by IP Address (Nginx)?

Not working under Magento 2.4.

Re: How to restrict access to Magento admin area by IP Address (Nginx)?

Steps to restrict IP addresses in Apache using .htaccess file

  1. Log in to your server via cPanel/FTP/SSH and navigate to the root of your Magento installation
  2. Open the .htaccess file in your text editor and add the following code:
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(.*) [NC]
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.12$
    RewriteRule .* - [F,L]
    
  3. If you have changed the admin URL, update it in line #1 of the above code. Let us say your admin URL is ‘backoffice’; line #1 will become:
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?backoffice(.*) [NC]
  4. For every IP address/range that should have access to the Admin area, you can add the following line after replacing the sample IP with yours:
    RewriteCond %{REMOTE_ADDR} !^10\.1\.1\.10$
  5. Save the .htaccess file and verify the changes by accessing the Magento Admin area from your browser