RT Cunningham


Access Control for a Website and a Single User with the Nginx Web Server

Access control for a website and a single user is extremely easy with the Nginx web server. It isn’t as easy with multiple users, but the same methods still work; it just takes some coordination.

Access Control for the Admin Section

You can prevent everyone but yourself from accessing the admin section of your website. You need four things: SSL (HTTPS), a good login routine, the ability to manually create web cookies, and the Nginx configuration code for the access control conditions.

There are extensions for Chrome and Firefox that let you manually create web cookies in their respective browsers, on the desktop anyway. The Android version of Chrome doesn’t support extensions yet. I can’t tell you when it will, so it’s best to use something else on Android phones.

The extension I use on Chrome is EditThisCookie. On Firefox, it’s Cookie Manager. You may need to study cookie components in PHP and JavaScript, but the extensions will do everything you want them to do.

Access Control Nginx Configuration Code

The access control code for Nginx needs more than a small bit of explanation. Using WordPress as an example, the Nginx configuration code should look something like this:

set $kill_uri 0;                                # start clean so nginx does not warn about an uninitialized $kill_uri
# Deny the whole admin section and every PHP file (~* makes the regex case-insensitive)
if ($request_uri ~* (/wp-admin|\.php))          { set $kill_uri 1; }
# Re-allow one specific PHP file; = is an exact string match, so an anchored regex (~) is needed here
if ($request_uri ~ ^/path-to/something\.php)    { set $kill_uri 0; }
# Re-allow any request that presents the manually created cookie NAME with the value VALUE
if ($cookie_NAME = VALUE)                       { set $kill_uri 0; }
if ($kill_uri)                                  { return 403; }   # anything still flagged is refused

The first if line denies access to the whole admin section and to every PHP file. The second allows access to one specific PHP file (such as the processing script for a contact form); you can allow more than one, of course. The third is the format for checking a specific cookie: the NAME part of “$cookie_NAME” is the actual name of the cookie, and VALUE is the actual value of the cookie, naturally.
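As an added illustration (not code from this post), here is a small Python model of those four if lines. The cookie name NAME, its value VALUE and the allowed path are placeholders assumed from the snippet; running it against some constructed request URIs and Cookie headers shows why the allow rule needs an anchored regex and why $request_uri, which includes the query string, can block more than the path alone.

```python
import re

# Constructed placeholders standing in for the NAME, VALUE and allowed path in the snippet above.
COOKIE_NAME = "NAME"
COOKIE_VALUE = "VALUE"
ALLOWED_PATH = "/path-to/something.php"

# ~* is a case-insensitive regex. It is unanchored, so it matches anywhere in $request_uri,
# and $request_uri includes the query string (use $uri instead if only the path should count).
DENY_RE = re.compile(r"(/wp-admin|\.php)", re.IGNORECASE)
# The allow rule must be an anchored regex (~), not an exact match (=), or a query string
# such as ?submitted=1 on the contact-form handler would defeat the exception.
ALLOW_RE = re.compile("^" + re.escape(ALLOWED_PATH))


def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into a dict, the way nginx fills $cookie_*."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def decide(request_uri, cookie_header=""):
    """Evaluate the four `if` lines in order and return the status nginx would send (200 or 403)."""
    cookies = parse_cookie_header(cookie_header)
    kill_uri = 0
    if DENY_RE.search(request_uri):                 # if ($request_uri ~* (/wp-admin|\.php))
        kill_uri = 1
    if ALLOW_RE.search(request_uri):                # if ($request_uri ~ ^/path-to/something\.php)
        kill_uri = 0
    if cookies.get(COOKIE_NAME) == COOKIE_VALUE:    # if ($cookie_NAME = VALUE): plain string compare
        kill_uri = 0
    return 403 if kill_uri else 200                 # if ($kill_uri) { return 403; }


if __name__ == "__main__":
    samples = [  # constructed requests: (request_uri, Cookie header)
        ("/wp-admin/", ""),                                        # admin section, no cookie
        ("/path-to/something.php?submitted=1", ""),                # allowed file with a query string
        ("/?redirect=x.php", ""),                                  # .php in the query string is caught too
        ("/wp-admin/", f"session=abc; {COOKIE_NAME}={COOKIE_VALUE}"),  # correct manual cookie
    ]
    for uri, cookie in samples:
        print(f"{decide(uri, cookie)}  {uri}  Cookie: {cookie or '-'}")
```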

The “Check and Reject” section of my article on stopping comment spam on WordPress uses similar code.

Access Control and My Homegrown CMS

I tested all of this while working on my personal, homegrown CMS. It uses a manual web cookie as well as a session cookie. Because SSL encrypts the cookies in transit, neither can be exploited as long as they’re set properly.

There are two ways to handle multiple users, such as multiple authors. One is to grant them no access at all: everything is put in place by the owner or lead author. The other is to have each additional author set up their own manual web cookie and add its parameters to the Nginx code. Either way would work with WordPress, but my CMS only works with the first way.

My homegrown CMS is almost ready to go. Access control is now the furthest thing from my mind. Before I make it publicly available (if I make it publicly available), I need to make sure it works the way I want it to work. It could take a few more days or it could take a few more weeks. I’m not in a hurry.


RT Cunningham
September 25, 2018
Web Development