Protecting Magento admin/downloader/api/rss

It's possible to protect your Magento admin and Magento Connect (downloader) without changing their URLs to something obscure. You can do it with a simple Nginx configuration entry.

We do not recommend changing your admin URI: security through obscurity is not security. Keeping the /admin URL allows us to automatically apply WAF rules to protect your admin, auto-tag admin requests, prioritise them, set memory limits and timeouts, and pass requests as necessary.

If your Magento admin URL is /admin, you can use a native MageStack feature to secure it by simply adding,

set $magestack_protect_admin true;

Similarly, you can protect Magento Connect (downloader) with the following,

set $magestack_protect_downloader true;

The RSS interface with,

set $magestack_protect_rss true;

The Magento 1 API interface with (do not use with Magento 2),

set $magestack_protect_api true;

Enabling protection globally

It is recommended to enable protection across the whole stack (then conditionally allow access per vhost), the global Nginx configuration file can be found in /microcloud/domains/.nginx-global-general.pre.conf.

Editing this file to add the following will ensure full protection for all vhosts.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_rss true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

Then conditionally disable protection using the rules below by editing the vhost's respective ___general/example.com.conf file.

Accounting for custom admin URLs/routes

Custom admin routes/areas should be flagged using the $magestack_is_admin variable; it is best set conditionally on the request URI.

E.g. for a custom admin URL of /backend,

set $magestack_protect_admin true;

if ($request_uri ~* ^/(index\.php/)?backend/) {
  set $magestack_is_admin true;
}

Prior to SUPEE-6788, some Magento modules defined their own custom admin routes, which bypass admin protection. You can ensure any old/legacy modules are treated as admin by identifying their admin paths and setting the variable accordingly,

set $magestack_protect_admin true;

if ($request_uri ~* ^/(index\.php/)?(module_admin|other_module_admin|another_module_admin)/) {
  set $magestack_is_admin true;
}

Toggle protection by condition

You can control whether protective mode is enabled for specific IPs or user agents by modifying the ___general/example.com.conf configuration file.

Simply use conditional statements to set the respective variable to either true or false.

Toggle protection mode by IP

Replace 127.0.0.1 as necessary. Escape the dots and anchor the expression: an unescaped dot matches any character, and an unanchored 127.0.0.1 would also match 127.0.0.10 or 1127.0.0.1.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

if ($remote_addr ~ "^127\.0\.0\.1$") {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}

For multiple IPs, simply separate them with a pipe (standard PCRE alternation), keeping the anchors around the whole group.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

if ($remote_addr ~ "^(127\.0\.0\.1|172\.16\.0\.1|10\.0\.0\.1|192\.168\.0\.1)$") {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}
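The regex approach is fine for a handful of fixed addresses, but for whole ranges the idiomatic Nginx way is the geo module, which compares addresses numerically, accepts CIDR notation and has no escaping pitfalls. This is an added example, not MageStack's own documentation or code: a geo block must be declared in the http context, and since this page only names the .nginx-global-general.pre.conf and ___general/example.com.conf files, where exactly that http-level include lives on MageStack is an assumption. The addresses are constructed documentation ranges.

```nginx
# Added example. geo must be declared in the http context; which MageStack
# file is included there is an assumption, not a path documented on this page.
#
# $remote_addr is the TCP peer. If a proxy or CDN sits in front of Nginx, the
# client address must be taken from the forwarded header instead; see the
# geo module's "proxy" directive before relying on this.
geo $magestack_admin_allowed {
  default            0;
  192.0.2.0/24       1;   # office range (constructed example)
  198.51.100.17      1;   # VPN egress address (constructed example)
  203.0.113.0/28     1;   # monitoring hosts (constructed example)
}

# In ___general/example.com.conf (server context): protection stays on for
# everyone except the allow-listed sources. Nginx treats "0" and "" as false
# in an if, so a non-matching address keeps protection enabled.
set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_rss true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

if ($magestack_admin_allowed) {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_rss false;
  set $magestack_protect_api false;
}
```

Because the allow-list is a lookup table rather than a regex, adding or removing an office range is a one-line change and there is no risk of an over-broad pattern silently widening access.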

Toggle protection mode by user agent

Alternatively, you can disable protection only for certain user agents. Bear in mind that the User-Agent header is set by the client and is trivially spoofed, so this is a convenience for known tools, not an access control; prefer the IP or cookie methods for anything sensitive.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

if ($http_user_agent ~ MSIE) {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}

Toggle protection mode by cookie

Create a special location (e.g. iS4BF0IUGp6rbuSoqyYq9a37RcA in this example, but replace it with your own) that, once visited in a browser, sets a cookie granting access. This allows for situations where a dynamic IP is present but admin protection is desired. Anyone who learns this URL (it will appear in browser history, access logs and potentially Referer headers) gets the same bypass, so treat the location name as a secret: use a long random value and rotate it periodically.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;

# Do not use API protection with Magento 2
set $magestack_protect_api true;

location ~ ^/iS4BF0IUGp6rbuSoqyYq9a37RcA {
  # Path=/ so the cookie is sent to /admin rather than only to this location;
  # HttpOnly keeps it out of reach of page scripts. Add "; Secure" if the
  # admin is served over HTTPS only.
  add_header Set-Cookie "adminkey=iS4BF0IUGp6rbuSoqyYq9a37RcA; Path=/; Max-Age=604800; HttpOnly";
  rewrite ^(.*)$ /admin redirect;
  break;
}

if ($cookie_adminkey = "iS4BF0IUGp6rbuSoqyYq9a37RcA") {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}