Protecting Magento admin/downloader/api/rss

It's possible to protect your Magento admin and Magento Connect (downloader) without changing the URLs to something obscure. You can do it with a simple Nginx configuration entry.

We do not recommend changing your admin URI – security through obscurity is not security. Keeping the /admin URL allows us to automatically apply WAF rules to protect your admin, auto-tag admin requests, prioritise them, set memory limits and timeouts, and pass requests on as necessary.

If your Magento admin URL is /admin, you can leverage a native MageStack feature by editing the ___general/example.com.conf file for your domain and adding,

set $magestack_protect_admin true;

Similarly, you can protect Magento Connect (downloader) with the following,

set $magestack_protect_downloader true;

And the API interface with,

set $magestack_protect_api true;

And the RSS interface with,

set $magestack_protect_rss true;

Accounting for custom admin URLs/routes

You should declare custom admin routes/areas with the $magestack_is_admin variable; it's best to set it conditionally by request URI.

Eg. For a custom admin URL of /backend

set $magestack_protect_admin true;

if ($request_uri ~* ^/(index\.php/)?backend/) {
  set $magestack_is_admin true;
}

Prior to SUPEE-6788, some Magento modules defined their own custom admin routes, which bypass admin protection. You can ensure any old/legacy modules are treated as admin by identifying their admin paths and setting the variable accordingly,

set $magestack_protect_admin true;

if ($request_uri ~* ^/(index\.php/)?(module_admin|other_module_admin|another_module_admin)/) {
  set $magestack_is_admin true;
}

Toggle protection by condition

You can control whether protective mode is enabled for specific IPs or user agents by modifying the ___general/example.com.conf configuration file.

Simply use conditional statements to set the respective variable to either true or false.

Toggle protection mode by IP

Replace 127.0.0.1 as necessary. Escape the dots and anchor the pattern so that only the exact address matches.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_api true;

# Escaped dots and ^...$ anchors: an unescaped, unanchored (127.0.0.1) would also match 127.0.0.100 or 1127.0.0.1
if ($remote_addr ~ ^(127\.0\.0\.1)$) {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}

For multiple IPs, simply separate them with a pipe (this is standard Perl regex format); keep the dots escaped and the anchors in place.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_api true;

# Each alternative is a full, escaped address; the anchors apply to the whole group
if ($remote_addr ~ ^(127\.0\.0\.1|172\.16\.0\.1|10\.0\.0\.1|192\.168\.0\.1)$) {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}
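The following Python snippet is an added example (not part of the MageStack documentation) that shows why the allowlist regex must be escaped and anchored: it emulates the unanchored search behind Nginx's `~` operator, compares a loose pattern against a strict one using the sample addresses above, and renders the corrected `if` block.

```python
import re

# Constructed sample allowlist (not real infrastructure): the addresses used above.
ALLOWED_IPS = ["127.0.0.1", "172.16.0.1", "10.0.0.1", "192.168.0.1"]


def nginx_match(pattern: str, value: str) -> bool:
    """Emulate nginx's case-sensitive `~` operator: an unanchored regex search."""
    return re.search(pattern, value) is not None


def loose_pattern(ips):
    """Unescaped dots and no anchors: each dot is a wildcard and partial matches count."""
    return "(" + "|".join(ips) + ")"


def strict_pattern(ips):
    """Escaped and anchored so that only the exact addresses match."""
    return "^(" + "|".join(re.escape(ip) for ip in ips) + ")$"


def nginx_if_block(ips):
    """Render the `if` block that disables protection for the allowlisted IPs."""
    lines = [f"if ($remote_addr ~ {strict_pattern(ips)}) {{"]
    for name in ("admin", "downloader", "api"):
        lines.append(f"  set $magestack_protect_{name} false;")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 10.0.0.100, 210.0.0.1 and 10x0y0z1 all slip through the loose pattern
    for probe in ["10.0.0.1", "10.0.0.100", "210.0.0.1", "10x0y0z1"]:
        print(probe,
              "loose:", nginx_match(loose_pattern(ALLOWED_IPS), probe),
              "strict:", nginx_match(strict_pattern(ALLOWED_IPS), probe))
    print(nginx_if_block(ALLOWED_IPS))
```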

Toggle protection mode by user agent

Alternatively, you can disable protection mode for certain user agents (here, any agent string containing MSIE).

set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_api true;

if ($http_user_agent ~ MSIE) {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}

Toggle protection mode by cookie

Create a special location (Eg. iS4BF0IUGp6rbuSoqyYq9a37RcA in this example, but replace it with your own value) that, once visited in a browser, sets a cookie granting access. This covers situations where the visitor has a dynamic IP but admin protection is still desired.

set $magestack_protect_admin true;
set $magestack_protect_downloader true;
set $magestack_protect_api true;

location ~ ^/iS4BF0IUGp6rbuSoqyYq9a37RcA {
  # Path=/ so the cookie is sent to /admin; HttpOnly keeps it out of reach of page scripts
  add_header Set-Cookie "adminkey=iS4BF0IUGp6rbuSoqyYq9a37RcA;Max-Age=604800;Path=/;HttpOnly";
  rewrite ^(.*)$ /admin redirect;
  break;
}

if ($cookie_adminkey = "iS4BF0IUGp6rbuSoqyYq9a37RcA") {
  set $magestack_protect_admin false;
  set $magestack_protect_downloader false;
  set $magestack_protect_api false;
}