nginx: stop blocking /admin (bot-scan rule matched our own dashboard)

The shared security snippet blocked any path matching /(admin|administrator|
login.action|struts) with 'return 444', which drops the connection. That bare
'admin' token also matched our own operations dashboard at /admin and the new
/admin/compliance-orders, so the browser showed 'This site can't be reached'.
Dropped the bare 'admin' token; administrator/login.action/struts stay blocked.
Applied live on prod (sudo edit + nginx reload); this updates the source of
truth so the ansible nginx role won't reintroduce it.
justin 2026-06-16 00:05:54 -05:00
parent 48fab25840
commit d65f5ea279


@ -36,7 +36,11 @@ location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) {
return 444;
}
location ~* /(admin|administrator|login\.action|struts) {
# Block common attack-scanner paths. NOTE: do NOT include a bare "admin" here —
# our own operations dashboard lives at /admin and /admin/compliance-orders.
# "administrator" (Joomla), "login.action"/"struts" remain blocked and do not
# match our /admin path.
location ~* /(administrator|login\.action|struts) {
return 444;
}
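Review bot: the new `location ~* /(administrator|login\.action|struts)` regex is unanchored, so it matches these tokens anywhere in the URI, not only as the first path segment; if the intent is to drop probes of the well-known scanner paths, anchoring it (`location ~* ^/(administrator|login\.action|struts)`) keeps a legitimate URI that merely contains one of those words deeper in the path from being dropped with 444. The comment above the block correctly notes that none of the remaining tokens match `/admin`, but since the commit message says this was already applied live by a sudo edit plus reload, it would also be worth adding a regression check to the ansible role (for example `curl -sI` against `/admin/compliance-orders` expecting a normal response rather than an empty reply) so a future edit that reintroduces a bare `admin` token is caught before it reaches prod.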