Varnish + Nginx redirect issue (redirects to :8080)

I’m using WordPress with the Better WP Security plugin.

This plugin offers an option which doesn’t allow bots or anyone to log in at /wp-admin or /wp-login.

Read More

Instead, it requires that you visit a particular URL, say /secret-area, and from there it will redirect you to the following URL (notice the long key it appends):

/wp-admin?h28g8y28kknkwh28h3&redirect_to=/wp-admin/

That way bots that are scanning can’t find the common WordPress login paths.

The problem is that, when I have Varnish enabled, when I visit /secret-area the page tries to redirect to the following URL (which obviously doesn’t work):

example.com:8080/wp-login.php?h28g8y28kknkwh28h3&redirect_to=/wp-admin/

So it adds port 8080 which is what nginx is listening on as a backend.

The only thing I can imagine is that the Nginx config that the Better WP Security plugin wants you to add doesn’t take into account nginx not running on port 80…

So, I’m wondering if maybe you can see some problem with these rules? The part in question is near the bottom:

# BEGIN Better WP Security
    set $susquery 0;
    set $rule_2 0;
    set $rule_3 0;
    if ($request_method ~* "^(TRACE|DELETE|TRACK)"){ return 403; }
    location /wp-comments-post.php {
        valid_referers novalidreferrers;
        set $rule_0 0;
        if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }
        if ($invalid_referer) { set $rule_0 2$rule_0; }
        if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }
        if ($rule_0 = "3210") { return 403; }
    }    if ($args ~* "../") { set $susquery 1; }
    if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
    if ($args ~* "etc/passwd") { set $susquery 1; }
    if ($args ~* "boot.ini") { set $susquery 1; }
    if ($args ~* "ftp:") { set $susquery 1; }
    if ($args ~* "http:") { set $susquery 1; }
    if ($args ~* "https:") { set $susquery 1; }
    if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
    if ($args ~* "base64_encode") { set $susquery 1; }
    if ($args ~* "(%24&x)") { set $susquery 1; }
    if ($args ~* "([|]|(|)|<|>|ê|"|;|?|*|=$)"){ set $susquery 1; }
    if ($args ~* "("|'|<|>|\|{|||%24&x)"){ set $susquery 1; }
    if ($args ~* "(127.0)") { set $susquery 1; }
    if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { set $susquery 1; }
    if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
    if ($args ~* "(request|select|insert|concat|union|declare)") { set $susquery 1; }
    if ($http_cookie !~* "wordpress_logged_in_" ) {
        set $susquery 2$susquery;
        set $rule_2 1;
        set $rule_3 1;
    }
    if ($args !~ "^loggedout=true") { set $susquery 3$susquery; }
    if ($susquery = 4321) { return 403; }
    rewrite ^/login/?$ /wp-login.php?h28g8y28kknkwh28h3 redirect;
    if ($rule_2 = 1) { rewrite ^/admin/?$ /wp-login.php?h28g8y28kknkwh28h3&redirect_to=/wp-admin/ redirect; }
    if ($rule_2 = 0) { rewrite ^/admin/?$ /wp-admin/?h28g8y28kknkwh28h3 redirect; }
    rewrite ^/register/?$ /wp-login.php?h28g8y28kknkwh28h3&action=register redirect;
    if ($uri !~ "^(.*)admin-ajax.php") { set $rule_3 2$rule_3; }
    if ($http_referer !~* wp-admin ) { set $rule_3 3$rule_3; }
    if ($http_referer !~* wp-login.php ) { set $rule_3 4$rule_3; }
    if ($http_referer !~* login ) { set $rule_3 5$rule_3; }
    if ($http_referer !~* admin ) { set $rule_3 6$rule_3; }
    if ($http_referer !~* register ) { set $rule_3 7$rule_3; }
    if ($args !~ "^action=logout") { set $rule_3 8$rule_3; }
    if ($args !~ "^h28g8y28kknkwh28h3") { set $rule_3 9$rule_3; }
    if ($args !~ "^action=rp") { set $rule_3 0$rule_3; }
    if ($args !~ "^action=register") { set $rule_3 a$rule_3; }
    if ($args !~ "^action=postpass") { set $rule_3 b$rule_3; }
    if ($rule_3 = ba0987654321) {
        rewrite ^(.*/)?wp-login.php /not_found redirect;
        rewrite ^/wp-admin(.*)$ /not_found redirect;
    }
# END Better WP Security

Related posts

Leave a Reply

1 comment

  1. Such a simple solution………………… these are the moments I live for.

    For anyone else who has the same problem:

    port_in_redirect off;

    Put that in your nginx config in your server block. Presto, all redirects work now with varnish and nginx.