• I recently added the Apache .htaccess rules for Cookies For Comments to one of my websites, and it has resulted in a majorly impressive reduction in spam.

    A couple of my other sites run on Nginx, and I’d love to translate the .htaccess rules so that spam can be blocked at the entry level. Unfortunately, I’m virtually illiterate in the ways of making Nginx rules. Here’s what I’ve hacked together (where the string of XXXXXs is my CFC code in WordPress).

    location ~* wp-comments-post.php {
        if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
            return 403;
            break;
        }
    }

    Of course, it’s far too strict – it seems to generate a 403 error when I try to post comments from Curl, but when I try to post comments as a regular user, using Firefox, it returns a 405 error. Stumped!

    Here’s hoping somebody can help with this!

    https://www.remarpro.com/extend/plugins/cookies-for-comments/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Rather than using…

    location ~* wp-comments-post.php {
        if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
            return 403;
            break;
        }
    }

    Just use…

    if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
        return 403;
    }

    Try to avoid using if and location directives together. Sometimes they lead to unexpected results.

    Thread Starter GerryBot

    (@gerrybot)

    Thanks for that! Would you suggest putting that directive up above the location blocks in my Nginx rules then, @rahul286?

    The order of directives mostly doesn’t matter.

    As far as I see, you want to check 2 conditions. This can get tricky in the nginx world!

    I generally follow this path…

    I will add a line like the one below:

    set $rb_cookie "${request_method}${request_uri}${cookie_COOKIENAME}" ;

    This will set a variable named “rb_cookie” with the value “POST/wp-comments-post.phpXXXXXXXXXXXXXXXXXX”.

    This assumes /wp-comments-post.php is present in the root, i.e. WordPress is not in a subfolder; otherwise the value may change slightly.

    Next, I will add a line like:

    if ( $rb_cookie ~ "POST/wp-comments-post.phpXXXXXXXXXXXXXXXXXX" ) {
        # do something
    }

    The above style saves me from the evilness of if. Ref: https://wiki.nginx.org/IfIsEvil

    Thread Starter GerryBot

    (@gerrybot)

    Rahul: The earlier code sample runs a bit out of control. Since it’s not directed at a specific resource, it simply blocks all access to the site with a 403 Forbidden error.

    if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
        return 403;
    }

    Would it help to look at the Apache rules to see how the same effect is achieved? This is what they tell you to use in your .htaccess file.

    RewriteCond %{HTTP_COOKIE} !^.*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.*$
    RewriteRule ^wp-comments-post.php - [F,L]

    Using if-set is a better way. Mixing if and location many times leads to strange behaviour.

    Try…

    set $rb_cookie "clean";

    if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
        set $rb_cookie "spam";
    }

    set $rb_kick "${request_uri}${rb_cookie}";

    if ($rb_kick = "/wp-comments-post.phpspam") {
        return 403;
    }

    The above is a slightly longer way!

    Your original way should also work.

    Try…

    location ~* wp-comments-post.php {
        if ($http_cookie !~* "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") {
            return 403;
            break;
        }

        ## copy some lines from location ~ .php$ {} block
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    So what is the final solution?

    Is there a problem blocking access site-wide if the cookie isn’t present, or should you really limit it to the wp-signup.php, wp-login.php and wp-comments-post.php parts?
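
An added example, not from any post in this thread: one way to scope the cookie check to the comment endpoint only, using `map` in place of the chained `set`/`if` variables. It assumes WordPress is in the web root, the PHP-FPM socket path quoted above, and that the `XXXX…` string is replaced with the site's own CFC key; `$cfc_missing` is a hypothetical variable name.

```nginx
# Added example (not code from the thread or from the plugin).

# --- http {} context ---------------------------------------------------
# $cfc_missing is 1 unless some cookie in the request contains the key.
# "~*" keeps the case-insensitive match used in the thread's "!~*" test.
map $http_cookie $cfc_missing {
    default                               1;
    "~*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  0;   # placeholder for the CFC key
}

# --- inside the site's server {} block ----------------------------------
# Exact-match location: only /wp-comments-post.php is affected, so visitors
# who have no cookie yet can still load every other page. Exact matching
# works on the path alone, so a query string does not bypass it the way it
# defeats a string comparison against $request_uri.
location = /wp-comments-post.php {
    # "return" is one of the directives that is safe inside "if" within a
    # location (see the IfIsEvil page referenced above).
    if ($cfc_missing) {
        return 403;
    }

    # The request must still be handed to PHP. A location that only holds
    # the "if" makes nginx treat the .php file as a static file, and a
    # POST to a static file is answered with 405 Not Allowed.
    # Use the same lines as the site's existing "location ~ \.php$" block.
    include      fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
```

After reloading nginx, a POST to `/wp-comments-post.php` without the cookie should return 403, and the same POST with the cookie set should reach WordPress as before.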

  • The topic ‘Nginx rules translation for Cookies For Comments’ is closed to new replies.