From 7c3fb8fffd4b1e5eb7583d236f7f10957f790097 Mon Sep 17 00:00:00 2001
From: Edi Septriyanto <me@masedi.net>
Date: Mon, 6 Dec 2021 22:16:43 +0700
Subject: [PATCH] Fix issue #118

---
 etc/nginx/nginx.conf                     |  2 +-
 etc/nginx/vhost/site_wordpress-bwps.conf | 44 ++++++++++++++++--------
 etc/nginx/vhost/site_wordpress-ms.conf   |  6 ++--
 3 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 501fa38b..d4a1e2ef 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -89,7 +89,7 @@ http {
     # SSL map.
     include /etc/nginx/fastcgi_https_map;
 
-    # Let NGINX get the real client IP for its access logs. You can move this to server{} block.
+    # Let NGiNX get the real client IP for its access logs. You can move this to server{} block.
     # Uncomment if you're using frontend http accelerator or loadbalancer such as haproxy/varnish.
     #include /etc/nginx/http_proxy_ips;
 
diff --git a/etc/nginx/vhost/site_wordpress-bwps.conf b/etc/nginx/vhost/site_wordpress-bwps.conf
index 75aad7c2..7e739f15 100644
--- a/etc/nginx/vhost/site_wordpress-bwps.conf
+++ b/etc/nginx/vhost/site_wordpress-bwps.conf
@@ -1,9 +1,3 @@
-## WP + BWPS plugin rewrite rules.
-# Designed to be included in any server {} block.
-
-# Include Wordpress single-site configuration.
-include /etc/nginx/vhost/site_wordpress.conf;
-
 # BEGIN Better WP Security
 
 # COMMENTED as restrictions already handled by default LEMPer configuration.
@@ -58,19 +52,39 @@ if ($http_cookie !~* "wordpress_logged_in_" ) {
 if ($args !~ "^loggedout=true") { set $susquery 3$susquery; }
 if ($susquery = 4321) { return 403; }
 
-rewrite ^/login/?$ /wp-login.php?np5eou1moyhmux2kmzyps redirect;
+#rewrite ^/login/?$ /wp-login.php?np5eou1moyhmux2kmzyps redirect;
+location ~ ^/login/?$ {
+    return 302 /wp-login.php?np5eou1moyhmux2kmzyps;
+}
 
-if ($rule_2 = 1) { rewrite ^/dashboard/?$ /wp-login.php?np5eou1moyhmux2kmzyps&redirect_to=/wp-admin/ redirect; }
-if ($rule_2 = 0) { rewrite ^/dashboard/?$ /wp-admin/?np5eou1moyhmux2kmzyps redirect; }
+#if ($rule_2 = 1) { rewrite ^/dashboard/?$ /wp-login.php?np5eou1moyhmux2kmzyps&redirect_to=/wp-admin/ redirect; }
+#if ($rule_2 = 0) { rewrite ^/dashboard/?$ /wp-admin/?np5eou1moyhmux2kmzyps redirect; }
+location ~ ^/dashboard/?$ {
+    if ($rule_2 = 1) { return 302 /wp-login.php?np5eou1moyhmux2kmzyps&redirect_to=/wp-admin/; }
+    if ($rule_2 = 0) { return 302 /wp-admin/?np5eou1moyhmux2kmzyps; }
+}
 
-rewrite ^/register/?$ /wp-login.php?np5eou1moyhmux2kmzyps&action=register redirect;
+#rewrite ^/register/?$ /wp-login.php?np5eou1moyhmux2kmzyps&action=register redirect;
+location ~ ^/register/?$ {
+    return 302 /wp-login.php?np5eou1moyhmux2kmzyps&action=register;
+}
 
 if ($uri !~ "^(.*)admin-ajax.php") { set $rule_3 2$rule_3; }
-if ($http_referer !~* wp-admin ) { set $rule_3 3$rule_3; }
-if ($http_referer !~* wp-login.php ) { set $rule_3 4$rule_3; }
-if ($http_referer !~* login ) { set $rule_3 5$rule_3; }
-if ($http_referer !~* dashboard ) { set $rule_3 6$rule_3; }
-if ($http_referer !~* register ) { set $rule_3 7$rule_3; }
+
+#if ($http_referer !~* wp-admin ) { set $rule_3 3$rule_3; }
+#if ($http_referer !~* wp-login.php ) { set $rule_3 4$rule_3; }
+#if ($http_referer !~* login ) { set $rule_3 5$rule_3; }
+#if ($http_referer !~* dashboard ) { set $rule_3 6$rule_3; }
+#if ($http_referer !~* register ) { set $rule_3 7$rule_3; }
+map $http_referer $rule_3 {
+    default $rule_3;
+    !~*/wp-admin/ 3$rule_3;
+    !~*/wp-login.php 4$rule_3;
+    !~*/login 5$rule_3;
+    !~*/dashboard 6$rule_3;
+    !~*/register 7$rule_3;
+}
+
 if ($args !~ "^action=logout") { set $rule_3 8$rule_3; }
 if ($args !~ "^np5eou1moyhmux2kmzyps") { set $rule_3 9$rule_3; }
 if ($args !~ "^action=rp") { set $rule_3 0$rule_3; }
diff --git a/etc/nginx/vhost/site_wordpress-ms.conf b/etc/nginx/vhost/site_wordpress-ms.conf
index 79c54d51..1e7c0e2a 100644
--- a/etc/nginx/vhost/site_wordpress-ms.conf
+++ b/etc/nginx/vhost/site_wordpress-ms.conf
@@ -6,9 +6,9 @@ include /etc/nginx/vhost/site_wordpress.conf;
 
 # Directive to avoid php readfile() for WordPress Multisite.
 # The $root_path variable must be predefined in your vhost config file, use 'set' inside server{} block or 'map' before server{} block.
-location ^~ /blogs.dir {
+location ^~ /blogs.dir/ {
     internal;
-    alias $root_path/wp-content/blogs.dir;
+    alias $root_path/wp-content/blogs.dir/;
     access_log off;
     log_not_found off;
     expires max;
@@ -24,7 +24,7 @@ location ~ ^/[_0-9a-zA-Z-]+/files/(.*)$ {
 
 # Rewrite multisite '.../wp-.*' and '.../*.php'.
 if (!-e $request_filename) {
-    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+    rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
     rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
     rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
 }