From c888e856f78ea2d652b3c777e439649ae2425c0b Mon Sep 17 00:00:00 2001
From: uffhitech <uffhitech@users.noreply.github.com>
Date: Thu, 26 Aug 2021 10:53:19 +0300
Subject: [PATCH] allow xmlrpc.php from localhost only

it is used only for an attacks now. I can confirm this configuration works fine in a real world
---
 .../provision/templates/nginx-config.mustache            | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/files/var/www/eqpress-www/provision/templates/nginx-config.mustache b/files/var/www/eqpress-www/provision/templates/nginx-config.mustache
index a4b6069..2726a94 100644
--- a/files/var/www/eqpress-www/provision/templates/nginx-config.mustache
+++ b/files/var/www/eqpress-www/provision/templates/nginx-config.mustache
@@ -18,6 +18,8 @@ server {
     }
 
     location ~* xmlrpc\.php {
+        allow 127.0.0.1;
+        deny all;
         include /etc/nginx/eqpress/common_login_limiter.conf;
     }
 
@@ -56,6 +58,13 @@ server {
 {{lua_config_root}}
         try_files $uri $uri/ /index.php?$args;
     }
+    
+    location ~* xmlrpc\.php {
+        allow 127.0.0.1;
+        deny all;
+        include /etc/nginx/eqpress/common_login_limiter.conf;
+    }
+
 
     location ~ \.php$ {
         location ~* wp\-login\.php {