I have a WordPress multisite installation and I have some bots hammering the home pages. I would like to set a rate limit only on the home page(s) of the site(s) but leave the other pages unlimited.
My trouble is crafting an NGINX location that will match the home page's "blank" address of /index.php. I can limit the entire site by matching "/" but that's not what I need.
I've tried using "index" as a defined location, but that does not work. Is there a trick I'm missing? This is a difficult case to search for, because most selective limiting questions are from people doing the opposite, people limiting resources with more specific addresses such as login scripts.
Here is what I have tried:

    limit_req_zone $binary_remote_addr zone=mainlimit:10m rate=1r/m;
    server {
        # SSL configuration
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        include snippets/ssl-example.com.conf;
        include snippets/ssl-params.conf;
        server_name example.com www.example.com;
        client_max_body_size 120M;
        root /usr/share/nginx/example;
        index index.php index.html index.htm;
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
        #subdomain multi site with wp in 'wp' subdir
        if (!-e $request_filename) {
            # Redirect wp-* files/folders
            rewrite ^(/[^/]+)?(/wp-.*) /wp/$2 last;
            # Redirect other php files
            rewrite ^(/[^/]+)?(/.*\.php) /wp/$2 last;
        }
        location index { #THIS DOES NOT MATCH THE HOME PAGE
            limit_req zone=mainlimit burst=3 nodelay;
            try_files $uri $uri/ /index.php?$args ;
        }
        location / {
            #limit_req zone=mainlimit burst=3 nodelay; THIS MATCHES EVERYTHING
            try_files $uri $uri/ /index.php?$args ;
        }
        location ~* /wp-content/uploads/.*\.php$ {
            return 503;
        }
        location ~* /data/.*\.php$ {
            return 503;
        }
    ***MORE STUFF...
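
One way to scope the limit to the home page only, shown as an added example that is not part of the original post: nginx's exact-match modifier `=` selects a location for the URI `/` alone, while the prefix location `/` keeps serving everything else unlimited. It assumes each site's home page is requested as `/` on its own host name (subdomain multisite) and that the PHP handler in the elided part of the configuration carries no `limit_req` of its own.

```nginx
# Added example, not the poster's configuration. Zone name, rate, root and
# server_name are taken from the post; listen/SSL lines are omitted for brevity.
limit_req_zone $binary_remote_addr zone=mainlimit:10m rate=1r/m;

server {
    server_name example.com www.example.com;
    root /usr/share/nginx/example;
    index index.php index.html index.htm;

    # "location index" is a prefix match on the literal string "index",
    # and every request URI starts with "/", so it can never be selected.
    #
    # "=" is an exact match on the normalized URI without the query string:
    # only "/" (and "/?anything") is handled here, and an exact match takes
    # priority over the prefix location "/" below.
    location = / {
        limit_req zone=mainlimit burst=3 nodelay;
        limit_req_status 429;   # optional; rejected requests get 503 by default
        # The request is then redirected internally to /index.php. The limit
        # is accounted once per client request, so the redirect does not
        # count a second time.
        try_files $uri $uri/ /index.php?$args;
    }

    # Everything else stays unlimited.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler and the remaining locations stay as in the existing
    # configuration (elided in the post).
}
```

Check the result with `nginx -t` before reloading. Clients that request `/index.php` explicitly are not matched by `location = /`, so they are not covered by this limit.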