CDN Exclusions: how to exclude wp-login.php

Hi Jooeis!
THis is what I put in my .htaccess file to allow only static (non-.php files) to be served from those domains:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^cd0\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^cd1\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^cd2\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^cd3\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^cd4\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^cd5\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
</IfModule>

The cdns are named cd0.-cd5.dailygawk.com, etc. And these file extensions are the only ones permitted:
.bmp, .css, .gif, .jpe, .jpeg, .jpg, .js, .otf, .png, .swf, .tif, .tiff, .ttf, .webm, .webp, .woff, .woff2
I suppose that I could have used a wildcard as cd(.*) but I didn’t. Why fix it if it works.
I hope that this helps!

• This reply was modified 3 years, 4 months ago by Brian Brown, Ph.D..

@apiosys, thank you! We’re really happy to hear that. The CDN Exclusions setting is used when checking the URL about to be rewritten. For example, each exclusion would be compared against https://www.example.com/wp-content/uploads/example.jpg and not the actual page URL it is being delivered on, such as https://www.example.com/wp-login.php.

CDN Enabler does have the cdn_enabler_bypass_rewrite hook that can be used to bypass the rewrite. This could be used to bypass the rewrite from occurring on the login page. For example, the following could be added to your website, like in your functions.php file:

add_filter( 'cdn_enabler_bypass_rewrite', 'filter_cdn_enabler_bypass_rewrite' );

function filter_cdn_enabler_bypass_rewrite( $bypass_rewrite ) {

    $login_page = ( strpos( $_SERVER['REQUEST_URI'], '/wp-login.php' ) === 0 );

    if ( $login_page ) {
        return true;
    }

    return $bypass_rewrite;
}

Thanks both for your quick answer. @coreyk your solution seemed to me the most elegant. I’ve implemented it in my functions.php of the active theme but it has no effect I’m afraid… I still get the page served like so:

$ curl -I https://cdn.mydomain.com/wp-login.php
HTTP/2 200

The main issue I have with this is that the page being accessed like this, uses the IP from the CDN and not the client. And since I ban IP’s based on failed login attempts (and normal humans will never access this URL since they would simply go to mydomain.com/wp-admin) I end up banning the IP ranges from my CDN servers and thus not serving static content anymore…

@brianbrown thus I implemented your solution which did n’t appear nice to me at first sight but is probably much better in the sense that we let handle Apache throwing the redirect rather than WP which is probably safer, faster and less ressource consuming. And now I properly get:

$ curl -I https://cdn.mydomain.com/wp-login.php
HTTP/2 301 
location: https://www.mydomain.com/wp-login.php

which is exactly what I want. The CDN IP shows only once when hitting the page and then it is the client’s IP doing the rest and can thus get safely banned if this was an attack.

Here the snippet as I use it since only one CNAME for CDN and wanting the URL’s prefixed with www to be consistent with the rest of the site and added support for mp4 files:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^cdn\.(.*)$ [NC]
RewriteCond %{REQUEST_URI} !\.(bmp|css|gif|jpe|jpeg|jpg|js|otf|png|swf|tif|tiff|ttf|webm|webp|woff|woff2|mp4)$ [NC]
RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
</IfModule>

It’s good enough for me, got rid of those annoying attackers using my CDN like this.

Thanks.

Joris.

Oops, I misunderstood your request, @apiosys. My apologies. What you’re trying to accomplish can’t actually be done with the CDN Enabler plugin. The snippet I shared above just controls whether or not URLs are rewritten in the rewrite (like the URLs in your HTML). This rewrite process most often takes place a page is generated by WordPress. It doesn’t prevent the CDN itself from accessing assets on your origin server.

Currently the CDN Enabler plugin is only capable of rewriting URLs to be from the site hostname(s) to the CDN hostname. If you want to block the CDN itself from accessing certain assets on your origin server, such as your login page at https://cdn.yourdomain.com/wp-login.php, then you’ll need to configure your origin server to return a certain response when the CDN attempts to request /wp-login.php. Most commonly that is any PHP file or asset outside the scope you allow as shown above by @brianbrown. It looks like you did just that. ?? (A common response I recommend for assets that you don’t want the CDN accessing is 403.)

And thank you @brianbrown for your fast, correct assistance in this thread. That’s appreciated.

• This reply was modified 3 years, 4 months ago by Anonymous User 16850768. Reason: clarification

Makes sense. Thanks again both.