If we want to simply lock down a specific location, we can do this as well. Consider this example where we take the server block directive from the Configuring NGINX for WordPress recipe in Chapter 2, Common PHP Scenarios and add additional authentication to the wp-admin directory and wp-login.php location:
location ~ ^(/wp-login.php|/wp-admin/) {
auth_basic "Restricted Area";
auth_basic_user_file /var/www/private/.htpasswd;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
include fastcgi_params;
}
}
The configuration matches any request starting with (as denoted by the ^ symbol) either /wp-login.php or (|) /wp-admin/ and adds basic authentication. All other pages on the site don't contain any extra authentication and therefore load normally.
We also add a nested PHP location block, as NGINX won't process the declaration outside of the current location block. For neatness, you could also define this in a separate file once and then include it at each required location. This way, if you ever need to make changes, then it's only in one location.