The original post: /r/nginx by /u/mohil-makwana31 on 2025-03-12 13:13:29.

I have deployed a FastAPI application on an AWS EC2 instance behind Nginx. Recently, I’ve noticed suspicious automated traffic attempting to access non-existent PHP endpoints like /wp-login.php or /index.php. These requests originate from varying IP addresses; each day they come from different IPs, making manual blocking challenging.

I need guidance on configuring Nginx to achieve the following:

Allowed endpoints (examples):

Blocked endpoints (examples of suspicious requests):

  • /admin
  • /wp-login.php
  • /index.php
  • Any other unspecified paths

Questions:

  1. How can I configure Nginx to explicitly allow requests only to the above paths and automatically block all other requests efficiently, without manually specifying each individual unauthorized path?
  2. Given these repeated suspicious PHP-related requests from changing IP addresses each day, what’s the best practice to monitor and effectively block this suspicious traffic?
  3. Since AWS WAF is costly, what alternative cost-effective solutions or tools (e.g., Fail2Ban, rate limiting, custom Nginx rules) can I implement to further secure my FastAPI backend?

I’d appreciate practical configuration examples or best practices to enhance security effectively.
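One way to address the first and third questions in a single Nginx server block: an allow list of locations that proxy to FastAPI, a default-deny catch-all, a dedicated rule for PHP-style probes, and a per-client rate limit, with rejected requests written to their own log so Fail2Ban can tail one file. This is an added example, not configuration from the original post; it assumes the app listens on 127.0.0.1:8000 and uses /health and /api/ as placeholder allowed paths, since the post's list of allowed endpoints is not shown.

```nginx
# Shared rate-limit zone: one bucket per client IP, 10 MB of state, 10 req/s.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

upstream fastapi {
    server 127.0.0.1:8000;   # assumed: uvicorn bound to localhost only
}

server {
    listen 80;
    server_name _;           # placeholder; use the real hostname

    # --- Allow list (placeholder paths) -------------------------------
    location = /health {
        limit_req zone=perip burst=20 nodelay;
        proxy_pass http://fastapi;
    }

    # "^~" makes this prefix win over the regex locations below, so an API
    # path never falls into the PHP-probe rule by accident.
    location ^~ /api/ {
        limit_req zone=perip burst=20 nodelay;
        proxy_pass http://fastapi;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # --- PHP-style probes (/wp-login.php, /index.php, ...) ------------
    # 444 closes the connection without sending a response; the request is
    # still logged so Fail2Ban can count repeat offenders per IP.
    location ~* \.php$ {
        access_log /var/log/nginx/blocked.log combined;
        return 444;
    }

    # --- Default deny ---------------------------------------------------
    # Every path not matched above (e.g. /admin) gets a bare 404. New
    # unauthorized paths need no individual rule, which is the allow-list
    # behaviour the question asks for.
    location / {
        access_log /var/log/nginx/blocked.log combined;
        return 404;
    }
}
```

Run `nginx -t` before reloading, and point a Fail2Ban jail at /var/log/nginx/blocked.log with a filter that matches `<HOST>` at the start of each combined-format line, so IPs that keep probing are banned at the firewall even as they rotate day to day.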