Set nginx.conf to deny all connections except to certain files or directories
The easiest path would be to start out by denying all access, then only granting access to those directories you want. As ring0 pointed out, you can use the default (default_server in 0.8) flag on the listen directive. However, if you already have a server you want to use as a default for unknown named access to your host, you can also just catch requests without a host header or with your server's ip address with something like this (replacing 1.2.3.4 with your server's ip:
upstream _php {
server unix:/var/run/php-fpm/php-fpm.sock;
}
server {
server_name "" 1.2.3.4;
root /path/to/root;
index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# deny everything that doesn't match another location
location / { deny all; }
# allow loading /index.php
location = / { } # need to allow GET / to internally redirect to /index.php
location = /index.php { fastcgi_pass _php; }
# allow access to phpmyadmin
location /phpmyadmin/ { } # Allow access to static files in /phpmyadmin/
location ~ ^/phpmyadmin/.*\.php$ { fastcgi_pass _php; } # phpmyadmin php files
}
the fastcgi_params will be inherited by both locations that fastcgi_pass, and only /index.php and /phpmyadmin/ are allowed. I've also added an upstream block for php, which makes it easier should you ever need to add to or change it in the future.
Creative use of the location and deny rules negated in regex, something like:
location / {
root html;
index index.html index.htm index.php;
}
location ~* !^/(index.(php|html|htm)$)|(phpmyadmin/) {
deny all;
}
location ~ \.php$ {
root html;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /srv/http/nginx/$fastcgi_script_name;
include fastcgi_params;
}
That's untested but you get the idea.
http://wiki.nginx.org/HttpAccessModule
http://wiki.nginx.org/HttpCoreModule#location
Also, this may help you write it:
http://www.regextester.com/