I have rules similar to the following to deny access to my various control panels (using WordPress as the example here);

<Directory ~ "/var/www/.*/wp-admin">

        Order deny,allow
        Deny from all
        Allow from *.*.*

</Directory>

With a few IP blocks set up to allow access for me from my ISP (which happily changes my IP more than a narcissist looks at himself in the mirror, but anywho).

It seems that these rules are now voided since I finally got around to setting up an nginx proxy. I'm assuming Apache is only seeing the IP address that nginx is sending from (rpaf is set up and working).

Can I do this from nginx.conf?

location ~* wp-admin/?$ {
    allow *.*.*
    deny all
}

Is this right? Can I place it outside of server { } so it takes effect globally?

You can't do it globally as far as I know. location directives must be inside server directives.

However, you can put this piece of code in a separate file and include it to avoid code duplication.

Fooey! Shouldn't rpaf be passing the IP through? Or does it only work when it comes to logging the information?

It's not going to kill me to recreate my current setup but I wish I didn't have to.

what's your mod_rpaf configuration? It might need a recompile.

rpaf should replace the IP address. Did you configure nginx to pass the address to rpaf? Show us your nginx and rpaf configs. Also, what versions are you using?

My nginx conf for the site in question:

server {
        listen 69.164.207.5:80;
        limit_conn gulag 5;
        server_name mark.watero.us;

        access_log  /var/log/nginx/assets.access.log;

        location ~* \.(js|css|rdf|xml|ico|txt|gif|jpg|png|jpeg)$ {
                root   /var/www/watero.us/mark/;
                index  index.html;
                expires max;
        }

        location / {
            proxy_pass         http://69.164.193.193:80/;
            proxy_redirect     off;

            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

            client_max_body_size       10m;
            client_body_buffer_size    128k;

            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;

            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;

        }

}

... and here's my rpaf:

<IfModule mod_rpaf.c>
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 69.164.207.5 192.168.*.*
</IfModule>

Since both IPs are on the same node, I wasn't sure if I actually needed to put anything there other than localhost, but I did anyways.

Both nginx and apache have been restarted ( a few times ) since these configurations were added.

Use:
RPAFproxy_ips 127.0.0.1

Also if you're apache isn't accepting connections from the outside world you can happily restrict it to listening on 127.0.0.1

It is. I've got a number of sites running off the same node right now and the nginx setup is experimenta. As of right now it's actually only serving static files for one domain and proxying for one other...

I have to get my dollars worth on that second IP.

Ah not sure then, the only thing I can see different between your config and mine is the ips, try taking the wild card out see if it makes a difference, if not recompile mod_rpaf I've seen that fix it before.