Question

Django gives an admin URL automatically, such as www.example.com/admin. I do not want any outside visitors to access this URL. It should be accessible only from within the host and from allowed IP addresses. If I try to access https://instagram.com/admin/ (which is built using Django), it gives a 404 Page Not Found error. How can I achieve the same behavior?

What is the preferred and right way to do it?

I host my web service on WebFaction, and allowing the IP address of the host means other WebFaction account holders might be able to access the admin URL, which I don't want. Looking for a neat and simple way.

Thanks.

PS: I see a similar question posted here, but that is with respect to PHP. I am wondering how I can achieve the same using Django?

Solution

One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

Example code:

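from django.conf.urls import include, patterns, url
from django.contrib import admin

urlpatterns = patterns('',
    # ... other URL patterns ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)),  # Change the pattern to whatever you want here
    # ... other URL patterns ...
)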

Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

EDIT:

If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.
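The IP restriction and the 404 behaviour asked about in the question can also be enforced in Python, in front of the Django application. The following is an added example, not code from the answer or from Django: a plain WSGI wrapper using only the standard library, where `ADMIN_PREFIX`, `ALLOWED_NETWORKS`, `demo_app` and `status_for` are names and values assumed for illustration.

```python
import ipaddress

# Assumed values for illustration: the admin prefix and the allowed networks.
ADMIN_PREFIX = "/admin/"
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "203.0.113.0/24")]


def client_allowed(remote_addr):
    """Return True only if remote_addr parses and falls in an allowed network."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(ip in net for net in ALLOWED_NETWORKS)


class AdminIPAllowlist:
    """WSGI middleware: answer 404 for the admin prefix unless the peer is allowed."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Match "/admin" too, so a slash-appending redirect cannot reveal the page.
        is_admin = path == ADMIN_PREFIX.rstrip("/") or path.startswith(ADMIN_PREFIX)
        # REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
        # address, so this check only works where the app sees the real client.
        if is_admin and not client_allowed(environ.get("REMOTE_ADDR", "")):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for Django's WSGI application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(path, remote_addr):
    """Run one constructed request through the middleware and return the status."""
    seen = []
    app = AdminIPAllowlist(demo_app)
    app({"PATH_INFO": path, "REMOTE_ADDR": remote_addr}, lambda s, h: seen.append(s))
    return seen[0]
```

In a real project the wrapper would go around the object returned by `django.core.wsgi.get_wsgi_application()` in `wsgi.py`. On shared hosting where a front-end proxy sits before the app, the restriction belongs in that proxy instead, since `REMOTE_ADDR` will not be the visitor's address.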

Other tips

You can simply treat the admin path as a secret, so set it as an environment variable in your system and then retrieve it (a good approach if your source code is public).

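import os

from django.contrib import admin
from django.urls import path

# Read the admin path from the environment so it never appears in the source
ADMIN_URL_PATH = os.getenv('DJANGO_ADMIN_PATH')

urlpatterns = [
    # ... other URL patterns ...
    path(ADMIN_URL_PATH, admin.site.urls),
    # ... other URL patterns ...
]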
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow