Question

Django gives an admin URL automatically, such as www.example.com/admin. I do not want any outside visitors to access this URL. This should be accessed only within the host and allowed IP address. If I try to access https://instagram.com/admin/ (which is built using Django), it gives a 404 Page Not Found error. How can I achieve the same behavior?

What is the preferred and right way to do it?

I host my web service in webfaction, and allowing the IP address of the host means other webfaction account-holders might be able to access the admin URL, which I don't want. Looking for a neat and simple way.

Thanks:

PS: I see a similar question posted here, but that is with respect to PHP. I am wondering how I can achieve the same using Django?


Solution

One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

Example code:

from django.conf.urls import include, patterns, url
from django.contrib import admin

urlpatterns = patterns('',
    ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)), # Change the pattern to whatever you want here
    ...
)

Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

EDIT:

If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.
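For the IP restriction and the 404 behaviour asked about in the question, here is an added example (not code from this answer or from Django itself) of a standard-library WSGI wrapper that answers 404 for the admin prefix unless the connecting address is on an allowlist. The names `AdminIPAllowlist` and `demo_status` are hypothetical, and the addresses are constructed sample values.

```python
import ipaddress


class AdminIPAllowlist:
    """WSGI wrapper: answer 404 for the admin prefix unless the peer IP is allowed."""

    def __init__(self, app, admin_prefix, allowed):
        self.app = app
        # Normalise to "/prefix/" so "/administrator" does not match "/admin/".
        self.prefix = "/" + admin_prefix.strip("/") + "/"
        self.networks = [ipaddress.ip_network(n) for n in allowed]

    def _is_allowed(self, environ):
        # REMOTE_ADDR is the direct peer. Behind a reverse proxy it is the
        # proxy's address, so the proxy must enforce the restriction instead
        # (or pass the client address in a way you have chosen to trust).
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed address: fail closed
        return any(peer in net for net in self.networks)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        in_admin = (path + "/").startswith(self.prefix)
        if in_admin and not self._is_allowed(environ):
            body = b"Not Found"
            start_response("404 Not Found", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_status(path, remote_addr):
    """Run one constructed request through the wrapper and return its status."""
    def inner_app(environ, start_response):  # stand-in for Django's WSGI app
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Constructed values: 203.0.113.0/24 is a documentation range.
    guarded = AdminIPAllowlist(inner_app, "admin", ["203.0.113.0/24", "127.0.0.1"])
    seen = []
    environ = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    guarded(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

In a Django project the wrapper would go around the object returned by `get_wsgi_application()` in `wsgi.py`. On a shared host where requests arrive through a front-end proxy, `REMOTE_ADDR` is the proxy's address, so the allowlist has to be enforced at the proxy in that setup.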

Other tips

You can simply treat the admin path as a secret, so set it as an environment variable in your system and then retrieve it (a good approach if your source code is public).

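import os

from django.contrib import admin
from django.urls import path

# Read the admin path from the environment (os.getenv returns None if the variable is unset)
ADMIN_URL_PATH = os.getenv('DJANGO_ADMIN_PATH')

urlpatterns = [
    ...
    path(ADMIN_URL_PATH, admin.site.urls),
    ...
]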
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow