6

Django gives an admin URL automatically, such as www.example.com/admin. I do not want any outside visitors to access this URL. It should be accessible only from within the host and from allowed IP addresses. If I try to access https://instagram.com/admin/ (which is built using Django), it gives a 404 Page Not Found error. How can I achieve the same behavior?

What is the preferred and right way to do it?

I host my web service on WebFaction, and allowing the IP address of the host means other WebFaction account-holders might be able to access the admin URL, which I don't want. Looking for a neat and simple way.

Thanks.

PS: I see a similar question posted here, but that is with respect to PHP. I am wondering how I can achieve the same using Django?

brain storm
  • You could build a decorator around the admin URLs -- either manually by reproducing the URLs or perhaps programmatically using something like this: http://stackoverflow.com/a/18411661/1345536. The decorator could then check for whitelisted IP addresses or return a 404. – Travis D. Apr 30 '14 at 18:46

2 Answers

19

One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

Example code:

from django.conf.urls import include, patterns, url
from django.contrib import admin

urlpatterns = patterns('',
    ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)),  # Change the pattern to whatever you want here
    ...
)

Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

EDIT:

If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.

Alex
  • What you suggested seems reasonable rather than playing around with IP addresses. – brain storm Apr 30 '14 at 18:37
  • But that still doesn't stop bots from crawling the URL. And if you disallow that in robots.txt, then anyone who looks at the robots file can find the URL. – sql-noob Jul 23 '17 at 15:31
0

Simply put, you can treat the admin path as a secret: set it as an environment variable in your system and then retrieve it (a good approach if your source code is public).

import os

from django.contrib import admin
from django.urls import path

# The admin prefix comes from the environment so it never appears in the (public) source.
# DJANGO_ADMIN_PATH must be set (e.g. 'supers3cret4dm1n/'); do not fall back to 'admin/' here.
ADMIN_URL_PATH = os.getenv('DJANGO_ADMIN_PATH')

urlpatterns = [
    ...
    path(ADMIN_URL_PATH, admin.site.urls),
    ...
]
Bedo
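The IP restriction the question asks for, done in the application instead of in nginx, as an added example (not code from either answer): a Django middleware that answers 404 for admin paths requested from outside an allowlist, mirroring the behaviour seen on instagram.com/admin/, and that trusts X-Forwarded-For only when the connecting address is a proxy you run. ADMIN_PREFIX, ALLOWED_ADMIN_NETWORKS and TRUSTED_PROXIES are constructed sample values.

```python
import ipaddress

# Constructed sample values: the prefix must match the admin route in urls.py, and the
# allowlist holds the addresses (hosts or CIDR ranges) the admin is used from.
ADMIN_PREFIX = "/admin/"
ALLOWED_ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "203.0.113.0/24")]
# Only a reverse proxy you control may supply X-Forwarded-For; any client can send that header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def client_ip(meta):
    """Return the client address from a WSGI/Django META dict.

    REMOTE_ADDR is filled in by the server from the TCP connection, so it is trustworthy.
    X-Forwarded-For is honoured only when REMOTE_ADDR is one of our own proxies, and then
    only its last entry, which is the one that proxy appended.
    """
    remote = ipaddress.ip_address(meta["REMOTE_ADDR"])
    forwarded = meta.get("HTTP_X_FORWARDED_FOR", "")
    if forwarded and _in_any(remote, TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded.split(",")[-1].strip())
    return remote


def admin_allowed(path, meta):
    """True if the request may proceed: non-admin paths always, admin paths only from the allowlist."""
    prefix = ADMIN_PREFIX.rstrip("/")
    # Also cover the slash-less form, so the APPEND_SLASH redirect cannot reveal the route exists.
    if path != prefix and not path.startswith(prefix + "/"):
        return True
    try:
        return _in_any(client_ip(meta), ALLOWED_ADMIN_NETWORKS)
    except (KeyError, ValueError):
        return False  # missing or malformed address: fail closed


class AdminIPRestrictMiddleware:
    """Add to MIDDLEWARE in settings.py, ahead of the session/authentication middleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not admin_allowed(request.path, request.META):
            from django.http import Http404  # imported lazily so the checks above run without Django
            raise Http404  # 404 rather than 403: an outsider learns nothing about whether the route exists
        return self.get_response(request)
```

Behind a shared reverse proxy (the WebFaction case) REMOTE_ADDR is the proxy, so the check only works if that proxy is listed in TRUSTED_PROXIES and sets X-Forwarded-For itself.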