Reputation: 31252
Django gives an admin URL automatically, such as www.example.com/admin.
I do not want any outside visitors to access this URL. It should be accessible only from within the host and from allowed IP addresses.
If I try to access https://instagram.com/admin/ (which is built using Django), it gives a 404 Page Not Found error.
How can I achieve the same behavior? What is the preferred and right way to do it?
I host my web service on WebFaction, and allowing the IP address of the host means other WebFaction account holders might be able to access the admin URL, which I don't want. Looking for a neat and simple way.
Thanks.
PS: I see a similar question posted here, but that is with respect to PHP. I am wondering how I can achieve the same using Django.
Upvotes: 7
Views: 7972
Reputation: 870
You can create a custom middleware to restrict access based on IP. Place this code in a file like middleware.py in one of your apps. This setup will ensure that only requests from your VPN or allowed IP addresses can access the Django admin interface, thereby adding an extra layer of security.
Hide your Django admin panel using Custom VPN from terraform
Upvotes: 1
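As an added example (not code from the answer above or from the linked article), here is what such a middleware can look like. It answers 404 for admin paths requested from anywhere outside an IP allow-list, so outsiders see exactly what the question observed on instagram.com/admin/, while non-admin paths are untouched. The names ADMIN_URL_PREFIX, ADMIN_ALLOWED_NETWORKS and TRUSTED_PROXIES, the network ranges and the proxy address are assumptions made up for this example, not Django settings. The detail that most often goes wrong in this kind of middleware is handled explicitly: X-Forwarded-For is only believed when the TCP peer is your own reverse proxy, because any client can send that header.

```python
"""Added example: IP-restrict the Django admin by answering 404 to everyone else.

Hypothetical settings (not Django built-ins): ADMIN_URL_PREFIX,
ADMIN_ALLOWED_NETWORKS, TRUSTED_PROXIES. Register the class in MIDDLEWARE.
"""
import ipaddress
from typing import Iterable, List, Mapping, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ADMIN_URL_PREFIX = "/admin/"
# Constructed allow-list: loopback plus a documentation range (RFC 5737) standing in for an office/VPN block.
ADMIN_ALLOWED_NETWORKS = ("127.0.0.1/32", "::1/128", "203.0.113.0/24")
# Constructed: the only peer whose X-Forwarded-For header is trusted (your own reverse proxy).
TRUSTED_PROXIES = ("10.0.0.1/32",)


def parse_networks(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings once at startup so a typo fails loudly instead of silently allowing everyone."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_admin_path(path: str, prefix: str = ADMIN_URL_PREFIX) -> bool:
    """Match /admin and /admin/... but not unrelated paths such as /administrator/."""
    return path == prefix.rstrip("/") or path.startswith(prefix)


def client_ip(meta: Mapping[str, str], trusted_proxies: Iterable[IPNetwork]) -> Optional[IPAddress]:
    """Return the real client address from a WSGI/Django request.META dict.

    X-Forwarded-For is attacker-controlled unless the TCP peer (REMOTE_ADDR) is a
    proxy we run ourselves, so it is honoured only then, and only its right-most
    entry, which is the one our proxy appended. Anything malformed yields None
    (fail closed).
    """
    try:
        peer = ipaddress.ip_address(meta.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    forwarded = meta.get("HTTP_X_FORWARDED_FOR", "")
    if forwarded and any(peer in net for net in trusted_proxies):
        try:
            return ipaddress.ip_address(forwarded.split(",")[-1].strip())
        except ValueError:
            return None
    return peer


def admin_request_allowed(path: str, meta: Mapping[str, str],
                          allowed: Iterable[IPNetwork], trusted_proxies: Iterable[IPNetwork]) -> bool:
    """Non-admin paths are always allowed; admin paths only from the allow-list."""
    if not is_admin_path(path):
        return True
    ip = client_ip(meta, trusted_proxies)
    return ip is not None and any(ip in net for net in allowed)


class AdminIPRestrictMiddleware:
    """Callable-style Django middleware (Django >= 1.10)."""

    def __init__(self, get_response):
        self.get_response = get_response
        self.allowed = parse_networks(ADMIN_ALLOWED_NETWORKS)
        self.proxies = parse_networks(TRUSTED_PROXIES)

    def __call__(self, request):
        if not admin_request_allowed(request.path, request.META, self.allowed, self.proxies):
            # Imported here so the decision logic above can be unit-tested without Django installed.
            from django.http import HttpResponseNotFound
            # 404 rather than 403: an outsider learns nothing about whether /admin/ exists.
            return HttpResponseNotFound()
        return self.get_response(request)
```

Put the class at the top of MIDDLEWARE, above CommonMiddleware, so the APPEND_SLASH redirect never runs for a blocked request (a 301 from /admin to /admin/ would reveal that the admin resolves). On a shared host like the one in the question, leaving 127.0.0.1 in the allow-list admits every other tenant that can open a local connection, so use a VPN or office range there and drop loopback.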
Reputation: 11
Simply put, you can treat the admin path as a secret: set it as an environment variable on your system and then retrieve it (a good approach if your source code is public).

```python
import os

from django.contrib import admin
from django.urls import path

# The secret prefix must end with a slash, e.g. DJANGO_ADMIN_PATH="supers3cret4dm1n/";
# if the variable is unset, path(None, ...) raises at import time, which is the safe failure.
ADMIN_URL_PATH = os.getenv('DJANGO_ADMIN_PATH')

urlpatterns = [
    ...
    path(ADMIN_URL_PATH, admin.site.urls),
    ...
]
```
Upvotes: 0
Reputation: 8539
One common method, which is advocated by Two Scoops of Django, is to change your admin URL. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.
Example code:

```python
from django.conf.urls import include, patterns, url
from django.contrib import admin

# patterns() is the pre-1.10 style; in Django 1.10+ urlpatterns is a plain list of url()/path() entries.
urlpatterns = patterns('',
    ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)),  # Change the pattern to whatever you want here
    ...
)
```
Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.
Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.
EDIT: If you're dead-set on restricting by IP address, here's an SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.
Upvotes: 21