how to prevent access to admin urls in Django?

3

7

Django gives an admin URL automatically, such as www.example.com/admin. I do not want any outside visitors to access this URL. This should be accessed only from within the host and from allowed IP addresses. If I try to access https://instagram.com/admin/ (which is built using Django), it gives a 404 Page Not Found error. How can I achieve the same behavior?

What is the preferred and right way to do it?

I host my web service in WebFaction, and allowing the IP address of the host means other WebFaction account-holders might be able to access the admin URL, which I don't want. Looking for a neat and simple way.

Thanks.

PS: I see a similar question posted here, but that is with respect to PHP. I am wondering how I can achieve the same using Django?

Vacancy answered 30/4, 2014 at 18:1 Comment(1)
You could build a decorator around the admin URLs -- either manually by reproducing the URLs or perhaps programmatically using something like this: https://mcmap.net/q/365403/-is-it-possible-to-decorate-include-in-django-urls-with-login_required. The decorator could then check for whitelisted IP addresses or return a 404. Cleopatra
21

One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

Example code:

# Django 1.x-era URLconf (patterns()/url() were removed in Django 2.0; newer
# projects use path() instead, see the later answer)
from django.conf.urls import include, patterns, url
from django.contrib import admin

admin.autodiscover()  # needed on Django < 1.7 to register ModelAdmins

urlpatterns = patterns('',
    ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)),  # Change the pattern to whatever you want here
    ...
)

Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

EDIT:

If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.

Munoz answered 30/4, 2014 at 18:15 Comment(2)
What you suggested seems reasonable rather than playing around with IP addresses. Vacancy
But that still doesn't stop bots from crawling the URL. And if you disallow that in robots.txt, then anyone who looks at the robots file can find the URL. Picked
1

You can create a custom middleware to restrict access based on IP. Place this code in a file like middleware.py in one of your apps. This setup will ensure that only requests from your VPN or allowed IP addresses can access the Django admin interface, thereby adding an extra layer of security. Hide your Django admin panel using Custom VPN from terraform

Hylan answered 19/9, 2024 at 12:49 Comment(0)
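An implementation of the middleware this answer describes (and of the "check an allow-list, otherwise return a 404" idea from the comment on the question), added here as an example; it is not the answer's own code and not part of any project. The setting names ADMIN_URL_PREFIX, ADMIN_ALLOWED_NETWORKS and ADMIN_TRUSTED_PROXIES are hypothetical, and the addresses used below are constructed documentation ranges. The point a practitioner should not miss is the X-Forwarded-For handling: that header is attacker-controlled, so it is only honoured when the directly connected peer is a proxy you operate. Replying with 404 instead of 403 gives the same face the question observed on Instagram.

```python
"""Added example (not from the original answers): make the Django admin prefix
answer 404 unless the client IP is on an allow-list.

Hypothetical settings (names are assumptions, not Django's own):
  ADMIN_URL_PREFIX       path the admin is mounted at, e.g. "admin/"
  ADMIN_ALLOWED_NETWORKS list of CIDR strings allowed to reach the admin
  ADMIN_TRUSTED_PROXIES  CIDRs of reverse proxies whose X-Forwarded-For
                         header may be trusted (empty = trust nobody)
"""
import ipaddress
from typing import Iterable, Optional


def _in_any(addr: str, networks: Iterable[str]) -> bool:
    """True if addr parses as an IP and lies in one of the CIDR networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # garbage (e.g. a forged header value) -> not in any network
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address that should be subject to the allow-list check.

    X-Forwarded-For is only consulted when REMOTE_ADDR is one of our own
    proxies.  Proxies append to the header, clients can prepend anything,
    so the client is the right-most hop that is not itself a trusted proxy.
    """
    trusted = list(trusted_proxies)
    if not forwarded_for or not _in_any(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, trusted):
            return hop
    return remote_addr  # every hop was one of our proxies; fall back to peer


def ip_allowed(addr: str, allowed_networks: Iterable[str]) -> bool:
    """Allow-list check; unparsable input is denied, never allowed."""
    return _in_any(addr, allowed_networks)


def admin_request_allowed(path: str, remote_addr: str, forwarded_for: Optional[str],
                          allowed_networks: Iterable[str], trusted_proxies: Iterable[str],
                          admin_prefix: str = "admin/") -> bool:
    """True if the request may proceed: non-admin paths always pass,
    admin paths pass only for allow-listed clients."""
    prefix = "/" + admin_prefix.strip("/") + "/"          # "/admin/"
    # exact "/admin" (before APPEND_SLASH redirects) or anything under "/admin/";
    # "/administrators/" must NOT match, hence the trailing slash in prefix
    if not (path == prefix[:-1] or path.startswith(prefix)):
        return True
    return ip_allowed(client_ip(remote_addr, forwarded_for, trusted_proxies),
                      allowed_networks)


class AdminIPRestrictMiddleware:
    """Django middleware: 404 for admin paths from non-allow-listed clients.

    Register it in settings.MIDDLEWARE; place it early so the 404 is
    produced before session/auth work happens for untrusted clients.
    Django is imported lazily so the pure functions above can be unit
    tested without a Django install.
    """

    def __init__(self, get_response):
        from django.conf import settings
        self.get_response = get_response
        self.prefix = getattr(settings, "ADMIN_URL_PREFIX", "admin/")
        self.networks = getattr(settings, "ADMIN_ALLOWED_NETWORKS", ["127.0.0.1/32"])
        self.proxies = getattr(settings, "ADMIN_TRUSTED_PROXIES", [])

    def __call__(self, request):
        if admin_request_allowed(request.path,
                                 request.META.get("REMOTE_ADDR", ""),
                                 request.META.get("HTTP_X_FORWARDED_FOR"),
                                 self.networks, self.proxies, self.prefix):
            return self.get_response(request)
        from django.http import HttpResponseNotFound
        return HttpResponseNotFound()  # indistinguishable from a URL that does not exist
```

This restricts reachability only; it is not a substitute for strong admin credentials, and if the app sits behind a load balancer you must list that balancer in the trusted-proxy setting or every request will appear to come from it and be denied (or, worse, if you trust the header unconditionally, anyone can claim 127.0.0.1).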
0

Simply, you can treat the admin path as a secret: set it as an environment variable in your system and then retrieve it (a good approach if your source code is public).

import os

from django.contrib import admin
from django.urls import path

# Must be set in the environment (e.g. DJANGO_ADMIN_PATH=supers3cret4dm1n/) and
# should end with a slash; if it is unset, path(None, ...) raises at import time
ADMIN_URL_PATH = os.getenv('DJANGO_ADMIN_PATH')

urlpatterns = [
    ...
    path(ADMIN_URL_PATH, admin.site.urls),
    ...
]
Bilander answered 21/1, 2023 at 20:33 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.