djangodjango-adminwebfaction

how to prevent access to admin urls in Django?


Django gives admin url automatically, such as www.example.com/admin. I do not want any outside visitors to access this url. This should be accessed only with in the host and allowed IP address. If I try to access to https://instagram.com/admin/ (which is built using Django),it gives 404 page not Found error How can I achieve the same behavior?

what is the preferred and right way to do it?

I host my webservice inwebfaction and allowing IP address of host means other webfaction account-holders might be able to access the admin URL which I dont want to. Looking for a neat and simple way

Thanks:

PS: I see a similar question posted here but that is with respect to PHP. I am wondering how can I acheive the same using Django?


Solution

  • One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

    Example code:

    urlpatterns = patterns(''
        ...
        url(r'^supers3cret4dm1n/', include(admin.site.urls)), # Change the pattern to whatever you want here
        ...
    )
    

    Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

    Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

    EDIT:

    If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.