Custom url for django admin
Question:
For an extra little bit of security I want to change the default django admin url to the custom one, e.g. change mysite.com/admin/ to mysite.com/mysecretadmin/ so that admin is completely unaccessible via default url.
I tried some solutions from the internet, for example I changed urls.py like this:
from django.conf.urls import patterns, url, include
from django.contrib import admin
admin.autodiscover()
urlpatterns = patterns('api.views',
...,
...,
url(r'^secret-admin-url/', include(admin.site.urls)),
)
Nothing worked for me, sadly. Does anyone know the solution? I use django 1.5.4.
Answers:
Refer to the section ‘Hooking AdminSite instances into your URLconf’ in the url
below
https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf
If you do not want to use the default page /admin you can add a secret key to admin. So in urls.py
urlpatterns = [
path('admin_eTiOmEthelInEwathbace/', admin.site.urls,),
]
If in your template you have a link
<a href="{% url 'admin:index' %}">Admin</a>
then this will reference to the above site with url: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/
Now you do not want to publish this secret_key, therefore get it from an environment variable with for example decouple, so urls.py then becomes
from decouple import config
SECRET_ADMIN = config('SECRET_ADMIN')
urlpatterns = [
path(f'admin_{SECRET_ADMIN}/', admin.site.urls,),
]
For those who find this question in recent times. Based on the Django 3.1 docs:
register the default AdminSite instance django.contrib.admin.site at the URL /admin/:
# main project urls.py
from django.contrib import admin
from django.urls import path
urlpatterns = [
path("admin/", admin.site.urls),
]
you can simply change the admin/ url to anything you wish:
urlpatterns = [
path("my_custom_url/", admin.site.urls),
]
If you want to prevent brute force or dictionary attack and your admin login page not accessible for unauthorized user,normal user. please follow this step:
First install django admin honeypot and signal
pip install django-admin-honeypot(inastall in settings.py)
pip install django-honeypot-signals(inastall in settings.py)
override this .txt file(because future tag is deprecated):
templates/honeypot_signals/notification.txt:
{% load i18n %}
{% blocktrans with site_name=site.name %}
{% endblocktrans %}
Invalid login attempt from your duplicate ADMIN panel..
• Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %}
Username: {{ object.username }}
IP: {{ object.ip_address }}
Timestamp: {{ object.timestamp }}
django-admin-honeypot make a fake admin login page and django honeypot signal send email to admin with credentials if any person try to access your fake admin login page.
How to access main admin login page?:
pip install django-decorator-include
Your main urls.py:
from django.contrib import admin
from django.urls import path
from django.urls.conf import include
from . import settings
from decorator_include import decorator_include
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.core.mail.message import EmailMessage
from datetime import datetime
from django.views.generic.base import RedirectView
def only_user():
def check(user):
if user.is_authenticated and user.is_superuser or user.is_staff:
return True
time = datetime.now()
message = f'----------------------------------nName: {user.username}nEmail: {user.email}nTime: {time}.n----------------------------------n • {user.username} is not a staff user or admin.For some security reasons..Please block this user from your admin panel(Blacklist).'
email = EmailMessage(
f' Alert!! {user.username} is try to accessing your admin panel!!',
message,
settings.EMAIL_HOST_USER,
[settings.EMAIL_HOST_USER],
)
email.fail_silently = False
email.send()
raise PermissionDenied
return user_passes_test(check)
urlpatterns = [
path('', include('product.urls')),
#This is all fake admin urls...
path('admin/', include('admin_honeypot.urls',
namespace='admin_honeypot')),
path('site/admin/',RedirectView.as_view(url='/admin')),
path('user/admin/',RedirectView.as_view(url='/admin')),
path('secure/admin/',RedirectView.as_view(url='/admin')),
path('mysite/admin/',RedirectView.as_view(url='/admin')),
path('admin/secure',RedirectView.as_view(url='/admin')),
path('real/admin/',RedirectView.as_view(url='/admin')),
#This is real admin login page url
path('custom_url/',
decorator_include([login_required, only_user()],
admin.site.urls)),
]
For this way you can not access directly your admin login page.. first you need to login your website and then accessible your admin panel..
How to protect website’s login page from the attackers?:
- Use django defender (https://django-defender.readthedocs.io/en/latest/)
---------------------OR-------------------------
- Use google hidden(ReCaptchaV2Invisible) recaptcha field
(https://pypi.org/project/django-recaptcha/)
If any unauthorized users terrible activity detected.You block their IP address or username by using this django package:
pip install django-blacklist
Read docs : django-blacklist
•sorry for my English
For an extra little bit of security I want to change the default django admin url to the custom one, e.g. change mysite.com/admin/ to mysite.com/mysecretadmin/ so that admin is completely unaccessible via default url.
I tried some solutions from the internet, for example I changed urls.py like this:
from django.conf.urls import patterns, url, include
from django.contrib import admin
admin.autodiscover()
urlpatterns = patterns('api.views',
...,
...,
url(r'^secret-admin-url/', include(admin.site.urls)),
)
Nothing worked for me, sadly. Does anyone know the solution? I use django 1.5.4.
Refer to the section ‘Hooking AdminSite instances into your URLconf’ in the url
below
https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf
If you do not want to use the default page /admin you can add a secret key to admin. So in urls.py
urlpatterns = [
path('admin_eTiOmEthelInEwathbace/', admin.site.urls,),
]
If in your template you have a link
<a href="{% url 'admin:index' %}">Admin</a>
then this will reference to the above site with url: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/
Now you do not want to publish this secret_key, therefore get it from an environment variable with for example decouple, so urls.py then becomes
from decouple import config
SECRET_ADMIN = config('SECRET_ADMIN')
urlpatterns = [
path(f'admin_{SECRET_ADMIN}/', admin.site.urls,),
]
For those who find this question in recent times. Based on the Django 3.1 docs:
register the default AdminSite instance django.contrib.admin.site at the URL /admin/:
# main project urls.py
from django.contrib import admin
from django.urls import path
urlpatterns = [
path("admin/", admin.site.urls),
]
you can simply change the admin/ url to anything you wish:
urlpatterns = [
path("my_custom_url/", admin.site.urls),
]
If you want to prevent brute force or dictionary attack and your admin login page not accessible for unauthorized user,normal user. please follow this step:
First install django admin honeypot and signal
pip install django-admin-honeypot(inastall in settings.py)
pip install django-honeypot-signals(inastall in settings.py)
override this .txt file(because future tag is deprecated):
templates/honeypot_signals/notification.txt:
{% load i18n %}
{% blocktrans with site_name=site.name %}
{% endblocktrans %}
Invalid login attempt from your duplicate ADMIN panel..
• Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %}
Username: {{ object.username }}
IP: {{ object.ip_address }}
Timestamp: {{ object.timestamp }}
django-admin-honeypot make a fake admin login page and django honeypot signal send email to admin with credentials if any person try to access your fake admin login page.
How to access main admin login page?:
pip install django-decorator-include
Your main urls.py:
from django.contrib import admin
from django.urls import path
from django.urls.conf import include
from . import settings
from decorator_include import decorator_include
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.core.mail.message import EmailMessage
from datetime import datetime
from django.views.generic.base import RedirectView
def only_user():
def check(user):
if user.is_authenticated and user.is_superuser or user.is_staff:
return True
time = datetime.now()
message = f'----------------------------------nName: {user.username}nEmail: {user.email}nTime: {time}.n----------------------------------n • {user.username} is not a staff user or admin.For some security reasons..Please block this user from your admin panel(Blacklist).'
email = EmailMessage(
f' Alert!! {user.username} is try to accessing your admin panel!!',
message,
settings.EMAIL_HOST_USER,
[settings.EMAIL_HOST_USER],
)
email.fail_silently = False
email.send()
raise PermissionDenied
return user_passes_test(check)
urlpatterns = [
path('', include('product.urls')),
#This is all fake admin urls...
path('admin/', include('admin_honeypot.urls',
namespace='admin_honeypot')),
path('site/admin/',RedirectView.as_view(url='/admin')),
path('user/admin/',RedirectView.as_view(url='/admin')),
path('secure/admin/',RedirectView.as_view(url='/admin')),
path('mysite/admin/',RedirectView.as_view(url='/admin')),
path('admin/secure',RedirectView.as_view(url='/admin')),
path('real/admin/',RedirectView.as_view(url='/admin')),
#This is real admin login page url
path('custom_url/',
decorator_include([login_required, only_user()],
admin.site.urls)),
]
For this way you can not access directly your admin login page.. first you need to login your website and then accessible your admin panel..
How to protect website’s login page from the attackers?:
- Use django defender (https://django-defender.readthedocs.io/en/latest/)
---------------------OR-------------------------
- Use google hidden(ReCaptchaV2Invisible) recaptcha field
(https://pypi.org/project/django-recaptcha/)
If any unauthorized users terrible activity detected.You block their IP address or username by using this django package:
pip install django-blacklist
Read docs : django-blacklist
•sorry for my English