For extra security, I want to change the default Django admin URL to a custom one, for example mysite.com/admin/ to mysite.com/mysecretadmin/, so that the admin is completely unreachable at the default URL.
I tried a few solutions from the internet, e.g. I changed urls.py:

from django.conf.urls import patterns, url, include
from django.contrib import admin

admin.autodiscover()

urlpatterns = patterns('api.views',
    ...,
    ...,
    url(r'^secret-admin-url/', include(admin.site.urls)),
)

Unfortunately nothing worked for me. Does anyone know a solution? I am using Django 1.5.4.
Answer 0 (score: 3)
See the "Hooking AdminSite instances into your URLconf" section at the URL below: https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf
Answer 1 (score: 2)
If you don't want to use the default page /admin, you can add a key to the admin. So in urls.py:

urlpatterns = [
    path('admin_eTiOmEthelInEwathbace/', admin.site.urls,),
]

If you have a link in a template, <a href="{% url 'admin:index' %}">Admin</a>, it will refer to the URL above, which is: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/

Now you don't want to publish this, so you can get it from an environment variable, like your secret_key, with decouple, so urls.py becomes
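The answer above stops before its final urls.py. As an added example that is not from the answer, from Django or from python-decouple, here is a plain-Python helper that reads the admin prefix from an environment variable (the variable name DJANGO_ADMIN_URL and the length and blocklist rules are assumptions) and refuses a missing or weak value instead of quietly falling back to admin/, which would undo the whole point of moving the admin. It imports nothing from Django, so it runs on its own; the last comment shows where it would plug into urls.py.

```python
import os
import re

# Assumed environment variable name; the answer only says "an environment
# variable, like your secret_key".
ADMIN_URL_ENV = "DJANGO_ADMIN_URL"

# A single URL-safe path segment. The 12..128 length bounds are a policy choice.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{12,128}$")

# Prefixes that scanners try first; using one defeats the purpose of the move.
_FORBIDDEN = {"admin", "administrator", "django-admin", "wp-admin", "manage", "backend"}


def normalize_admin_prefix(raw):
    """Validate a secret admin path segment and return it as a Django route.

    Raises ValueError rather than falling back to 'admin/', so a missing or
    weak setting fails at startup instead of silently re-exposing /admin/.
    """
    if raw is None:
        raise ValueError(f"{ADMIN_URL_ENV} is not set")
    segment = raw.strip().strip("/")          # accept "/x/" or "x" alike
    if not _SEGMENT_RE.match(segment):
        raise ValueError("admin prefix must be 12-128 chars of [A-Za-z0-9_-]")
    if segment.lower() in _FORBIDDEN:
        raise ValueError("admin prefix is a well-known admin path")
    return segment + "/"                       # Django routes end with a slash


def is_valid_admin_prefix(raw):
    """Boolean form of the same check, handy in a deploy-time settings test."""
    try:
        normalize_admin_prefix(raw)
    except ValueError:
        return False
    return True


def admin_prefix_from_env(environ=None):
    """Read the prefix from os.environ (or a supplied mapping, for tests)."""
    env = os.environ if environ is None else environ
    return normalize_admin_prefix(env.get(ADMIN_URL_ENV))


# In the project's urls.py this would be wired up as (Django not imported here):
#   path(admin_prefix_from_env(), admin.site.urls)
```

Failing loudly at import time is deliberate: a typo in the deployment environment then shows up as a crash during startup, not as an admin that is back on /admin/ without anyone noticing.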
Answer 2 (score: 0)
For anyone who recently found this question on Django 3.1 (like me).
Based on the Django documentation:
Register the default AdminSite instance django.contrib.admin.site at the URL /admin/:

# main project urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('admin/', admin.site.urls),
]

You simply change the admin/ URL to whatever you want:

urlpatterns = [
    path('my_custom_url/', admin.site.urls),
]
Answer 3 (score: 0)
If you want to prevent brute-force or dictionary attacks, and keep unauthorized users (normal users) from reaching your admin login page, follow these steps:
• Sorry for my bad English
First install django admin honeypot and honeypot signals
pip install django-admin-honeypot (install in settings.py)
pip install django-honeypot-signals (install in settings.py)
Override this .txt file (because of the deprecated future tag):
templates/honeypot_signals/notification.txt:

{% load i18n %}
{% blocktrans with site_name=site.name %}
{% endblocktrans %}
Invalid login attempt from your duplicate ADMIN panel..
• Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %}
Username: {{ object.username }}
IP: {{ object.ip_address }}
Timestamp: {{ object.timestamp }}
django-admin-honeypot creates a fake admin login page, and if someone tries to access your fake admin login page, django-honeypot-signals sends an email with the credentials to the admin.
How do you access the main admin login page?:
pip install django-decorator-include
Your main urls.py:

from django.contrib import admin
from django.urls import path
from django.urls.conf import include
from . import settings
from decorator_include import decorator_include
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.core.mail.message import EmailMessage
from datetime import datetime
from django.views.generic.base import RedirectView


def only_user():
    def check(user):
        # Allow authenticated staff or superusers. `and` binds tighter than
        # `or`, so the grouping has to be explicit; without the parentheses a
        # non-authenticated user with is_staff would pass the check.
        if user.is_authenticated and (user.is_superuser or user.is_staff):
            return True
        # Anyone else gets reported by email and denied.
        time = datetime.now()
        message = (
            '----------------------------------\n'
            f'Name: {user.username}\nEmail: {user.email}\nTime: {time}.\n'
            '----------------------------------\n'
            f' • {user.username} is not a staff user or admin. For some security reasons, '
            'please block this user from your admin panel (Blacklist).'
        )
        email = EmailMessage(
            f'Alert!! {user.username} is trying to access your admin panel!!',
            message,
            settings.EMAIL_HOST_USER,
            [settings.EMAIL_HOST_USER],
        )
        email.fail_silently = False
        email.send()
        raise PermissionDenied
    return user_passes_test(check)


urlpatterns = [
    path('', include('product.urls')),
    # These are all fake admin urls...
    path('admin/', include('admin_honeypot.urls',
                           namespace='admin_honeypot')),
    path('site/admin/', RedirectView.as_view(url='/admin')),
    path('user/admin/', RedirectView.as_view(url='/admin')),
    path('secure/admin/', RedirectView.as_view(url='/admin')),
    path('mysite/admin/', RedirectView.as_view(url='/admin')),
    path('admin/secure', RedirectView.as_view(url='/admin')),
    path('real/admin/', RedirectView.as_view(url='/admin')),
    # This is the real admin login page url
    path('custom_url/',
         decorator_include([login_required, only_user()],
                           admin.site.urls)),
]
This way, you cannot access your admin login page directly. First you need to log in to your site, then you can access your admin panel.
How do you protect the site's login page from attacks?
- Use django defender (https://django-defender.readthedocs.io/en/latest/)
---------------------OR-------------------------
- Use google hidden(ReCaptchaV2Invisible) recaptcha field
(https://pypi.org/project/django-recaptcha/)
If you detect any alarming activity from an unauthorized user, you can block their IP address or username with the following Django package:
pip install django-blacklist
Read the docs: django-blacklist
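The notification template in this answer prints three fields per honeypot hit: username, IP and timestamp. As an added example that is not part of the answer, of django-admin-honeypot or of django-blacklist, the code below takes a constructed list of such records and picks out the source addresses that hit the fake login repeatedly within a short window, which is the kind of list you would hand to whatever blocking package you use. The sample rows, the threshold and the window length are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of honeypot login attempts with the three fields the
# notification template prints: username, ip_address, timestamp. Not real data.
SAMPLE_ATTEMPTS = [
    ("admin", "203.0.113.10", "2024-05-01T10:00:00"),
    ("admin", "203.0.113.10", "2024-05-01T10:00:03"),
    ("root",  "203.0.113.10", "2024-05-01T10:00:05"),
    ("admin", "203.0.113.10", "2024-05-01T10:00:09"),
    ("test",  "203.0.113.10", "2024-05-01T10:00:12"),
    ("admin", "198.51.100.7", "2024-05-01T10:05:00"),
    ("alice", "192.0.2.44",   "2024-05-01T09:00:00"),
    ("alice", "192.0.2.44",   "2024-05-01T11:30:00"),
]


def parse_attempts(rows):
    """Turn (username, ip, iso_timestamp) rows into tuples with datetimes."""
    return [(user, ip, datetime.fromisoformat(ts)) for user, ip, ts in rows]


def ips_to_block(attempts, threshold=5, window=timedelta(minutes=10)):
    """Return the IPs with at least `threshold` honeypot hits inside any
    sliding window of length `window` (a plain brute-force signature)."""
    by_ip = defaultdict(list)
    for _, ip, ts in attempts:
        by_ip[ip].append(ts)

    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def usernames_tried(attempts, ip):
    """Usernames guessed from one address, useful context for the alert email."""
    return sorted({user for user, addr, _ in attempts if addr == ip})


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_ATTEMPTS)
    for ip in ips_to_block(attempts):
        print(ip, "tried", usernames_tried(attempts, ip))
```

Since no legitimate user has any reason to reach the fake admin at all, a threshold of 1 is defensible; the sliding window mainly serves to separate an automated guessing run from a single stray hit when deciding how long a block should last.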