how to prevent access to admin urls in Django?

Question

Django gives admin url automatically, such as www.example.com/admin. I do not want any outside visitors to access this url. This should be accessed only with in the host and allowed IP address. If I try to access to https://instagram.com/admin/ (which is built using Django),it gives 404 page not Found error How can I achieve the same behavior?

what is the preferred and right way to do it?

I host my webservice inwebfaction and allowing IP address of host means other webfaction account-holders might be able to access the admin URL which I dont want to. Looking for a neat and simple way

Thanks:

PS: I see a similar question posted here but that is with respect to PHP. I am wondering how can I acheive the same using Django?

Answer 1

One common method, which is advocated by Two Scoops of Django, is to change your admin url. Thus, rather than logging into your admin at www.example.com/admin/, you would log in at www.example.com/supers3cret4dm1n/ or something that you've set. This is likely what Instagram has done in your example.

Example code:

urlpatterns = patterns(''
    ...
    url(r'^supers3cret4dm1n/', include(admin.site.urls)), # Change the pattern to whatever you want here
    ...
)

Note that this doesn't make it accessible from only one IP address, but it does effectively 'hide' your admin login page.

Another tip is to use the django-admin-honeypot package. This sets up a fake admin page at www.example.com/admin while having your real admin page at another site that you've set. Then, django-admin-honeypot will alert you if anyone tries to hack your admin at the fake admin site.

EDIT:

If you're dead-set on restricting by IP address, here's a SO question and answer showing how to do it with nginx. I imagine it'd be similar with others.