Skip to content

New feature: enhance security with custom admin URL. #4264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

New feature: enhance security with custom admin URL. #4264

wants to merge 11 commits into from

Conversation

kiatng
Copy link
Contributor

@kiatng kiatng commented Oct 10, 2024
edited
Loading

Description (*)

Ref #1209 (comment), where I was trying to make use of the nginx config for admin without the use of caddy. For this, I needed the ability to have a custom admin URL, which is configurable here:

image

However, Custom Admin URL is not implemented. This PR is my attempt to complete the implementation.

When Custom Admin URL is used, frontend access to admin is forbidden in the function match() in app/code/core/Mage/Core/Controller/Varien/Router/Admin.php. This is independent of server config, which provides an alternate way:

magento-lts/dev/openmage/nginx-frontend.conf

Lines 150 to 154 in 5a95706

# Non-rewritten URLs, Admin and API are disabled for frontend
location /index.php/ { return 404; }
location ~ ^/admin(?:/(.*))?$ { return 404; }
location /api/ { return 404; }
location /api.php { return 404; }

Related Pull Requests

PR #1209

Manual testing scenarios (*)

  1. Add a separate host for admin, example nginx config:
server {
    listen 80;
    server_name admin.example.com;

    access_log /var/log/nginx/admin.example.com-access.log combined;
    error_log /var/log/nginx/admin.example.com-error.log;

    set $webroot /var/web/example; # OpenMage root

    include include/openmage-admin.conf; # See dev/openmage/nginx-admin.conf
}
  1. It's probably not feasible to set Custom Admin URL in admin. So add it directly to the table:
UPDATE `core_config_data` SET `value` = '1' WHERE `path` = 'admin/url/use_custom';
INSERT INTO `core_config_data` (`scope`, `scope_id`, `path`, `value`, `updated_at`) 
  VALUES ('default', '0', 'admin/url/custom', 'admin.example.com', CURRENT_TIMESTAMP);
  1. Navigate to admin.example.com/adminFrontName where adminFrontName is set in /etc/local.xml
  2. Navigate to main store www.example.com/adminFrontName should return 404 page not found.

Questions or comments

I am not sure if this is the best way to implement the custom admin URL. Collab welcome.

Possible issue for API in 3rd-party code because of

magento-lts/api.php

Line 38 in 5496d8a

Mage::init('admin');

As can be seen above, API is admin store, and if there is a Mage::getUrl() in the response params, the URL will not be accessible. There is no Mage::getUrl() in the core, but may be present in 3rd-party code/modules.

@github-actions github-actions bot added Component: Core Relates to Mage_Core Component: Adminhtml Relates to Mage_Adminhtml labels Oct 10, 2024
@kiatng kiatng marked this pull request as draft October 10, 2024 03:56
@sreichel
Copy link
Contributor

I did a quick test ...

It seems it needs some documentation. Changes to .htaccess etc ...

I tried with apache (DDEV), added addtional host names, but got redirected to frontend page.

@github-actions github-actions bot added the errors Relates to error pages label Oct 11, 2024
@kiatng kiatng marked this pull request as ready for review January 20, 2025 04:31
@sreichel
Copy link
Contributor

sreichel commented Jan 22, 2025
edited
Loading

Can you please combine the if statements as suggested?

@kiatng
Copy link
Contributor Author

kiatng commented Feb 13, 2025

This code is in production.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sreichel
Copy link
Contributor

@kiatng cant login to admin with that change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Component: Adminhtml Relates to Mage_Adminhtml Component: Core Relates to Mage_Core errors Relates to error pages new feature security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kiatng @sreichel