-
-
Notifications
You must be signed in to change notification settings - Fork 449
New feature: enhance security with custom admin URL. #4264
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
I did a quick test ... It seems it needs some documentation. Changes to .htaccess etc ... I tried with apache (DDEV), added addtional host names, but got redirected to frontend page. |
Can you please combine the if statements as suggested? |
This code is in production. |
|
|
@kiatng cant login to admin with that change. |
Description (*)
Ref #1209 (comment), where I was trying to make use of the nginx config for admin without the use of caddy. For this, I needed the ability to have a custom admin URL, which is configurable here:
However, Custom Admin URL is not implemented. This PR is my attempt to complete the implementation.
When Custom Admin URL is used, frontend access to admin is forbidden in the function
match()
in app/code/core/Mage/Core/Controller/Varien/Router/Admin.php. This is independent of server config, which provides an alternate way:magento-lts/dev/openmage/nginx-frontend.conf
Lines 150 to 154 in 5a95706
Related Pull Requests
PR #1209
Manual testing scenarios (*)
admin.example.com/adminFrontName
whereadminFrontName
is set in /etc/local.xmlwww.example.com/adminFrontName
should return 404 page not found.Questions or comments
I am not sure if this is the best way to implement the custom admin URL. Collab welcome.
Possible issue for API in 3rd-party code because of
magento-lts/api.php
Line 38 in 5496d8a
As can be seen above, API is admin store, and if there is a
Mage::getUrl()
in the response params, the URL will not be accessible. There is noMage::getUrl()
in the core, but may be present in 3rd-party code/modules.