Directus admin security configuration: changing the admin directory
What I find hard to understand is that the Directus admin app lives at the fixed path /admin and there is no option to change it. By default, opening the site root redirects straight to /admin. If the instance exposes no public resources (API, images, files), binding it to a private domain name is enough.
But as soon as a single request reaches the front end, the admin address is exposed. Take an image uploaded through Directus and referenced as "https://directus.yourdomain.com/assets/xxx.jpg": anyone who sees that URL only has to open https://directus.yourdomain.com/ to be redirected to the admin login page. That is quite dangerous.
This need was raised in the official GitHub community a long time ago, but the maintainers dropped it for lack of votes:
It has been over 90 days, and this discussion has not received at least 15 votes from the community. This means that we don't feel like there's enough community interest to warrant further R&D into this topic at this time.
Final solution
I eventually found a solution here using an nginx reverse proxy. The idea is to configure two separate server names in nginx that both proxy to the same Directus instance:
- Private: https://admin.yourdomain.com, used only by administrators
- Public: https://api.example.com, used for public content; the /admin path must be denied here
How to deny access to /admin in the public proxy block:
```nginx
location /admin {
    # no proxy_pass here: the request never reaches Directus, nginx's own
    # 404 is rendered by the named location below
    error_page 404 @message;
}

location @message {
    default_type application/json;
    # strip the query string so only the path is echoed back
    set $new_uri "";
    if ($request_uri ~ "^([^?]*)(\?.*)?$") {
        set $new_uri $1;
    }
    return 404 '{"errors":[{"message":"Route $new_uri doesn\'t exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}';
}
```
Requests to /admin on the public host now get a response indistinguishable from any other unknown route:
```json
{"errors":[{"message":"Route / doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}
```
Two caveats. First, `location /admin` is a case-sensitive prefix match, while Express (which Directus is built on) matches routes case-insensitively by default, so a request for /Admin could slip past nginx and still be answered by the upstream; if you do not want to rely on the upstream's routing settings, match the prefix case-insensitively (`location ~* ^/admin`). Second, this only hides the admin UI: the REST and GraphQL endpoints, including /auth/login, remain reachable on the public host, so strong credentials (and two-factor authentication for admin accounts) still matter.
The final nginx configuration is shown below, using the domain towait.com as an example (change it to your own):
```nginx
#@public/api.towait.com
server {
    server_name api.towait.com;

    location / {
        proxy_pass http://localhost:7055;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # deny the admin app on the public host
    location /admin {
        error_page 404 @message;
    }

    location @message {
        default_type application/json;
        set $new_uri "";
        if ($request_uri ~ "^([^?]*)(\?.*)?$") {
            set $new_uri $1;
        }
        return 404 '{"errors":[{"message":"Route $new_uri doesn\'t exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}';
    }
}

#@private/admin-xxx.towait.com
server {
    server_name admin-xxx.towait.com;

    # same upstream, no restrictions: only administrators know this host
    location / {
        proxy_pass http://localhost:7055;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
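Once the two server blocks are live it is worth checking the public host from the outside rather than trusting the config file. The script below is an added example (not part of the original post and not Directus code): it probes a few spellings of the admin path on the public host, treats only nginx's ROUTE_NOT_FOUND JSON as "blocked", and checks that the site root no longer redirects to /admin. The host name, the probe list and the audit function name are my own assumptions.

```python
"""Audit that the public Directus host hides the admin app (added example)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Variants a scanner would try; they exercise prefix, case and query handling
# of the nginx location block, not just the bare "/admin".
ADMIN_PROBES = ["/admin", "/admin/", "/admin/login", "/Admin", "/admin?x=1"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base, path, timeout=5):
    """GET base+path without following redirects; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(urljoin(base, path),
                                 headers={"User-Agent": "directus-admin-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict or an HTTPMessage."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_blocked(status, headers, body):
    """True only for nginx's 404 + ROUTE_NOT_FOUND JSON, i.e. the request
    was answered by the @message location and never reached Directus."""
    if status != 404:
        return False
    if not _header(headers, "Content-Type").startswith("application/json"):
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    errors = doc.get("errors") or []
    return any(err.get("extensions", {}).get("code") == "ROUTE_NOT_FOUND"
               for err in errors)


def root_redirects_to_admin(status, headers):
    """True when GET / answers with a redirect to /admin (ROOT_REDIRECT still on)."""
    location = _header(headers, "Location")
    return 300 <= status < 400 and location.rstrip("/").endswith("/admin")


def audit(public_base="https://api.towait.com"):
    """Return a list of findings; an empty list means the public host is clean."""
    findings = []
    for path in ADMIN_PROBES:
        status, headers, body = fetch(public_base, path)
        if not is_blocked(status, headers, body):
            findings.append(f"{path}: admin app reachable (HTTP {status})")
    status, headers, _ = fetch(public_base, "/")
    if root_redirects_to_admin(status, headers):
        findings.append("/: redirects to /admin (set ROOT_REDIRECT=false)")
    return findings


if __name__ == "__main__":
    import sys
    problems = audit(sys.argv[1] if len(sys.argv) > 1 else "https://api.towait.com")
    print("\n".join(problems) if problems else "public host looks clean")
    sys.exit(1 if problems else 0)
```

Run it as `python3 audit.py https://api.towait.com` after deploying; a non-zero exit means at least one admin path or the root redirect is still exposed. The decision functions take plain status/headers/body values so they can be unit-tested offline without an nginx in front of them.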
Summary
To make your Directus deployment safer, I strongly recommend the following:
1. Enable HTTPS
I strongly recommend using certbot to obtain an SSL certificate and enable HTTPS. If you are not sure how, see "Deploying auto-renewing Let's Encrypt for Nginx on Ubuntu".
Enable HTTPS on both hosts, the public one that exposes front-end resources and the private one used for administration. Request a separate certificate for each host rather than one certificate listing both names: every name in a certificate's SAN list is visible to any client that connects to the API host, and Let's Encrypt publishes every certificate it issues to Certificate Transparency logs. Even with separate certificates the private hostname ends up in those public logs; if that matters to you, a wildcard certificate (*.towait.com, which requires the DNS challenge) is the only way to keep it out of them.
```bash
sudo certbot --nginx -d api.towait.com
sudo certbot --nginx -d admin-xxx.towait.com
```
Output:
```text
certbot --nginx -d admin-xxx.towait.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for admin-xxx.towait.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/admin-xxx.towait.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/admin-xxx.towait.com/privkey.pem
This certificate expires on 2023-09-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for admin-xxx.towait.com to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://admin-xxx.towait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
After the command runs, certbot inserts the certificate directives into the nginx server{} block:
```nginx
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/admin-xxx.towait.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/admin-xxx.towait.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
```
2. Use a hard-to-guess admin hostname
To resist guessing and social engineering, never build the private hostname from meaningful words; that goes against basic security practice. I strongly recommend generating a random string at https://randomkeygen.com/ and copying it straight in. Keep in mind that a random hostname is obscurity, not authentication: it keeps scanners away from the login page, but the accounts behind it still need strong passwords.
3. Disable the automatic redirect to /admin
Directus provides an option to turn off the automatic redirect to /admin: open the .env file and set ROOT_REDIRECT to false. Without this, the site root on the public host still announces the admin path even though nginx denies it.
4. Reference paths of static assets
If files are uploaded through the rich-text editor, the URLs stored in the content use the host the editor was opened on, so they expose the admin hostname in the same way. The front-end framework therefore has to rewrite (replace) those asset URLs to the public host before rendering them.
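One way to do that rewrite, as an added example that is neither from the original post nor from Directus: scan the stored HTML for src/href attributes, rewrite /assets/ links that point at the admin host to the public host, and report any other admin-host URL instead of silently passing it through. The two host names and the function name are placeholders of my own.

```javascript
// Added example: rewrite asset links stored by a Directus rich-text field so
// that public pages never reference the admin host. Host names are assumed.
const ADMIN_ORIGIN = "https://admin-xxx.towait.com";
const PUBLIC_ORIGIN = "https://api.towait.com";

// Relative URLs ("#top", "/page") are resolved against a dummy base so they
// are left untouched; only absolute URLs naming the admin host are considered.
const RELATIVE_BASE = "http://relative.invalid";

function rewriteAssetUrls(html, adminOrigin = ADMIN_ORIGIN, publicOrigin = PUBLIC_ORIGIN) {
  const adminHost = new URL(adminOrigin).hostname;
  const leaked = []; // admin-host URLs that are not /assets/ links
  // Quoted src/href attributes only; unquoted attributes are not handled.
  const attrRe = /\b(src|href)=(["'])([^"']*)\2/gi;

  const out = html.replace(attrRe, (match, attr, quote, value) => {
    let url;
    try {
      url = new URL(value, RELATIVE_BASE);
    } catch {
      return match; // unparsable value: leave as-is
    }
    if (url.hostname !== adminHost) return match; // other hosts untouched
    if (url.pathname.startsWith("/assets/")) {
      // keep path and query (e.g. ?width=400 transformations), swap the origin
      return `${attr}=${quote}${publicOrigin}${url.pathname}${url.search}${quote}`;
    }
    leaked.push(value); // e.g. a link into the admin UI itself
    return match;
  });

  return { html: out, leaked };
}
```

Call `rewriteAssetUrls(field.value)` when rendering the field and log or fail on a non-empty `leaked` list; a link into /admin inside published content is exactly the leak the whole setup is meant to prevent.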