Directus admin security configuration: changing the admin directory


What I really don't understand is that the Directus admin panel lives at /admin by default and that path cannot be changed; by default, opening the root URL redirects straight to /admin. If there were no public resources such as the API, images and files, we could simply bind a private domain name and be done.

But any single request made from the frontend can easily expose the admin URL. Take an image uploaded through Directus and referenced as “https://directus.yourdomain.com/assets/xxx.jpg”: anyone only has to open http://www.directus.yourdomain.com to be redirected to the admin page, which is quite dangerous.

This need was raised long ago in the official GitHub community:

  • Configurable path to App #2988
  • Allow to customize /admin path #17667

But in the end both were dropped by the maintainers for not receiving enough votes:

It has been over 90 days, and this discussion has not received at least 15 votes from the community. This means that we don't feel like there's enough community interest to warrant further R&D into this topic at this time.

Final solution

In the end I found here a way to solve this with an nginx proxy: configure two domain names in nginx, each proxying independently to the same Directus project:

  1. Private – https://admin.yourdomain.com – used by administrators
  2. Public – https://api.example.com – used for public content; access to the /admin path must be blocked

How to block access to /admin in the public nginx proxy section:

    location /admin {
        # Refuse the admin app on the public host; the 404 is rendered by @message below
        error_page 404 @message;
        return 404;
    }

    location @message {
        default_type application/json;
        # Keep only the path part of $request_uri (drop the query string) before echoing it
        set $new_uri "";
        if ($request_uri ~ "^([^?]*)(\?.*)?$") {
            set $new_uri $1;
        }
        return 404 '{"errors":[{"message":"Route $new_uri doesn\'t exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}';
    }

Now when we request the admin path on the public domain we get this response:

{"errors":[{"message":"Route / doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}

The final nginx configuration is shown below, using the domain towait.com as an example (adjust it to your own):

#@public/api.towait.com
server {

    server_name api.towait.com;

    location / {
        proxy_pass http://localhost:7055;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /admin {
        # Refuse the admin app on the public host; the 404 is rendered by @message below
        error_page 404 @message;
        return 404;
    }

    location @message {
        default_type application/json;
        # Keep only the path part of $request_uri (drop the query string) before echoing it
        set $new_uri "";
        if ($request_uri ~ "^([^?]*)(\?.*)?$") {
            set $new_uri $1;
        }
        return 404 '{"errors":[{"message":"Route $new_uri doesn\'t exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}';
    }

}

#@private/admin-xxx.towait.com
server {

    server_name admin-xxx.towait.com;

    location / {
        proxy_pass http://localhost:7055;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}
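To confirm that a deployment split this way really behaves as intended, here is an added Python check written for this article (it is not Directus's code and was not part of the original post). The hostnames are placeholders, and it assumes the public host answers every /admin variant with the JSON 404 shown above while the private host still serves the admin app's HTML; the "/Admin" variant is included because nginx prefix locations are case-sensitive.

```python
import json
import urllib.error
import urllib.request

# Placeholder hostnames for the two nginx server blocks; substitute your own.
PUBLIC = "https://api.example.com"
PRIVATE = "https://admin.yourdomain.com"

# Admin-path variants the public host must refuse. "location /admin" is a
# case-sensitive prefix match, so "/Admin" checks a case-insensitive upstream router.
ADMIN_PATHS = ["/admin", "/admin/", "/admin/login", "/admin?x=1", "/Admin"]


def classify(status, content_type, body):
    """'blocked' for the ROUTE_NOT_FOUND JSON 404, 'exposed' for an HTML page, else 'other'."""
    if status == 404 and "json" in content_type:
        try:
            code = json.loads(body.decode("utf-8", "replace"))["errors"][0]["extensions"]["code"]
        except (ValueError, KeyError, IndexError, TypeError):
            return "other"
        return "blocked" if code == "ROUTE_NOT_FOUND" else "other"
    if status == 200 and "text/html" in content_type:
        return "exposed"
    return "other"

def fetch(url):
    """Return (status, content-type, body) of the final response; 4xx/5xx do not raise."""
    req = urllib.request.Request(url, headers={"User-Agent": "directus-split-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read()

def check_split(public=PUBLIC, private=PRIVATE):
    """Return a list of findings; an empty list means the split behaves as intended."""
    findings = []
    for path in ADMIN_PATHS:
        verdict = classify(*fetch(public + path))
        if verdict != "blocked":
            findings.append(f"{public}{path}: {verdict}")
    # The private host must still serve the admin app (Directus redirects /admin to /admin/).
    if classify(*fetch(private + "/admin")) != "exposed":
        findings.append(f"{private}/admin: admin app not served")
    return findings

if __name__ == "__main__":
    problems = check_split()
    print("\n".join(problems) or "OK: /admin refused on the public host, served on the private host")
    raise SystemExit(1 if problems else 0)
```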

Summary

To make your Directus deployment more secure, I strongly recommend doing the following:

1. Enable HTTPS

I strongly recommend using certbot to generate an SSL certificate and enable HTTPS for the site; if you are not sure how, refer to

Whether a host serves public resources to the frontend or the private admin backend, I recommend enabling HTTPS on both.

sudo certbot --nginx -d api.towait.com -d xxx.towait.com

Output:

certbot --nginx -d admin-xxx.towait.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for admin-xxx.towait.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/admin-xxx.towait.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/admin-xxx.towait.com/privkey.pem
This certificate expires on 2023-09-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for admin-xxx.towait.com to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://admin-xxx.towait.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After the command runs, the certificate directives are added to the nginx server {} block:

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/admin-xxx.towait.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin-xxx.towait.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

2. Use a hard-to-guess admin hostname

To avoid it being worked out through social engineering, never use a meaningful combination of words, which seriously violates basic cryptographic common sense; I strongly recommend generating random strings on https://randomkeygen.com/ and copying them in directly.

3. Disable the automatic redirect to /admin

Directus officially provides a configuration option to disable the automatic redirect to /admin: open the .env file and set ROOT_REDIRECT to false.

4. Reference paths of static assets

If we need a rich-text editor to upload files, the default file URLs will likewise expose the admin path, so we have to take care to replace them in the frontend framework.


  • Marvin, 6 months ago

    Does `use a hard-to-guess admin hostname` mean putting it in the subdomain, e.g. `admin-nydU0Ii8ksMwYo.towai.com`?

    • kingleoric, 6 months ago

      Yes, two domain names point to the same application, and then in nginx you restrict access to the admin directory on the publicly exposed domain.
      One more thing: if files are stored locally on the server, remember to replace the directory when fetching data, e.g. replace "admin-abc.xxx.com" with "api.xxx.com".
      This is the only suitable solution at the moment; I have been using it all along.

      • Marvin, 6 months ago

        Could I add you on WeChat? I have some questions to ask. Mine: xpy0***

  • Julian, 6 months ago

    Added; the WeChat ID has been redacted.
