Securing the Admin page

Now that I have my Radiant powered site up and running (thank you very much!) I am getting a bit anxious about the /admin page being exposed to the world. Not that I’m a big target or anything, but I really don’t want to have to depend on my password skills to make sure my site stays the way it is. What I would like to do is two fold.

First I want to for the /admin page to be SSL only. What’s the best way to go about this? I am going to have a self signed certificate for now as it’s only me doing the editing, but I would like to keep the editing sessions private. At the very least I have to secure the initial logon page, even if I don’t secure the entire /admin/… route.

Second I would like to change the admin route from /admin to something else, maybe /edit, or /blahblah. What’s the best|easiest way to do this? I know security by obscurity is no security at all, but I would like to at least give the script kiddies something to chew on. :slight_smile:

Thanx!
Richard

P.S. I apologize if this is in the Wiki - I searched but couldn’t find
anything on it. I’ll update the Wiki if I get it working. How’s that?
:slight_smile:

Richard,

I would use your webserver’s capabilities to restrict requests to that
path to be over SSL. I believe this is fairly easy to do with Apache,
and I have a vague idea of how to do it with nginx. Unfortunately, I
don’t do it that often and so I can’t provide you any snippets.

Sean

Ok, but what about changing the /admin route to something else? Like I
said, it’s not much but it might keep the script kiddies away.

Thanx!
Richard

For hiding the /admin “route” in the webserver you have to make the web
server rewrite the incoming URL:

The idea is to do two rewrites (from “external” URLs to “internal”
URLs):

  • from “/admin” to “/this-does-not-exist”
  • from “/my-new-admin” to “/admin”

And you are done! ™

/AITOR
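One way to put both answers together (Sean's "SSL only for that path" and AITOR's two rewrites) in Apache, as an added example that is not from this thread; the backend address 127.0.0.1:8000, the hostname and the certificate paths are assumptions:

```apache
# Added example (not from this thread): Apache 2.x with mod_rewrite, mod_ssl and
# mod_proxy in front of a Radiant app listening on 127.0.0.1:8000 (assumption).
# Hostname, backend port and certificate paths are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # Rewrite 1: the real admin path is answered exactly like a missing page
    # (the "/this-does-not-exist" idea, done by Apache itself).
    RewriteRule ^/admin(/.*)?$ - [R=404,L]
    # The renamed admin path is never served over plain HTTP: bounce to HTTPS.
    RewriteRule ^/my-new-admin(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Everything else (the public site) goes to Radiant as usual.
    RewriteRule ^/(.*)$ http://127.0.0.1:8000/$1 [P,L]
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # A self-signed pair is fine while only one person edits the site.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    RewriteEngine On
    # Rewrite 1 again: /admin stays hidden on HTTPS too.
    RewriteRule ^/admin(/.*)?$ - [R=404,L]
    # Rewrite 2: the new external path is mapped onto Radiant's internal /admin.
    # Only the proxied request carries /admin; the browser only sees /my-new-admin.
    RewriteRule ^/my-new-admin(/.*)?$ http://127.0.0.1:8000/admin$1 [P,L]
    RewriteRule ^/(.*)$ http://127.0.0.1:8000/$1 [P,L]
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

Radiant itself still builds its links and post-login redirects as /admin/..., so the rewrite alone breaks navigation inside the admin UI unless the application is also told about the new prefix. ProxyPassReverse only maps the backend host back to the public one in Location headers; it does not turn /admin into /my-new-admin.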