How to stop non registered sub domains from redirecting to admin interface?


Hi
If a non-registered subdomain is entered (e.g. xyz.domain.tld or random.domain.tld), the page is redirected to the admin panel after showing a certificate error. I want to stop this, as the user could accidentally enter a wrong subdomain which is not registered; a certificate error would be shown, and accepting it would take them to the admin panel, which is not desired.

How can I remove the admin panel and put up a page saying something like "You have come to the wrong place."?

1 Like

this would be nice

I have already opened an issue for it.
https://dev.yunohost.org/issues/981

I second that.

Otherwise, I seem to have read somewhere that it is possible to move the administration interface to a specific subdomain? Is that correct?

You need to change nginx conf files. Something like

location / {
    return 302 https://$http_host/yunohost/admin;
}

to

location / {
    return 302 https://$http_host/;
}

in the /etc/nginx/conf.d/yunohost_admin.conf file, which seems to be used when you go to a subdomain not available on your YunoHost instance.

You’ll have a warning in your browser (which searches for an available TLS certificate for the non-existent domain), and nothing is shown.

It’s a way; it needs some improvement (to redirect to the page you want).

5 Likes
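An added example, not from the thread or from the YunoHost project: a catch-all nginx server block (in a hypothetical /etc/nginx/conf.d/catch-all.conf) that answers any hostname nginx does not otherwise know, including unregistered subdomains and the bare IP, with a plain 404 page instead of redirecting. It sends no Location header at all, which also avoids the self-redirect that `return 302 https://$http_host/;` inside `location /` produces. It assumes no other server block (such as the one in yunohost_admin.conf) already declares `default_server` on the same ports, since nginx refuses to start with two default servers, and the certificate paths are placeholders.

```nginx
# Added example (not YunoHost's own configuration).
# Catch-all for hostnames no other server block matches.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # "_" is nginx's conventional name for a server that never matches a
    # real hostname; with default_server it receives every unmatched request.
    server_name _;

    # A TLS default_server still needs some certificate to complete the
    # handshake. PLACEHOLDER paths: use any certificate you already have.
    # The browser will warn because it does not match the typed hostname,
    # exactly as with the redirect, but no page after the warning points
    # the visitor at /yunohost/admin.
    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;

    # Every path gets a 404 with an inline body: no redirect, no admin UI.
    location / {
        default_type text/plain;
        return 404 "You have come to the wrong place.\n";
    }
}
```

Check it with `nginx -t` before reloading; a "duplicate default server" error means another block already claims `default_server` and its redirect is what needs changing instead.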

Thanks for the tip. I will try it soon.

My 2 cents about this: due to the redirection to the admin interface, it is very easy to find a bunch of YunoHost servers; if one hack is found, bad people will be able to attack many of us.

Example : https://www.shodan.io/search?query=yunohost%2Fadmin

@Mamie
There is already a solution provided by Genma: How to stop non registered sub domains from redirecting to admin interface?

It doesn’t work for you?

I didn’t even try it (I’ll do it this week).
The problem is that most people using YunoHost use it because they are not sysadmins and trust YunoHost about security, updates and compatibility.
So most people are absolutely not aware of this redirection, don’t care, and won’t do anything.

This should be fixed inside YunoHost (e.g. disabled as soon as a first domain is set up, redirecting to it instead, or adding a field in the admin to set the “default” redirection endpoint, which could be “reject”)?

This should not be disabled by people who are not sysadmins, as they will end up losing the admin interface, which is not desired for new users. A better solution is to keep a long and difficult password (for a strong password validator you can open a new issue).

For people who are familiar with the command line and are sysadmins, you can disable the admin interface with these commands.

yunohost service stop yunohost-api
yunohost service disable yunohost-api

This topic was about stopping the redirection to the admin interface from subdomains which are not yet registered in the admin panel, not about disabling the admin interface.

I absolutely do not want to disable the admin interface, but to block the redirection to it from any subdomain or when accessing directly by IP (which are scanned continuously by “security” services).
As soon as a domain is set up, the admin interface is accessible via domain/yunohost/admin, so there is no need for a default redirection.

A long and difficult password is nice, but if an exploit is found in YunoHost, it is better for us if “all YunoHost instances” are not that easy to find.

SSO can also be scanned; will you disable it too? :smile:
There are also other ways to find out that you are running YunoHost besides this.

There is no magic bullet that will make you completely secure.

I never understood why it has to be under yunohost/sso/ and cannot be at the root of a domain.
The thing is that the SSO is not accessible via IP but via domain, which is more secure (because most online scans (I think) go through all IPv4 addresses