Hi
If a non-registered subdomain is entered (e.g. xyz.domain.tld or random.domain.tld) the page is redirected to the admin panel after showing a certificate error. I want to stop this, as a user could accidentally enter a wrong subdomain which is not registered, a certificate error would be shown, and accepting it would take him to the admin panel, which is not desired.
How can I remove the admin panel and put up a page saying something like "You have come to the wrong place."?
My 2 cents about this: due to the redirection to the admin interface, it is very easy to find a bunch of YunoHost servers; if one hack is found, bad people will be able to attack many of us.
I haven't even tried yet (I'll do it this week).
The problem is that most people using YunoHost use it because they are not sysadmins and trust YunoHost about security, updates, and compatibility.
So most people are absolutely not aware of this redirection, don't care, and won't do anything.
This should be fixed inside YunoHost (like being disabled as soon as a 1st domain is set up, redirecting to it instead, or adding a field in the admin to set the "default" redirection endpoint (which can be "reject")?)
This should not be disabled by people who are not sysadmins, as they will end up losing the admin interface, which is not desired for new users. A better solution is to keep a long and difficult password (for a strong password validator you can open a new issue).
For people who are familiar with the command line and are sysadmins, you can disable the admin interface with these commands:
yunohost service stop yunohost-api
yunohost service disable yunohost-api
This topic was about stopping the redirection to the admin interface from subdomains which are not yet registered in the admin panel, not about disabling the admin interface.
I absolutely do not want to disable the admin interface, but to block the redirection to it from any subdomain or when accessing directly by IP (which are scanned continuously by "security" services).
As soon as a domain is set up, the admin interface is accessible via domain/yunohost/admin, so there is no need for a default redirection.
A long and difficult password is nice, but if an exploit is found in YunoHost, it is better for us if "all YunoHost instances" are not that easy to find.
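The "reject" behaviour discussed in this thread (no redirect to the admin panel for unregistered subdomains or for direct IP access) can be expressed as a catch-all web-server configuration. The block below is an added example, not YunoHost's own configuration; it assumes the installation serves its domains with nginx, that the per-domain server blocks carry explicit server_name entries, and that the file path in the comment is a placeholder for wherever extra nginx configuration is loaded on your system.

```nginx
# Added example (not YunoHost's own configuration): a catch-all nginx
# server block that answers every Host name not explicitly configured,
# including bare IP access, with a plain refusal instead of a redirect.
# Assumed path (placeholder): /etc/nginx/conf.d/00-catchall.conf

# Plain HTTP: any unmatched Host gets a short 404 page and no redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    default_type text/plain;
    return 404 "You have come to the wrong place.\n";
}

# HTTPS: refuse the TLS handshake for unknown names, so the browser never
# reaches a certificate warning that a user might click through.
# ssl_reject_handshake needs nginx 1.19.4 or newer; on older versions
# replace it with a self-signed ssl_certificate/ssl_certificate_key pair
# and "return 444;" to close the connection without a response.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_reject_handshake on;
}
```

After `nginx -t` and a reload, `curl -i -H "Host: random.domain.tld" http://SERVER-IP/` should return the 404 text rather than a 30x to the admin path, and `openssl s_client -connect SERVER-IP:443 -servername random.domain.tld` should fail the handshake instead of presenting a mismatched certificate. Registered domains keep working because nginx prefers an exact server_name match over the default_server block. If the installation regenerates its nginx configuration on updates, keep this file somewhere it will not be overwritten (an assumption about your setup, not something the thread states).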
I never understood why it has to be under yunohost/sso/ and cannot be at the root of a domain.
The thing is that the SSO is not accessible via IP but via domain, which is more secure (because most online scans (I think) go through all IPv4 addresses