ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Securing the EE Control Panel (only) - latest version software

May 11, 2014 8:58pm

  • #1 / May 11, 2014 8:58pm

    doubleclick

    43 posts

    Hi All!! Wondering if it’s possible to change the control panel URL from http://domainname.com/admin.php to something else? Thinking about http://login.domainname.com/login.php or something different - possible?

    If not, that’s OK - the main thing we’d like to do is secure the login with HTTPS. I’ve read that it’s doable but it’s unclear what in the backend we need to do to enable this (control panel only btw), and also, if it is recommended we use a plugin of some kind due to some issues people are experiencing like this: http://devot-ee.com/add-ons/https-support. Any advice is greatly appreciated.

  • #2 / May 12, 2014 11:17am

    Jeremy S.

    353 posts

    EllisLab documents changing the name of admin.php. Have you read the post-install process?
    http://ellislab.com/expressionengine/user-guide/installation/best_practices.html

  • #3 / May 12, 2014 1:22pm

    doubleclick

    43 posts

    Thanks, this is useful…so basically we can change the name of admin.php. But wondering if we can change the URL altogether: login.domainname.com. Also, what about securing passwords? Is the only way to properly encrypt them on login and the control panel via https using a cert? Has anyone done this and if so, what recommendations do you have - thank you!

  • #4 / Jun 03, 2014 7:44am

    Space-Needle

    7 posts

    We are also investigating how to better secure the EE Control Panel, so I would welcome additional comments from the community on this topic. Changing the name of ../admin.php is easy enough, but as any web security expert will tell you, that’s an attempt at “security by obscurity.” Simply hiding ../admin.php also doesn’t protect the data being passed in transit between the browser and your web server—including your password and/or password hash!

    We have attempted to enable HTTPS/SSL for the Control Panel by tweaking the Apache’s configuration in httpd.conf and ssl.conf, but EE doesn’t seem to like this. See the before and after screen shots. Essentially, the interface for Control Panel is broken once HTTPS/SSL is enabled. We are continuing to investigate, but I have to think that others have encountered this problem before we did. (I mean, you all aren’t really passing your EE Super Admin password and Control Panel traffic over the Internet in clear-text are you?)

    If someone knows a rather easy fix for this, let us know. Otherwise we will continue our research.

    Regards.

  • #5 / Jun 03, 2014 9:05am

    Space-Needle

    7 posts

    Ok - for those interested, we found a solution that may work for the rest of you as well. See the steps below, which were done on a CentOS 6.5 server running Apache 2.4.x. If your Linux distribution is different, you may need some tweaks. We welcome feedback.

    Steps to Securing the EE Control Panel with HTTPS/SSL

    Step 1 - Obtain and install an SSL certificate

    If you don’t already have an SSL certificate from a Trusted Certificate Authority, you need to get one. If you prefer to use a self-signed certificate, you can create one on your host using the instructions found here: http://wiki.centos.org/HowTos/Https, which conveniently includes installation instructions as well. Again, adjust accordingly for your Linux distro.

    Step 2 - Modify Apache to enable HTTP to HTTPS redirects

    These instructions will essentially “force” visitors browsing to your ../admin.php page to use HTTPS/SSL. While you are working in the Control Panel, all your subsequent traffic will be protected as well. Note that if you have renamed your ../admin.php page, adjust the code below to reflect that:

    # vim /etc/httpd/conf/httpd.conf

    Add the following lines:

    # Send any request for the Control Panel that did not arrive over TLS to the HTTPS URL
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule /admin\.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    Save the changes and exit vim. Restart the web server:

    # service httpd restart

    Step 3 - Configure the EE Control Panel to work properly with HTTPS

    In our humble opinion, these steps should be completed with a checkbox somewhere in the EE server administration interface, but for now manual intervention is needed. (That was a hint for EE developers.) These steps are also documented in another thread here: http://ellislab.com/forums/viewthread/232869/.

    # vim /var/www/system/expressionengine/config/config.php

    Edit the cp_url parameter so that it uses HTTPS:

    $config['cp_url'] = 'https://site.com/admin.php';

    Edit the theme_folder_url so that it only specifies the correct subfolder. Oftentimes theme_folder_url is hard-coded to something like ‘http://site.com/themes/’ which will interfere with your ability to run the Control Panel completely under HTTPS/SSL:

    $config['theme_folder_url'] = '/themes/';

    Save the changes and exit vim. You should now be able to enter the URL for your ../admin.php page and have it redirected to HTTPS/SSL.

    Cheers.
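
As an added example (not code from this thread, from ExpressionEngine or from EllisLab): a small Python audit script that checks the two configuration pieces from Steps 2 and 3 above. It parses the `$config['...'] = '...';` lines of an EE config.php and the RewriteEngine/RewriteCond/RewriteRule lines of an Apache config, and reports anything that would still let the Control Panel be reached or served over plain HTTP. The function names and the sample file contents are constructed for the example; the checks assume the admin page is still called admin.php (pass another name if you renamed it).

```python
"""Audit an EE config.php and an Apache config for the HTTPS-only Control Panel setup.

Added example; not ExpressionEngine's own code. Sample inputs below are constructed.
"""
import re

# Matches simple string assignments such as  $config['cp_url'] = 'https://...';
CONFIG_LINE = re.compile(
    r"""^\s*\$config\['([^']+)'\]\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)


def parse_ee_config(php_text):
    """Return a dict of the string-valued $config entries found in config.php text."""
    return {key: value for key, _quote, value in CONFIG_LINE.findall(php_text)}


def audit_ee_config(cfg):
    """Findings for Step 3: cp_url must be https://, theme_folder_url must be a path."""
    findings = []
    cp_url = cfg.get('cp_url', '')
    if not cp_url.lower().startswith('https://'):
        findings.append(f"cp_url should start with https://, found {cp_url!r}")
    theme = cfg.get('theme_folder_url', '')
    if theme.lower().startswith('http://'):
        findings.append(
            f"theme_folder_url is an absolute http:// URL (use a path like '/themes/'), found {theme!r}")
    return findings


def audit_apache_redirect(httpd_text, admin_page='admin.php'):
    """Findings for Step 2: RewriteEngine On, and a RewriteCond on %{HTTPS}
    immediately followed by a RewriteRule that sends /<admin_page> to an https:// target."""
    findings = []
    engine_on = False
    https_cond = False      # True while the previous line was a RewriteCond on %{HTTPS}
    redirect_found = False
    for raw in httpd_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments (sample inputs have no '#' in values)
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == 'rewriteengine':
            engine_on = len(parts) > 1 and parts[1].lower() == 'on'
        elif directive == 'rewritecond':
            https_cond = (len(parts) > 2 and parts[1] == '%{HTTPS}'
                          and parts[2].lower() in ('!=on', '!on', 'off'))
        elif directive == 'rewriterule' and len(parts) > 2:
            pattern, target = parts[1], parts[2]
            try:
                # In server context the pattern is matched against the URL path with leading '/'
                hits = re.search(pattern, '/' + admin_page) is not None
            except re.error:
                hits = False
            if https_cond and hits and target.lower().startswith('https://'):
                redirect_found = True
            https_cond = False  # a RewriteCond applies only to the RewriteRule that follows it
    if not engine_on:
        findings.append('RewriteEngine is not On')
    if not redirect_found:
        findings.append(
            f'no RewriteCond %{{HTTPS}} followed by a RewriteRule redirecting /{admin_page} to https://')
    return findings


# Constructed sample files: the "before" and "after" states described in Step 3,
# and the Apache lines from Step 2.
SAMPLE_CONFIG_BEFORE = """<?php
$config['cp_url'] = 'http://site.com/admin.php';
$config['theme_folder_url'] = 'http://site.com/themes/';
"""
SAMPLE_CONFIG_AFTER = """<?php
$config['cp_url'] = 'https://site.com/admin.php';
$config['theme_folder_url'] = '/themes/';
"""
SAMPLE_HTTPD = """RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule /(admin.php) https://%{HTTP_HOST}%{REQUEST_URI} [R]
"""

if __name__ == '__main__':
    for label, text in (('before', SAMPLE_CONFIG_BEFORE), ('after', SAMPLE_CONFIG_AFTER)):
        print(label, audit_ee_config(parse_ee_config(text)) or 'OK')
    print('httpd', audit_apache_redirect(SAMPLE_HTTPD) or 'OK')
```

Run it against your real files by reading them into the two audit functions; an empty findings list means the settings match the steps above. The Apache check only confirms the redirect rule exists, so after applying it also load http://yoursite/admin.php in a browser and confirm you land on the https:// URL.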

  • #6 / Jun 03, 2014 10:11pm

    doubleclick

    43 posts

    Space Needle…thanks for this…we tried it on our end and it worked perfectly.:cheese:
