views:

201

answers:

1

I'm trying to work out what the best way to secure my staging environment would be. Currently I'm running both staging and production on the same server.

The two options I can think of would be to:

Use rails digest authentication

I could put something like this in the application_controller.rb

# Password protection for staging environment
if RAILS_ENV == 'staging'
  before_filter :authenticate_for_staging
end

def authenticate_for_staging
  success = authenticate_or_request_with_http_digest("Staging") do |username|
    if username == "staging"
      "staging_password"
    end
  end
  unless success
    request_http_digest_authentication("Admin", "Authentication failed")
  end
end

This was ripped from Ryan Daigle's blog. I'm running on the latest Rails 2.3 so I should be free from the security problem they had with this.

Use web server authentication

I could also achieve this using .htaccess or apache permissions, however it makes my server provisioning slightly more complex (I'm using Chef, and would require different apache configs for staging/production).


For now I have the first one implemented and working, do you see ay problems with it? Have I missed something obvious? Thanks in advance!

+1  A: 

I would go with the http basic authentication, I see no inherent problems with it.

Ryan Bigg
This is what I ended up doing. It has worked a treat for the last 3 months.
jonnii