Our workflow currently has developers working on locally hosted copies of our web application with SVN for source control. We have post-commit hooks that deploy each new revision to a designated staging environment running on a subdomain.

My question is, what is the best way to restrict access to these staging sites so that they can't be stumbled across or, God forbid, indexed by search engines?

We'd really like to avoid anything IP based, as we have remote developers working unavoidably from dynamic IPs.

I have some initial ideas such as a simple form that you can hit with login credentials to either a) give you an access cookie that's checked for when running in the staging environment, or b) register your current IP address as allowed for a determinate length of time.

If anyone can share ideas, previous experience or best practice, it would be very much appreciated.

+6  A: 

If you're using Apache, a simple and very basic protection should be an .htaccess file. If this doesn't satisfy your needs for security, you should think about implementing your own security mechanism.

The best solution is to put your staging server in a closed network and only allow access via a secure VPN.

Henrik P. Hessel
The .htaccess approach would be ideal, yes. The root .htaccess file is under version control, however. I wonder, is there a way to make this hostname-specific so it only applies when running in 'staging mode'?
WibblePoop
@WibblePoop: if you modified the .htaccess file locally on your staging server, the new versions checked out from SVN should leave that file modified. You'd only have to deal with it manually if there was a conflict.
rmeador
@rmeador: Thanks for the explanation, I wasn't sure if this would be the case and hadn't tried it in any case. The issue is that the .htaccess file also contains rewrite rules which we'd need to carry forward on commits, hence I don't think this would work.
WibblePoop
A: 

You can make that page accessible only on your company network and use LDAP or something similar to allow people access.

That sub domain can be made accessible over a VPN. OpenVPN is an option you can look into.

sheki
+2  A: 

You could wrap your web application with an Apache (lighttpd, etc.) webserver and use the .htaccess file to restrict access to named users that have to log in with a password.

tangens
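
The hostname-specific .htaccess raised in the comments on the first answer, as an added example that is not from any of the posters: a single version-controlled file that keeps the shared rewrite rules and turns on password protection only for the staging host. It assumes Apache 2.4 or later; the hostname `staging.example.com` and the password file path are placeholders.

```apache
# Added example. Hostname and file paths are placeholders (assumptions).
# Needs Apache 2.4+ for <If>, plus mod_auth_basic, mod_authn_file
# and mod_headers.

# The existing rewrite rules stay where they are and apply on every host,
# so they keep flowing through SVN commits unchanged.
# RewriteEngine On
# ...

# Everything inside this block applies only to requests for the staging
# hostname. HTTP_HOST is taken from the client's Host header (and carries
# the port if a non-default one is used), so the staging virtual host
# should answer only for its own ServerName and must not be the server's
# catch-all default vhost.
<If "%{HTTP_HOST} == 'staging.example.com'">
    AuthType Basic
    AuthName "Staging"
    # Password file lives outside the document root and outside SVN;
    # create it on the staging server with the htpasswd utility.
    AuthUserFile "/etc/apache2/staging.htpasswd"
    Require valid-user

    # Ask crawlers not to index staging. "always" also covers the
    # 401 response sent before login.
    Header always set X-Robots-Tag "noindex, nofollow"
</If>
```

Basic authentication sends the password with every request in easily decoded form, so serve the staging subdomain over HTTPS only.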