views:

471

answers:

2

How would you secure access to the admin area for a web app?

Our Rails CMS serves pages publicly. I would like to make the backend (/admin) inaccessible using either the web server (Apache) or the firewall (netfilter).

Could this be done using an SSL certificate? I would like to limit access to the backend to only those who have the "key", similar to SSH access to a server.

Thanks in advance.

+1  A: 

DON'T use the firewall, you'll just complicate your implementation. The "correct" approach is to use .htaccess or set up authorisation in Apache Directory configuration.

It sounds like you want SSLRequire

# Server-wide default: do not ask for a client certificate.
SSLVerifyClient      none
<Directory /usr/local/apache/htdocs/secure/area>
    # In this directory the client must present a certificate...
    SSLVerifyClient      require
    SSLVerifyDepth       5
    # ...that chains to a CA listed in this file / directory.
    SSLCACertificateFile conf/ssl.crt/ca.crt
    SSLCACertificatePath conf/ssl.crt
    # Derive a Basic-auth username from the client cert's subject DN.
    SSLOptions           +FakeBasicAuth
    # Refuse plain-HTTP access to this area.
    SSLRequireSSL
    AuthName             "Snake Oil Authentication"
    AuthType             Basic
    # With FakeBasicAuth the password for every entry is the fixed "password" hash.
    AuthUserFile         /usr/local/apache/conf/httpd.passwd
    require              valid-user
</Directory>

Howto: http://eregie.premier-ministre.gouv.fr/manual/mod/mod_ssl/ssl_howto.html

SpliFF
+1  A: 

You're absolutely right that an SSL cert is the way to go. And it's not really all that tricky to set up, though it's rarely done.

It's important to remember that this problem has two components. The first is, "how do I get the darn thing working at all," and, this being a security system, the second is, "how do I set it up so that I'm not likely to accidentally do something that borks my security?"

The first thing I would suggest is to write a separate Rails application for the admin stuff, and run it with a different web server on a different port. (If you really want to avoid putting a port number in the URL for the admin site, use a proxy in front of both web servers that uses the Host: header to redirect requests for foo.com to one server, and admin.foo.com to the other.) This separation will help ensure that you don't accidentally give regular users access to admin functionality, and make the SSL setup easier.

For the admin server, set it up for SSL access only. Create a new signing cert, and allow only certificates signed by the signing cert to connect. (This is web-server dependent; if you really need details on how to do this, you probably want to post a new question giving the specifics of the server and configuration you're using.) You can set up a page (on the non-SSL site, or on a page accessible to non-authenticated users on the SSL site) that will have your admins' web browsers automatically generate and upload a certificate that you can sign which will give them access.

Keep copies of all the certs you sign so that when you need to revoke access, you can put that cert in the revocation list.

Curt Sampson
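Putting the two answers together, here is an added Apache 2.4 configuration sketch (not from either answer) for the layout Curt describes: the admin app runs as its own Rails process on a local port, is reached only through a dedicated admin vhost, and that vhost accepts only clients holding a certificate signed by your own admin CA, with a CRL so individual certs can be cut off. Hostnames, ports and file paths are placeholders; it assumes mod_ssl, mod_proxy_http and mod_headers are loaded.

```apache
# Added example, not from the original answers. Placeholders throughout:
# admin.example.com, port 3001, and every path under /etc/ssl/.

# Admin vhost: TLS only, client certificate required, proxied to the
# separate admin Rails process bound to 127.0.0.1:3001.
<VirtualHost *:443>
    ServerName              admin.example.com
    SSLEngine               on
    SSLCertificateFile      /etc/ssl/certs/admin.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/admin.example.com.key

    # Only certificates signed directly by our private admin CA get in.
    SSLVerifyClient         require
    SSLVerifyDepth          1
    SSLCACertificateFile    /etc/ssl/admin-ca/ca.crt

    # Revocation: keep a CRL so a lost or retired cert can be blocked
    # without reissuing the CA (regenerate the CRL when you revoke).
    SSLCARevocationFile     /etc/ssl/admin-ca/crl.pem
    SSLCARevocationCheck    chain

    # Optional extra gate on a field of the presented certificate.
    <Location />
        Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp Admins"
    </Location>

    # Hand the verified subject DN to the Rails app so it can map the
    # certificate to an admin user instead of running its own login.
    RequestHeader set X-Admin-DN "%{SSL_CLIENT_S_DN}s"
    ProxyPreserveHost       On
    ProxyPass               / http://127.0.0.1:3001/
    ProxyPassReverse        / http://127.0.0.1:3001/
</VirtualHost>

# Public site: make sure /admin is simply not served here at all.
<VirtualHost *:80>
    ServerName              example.com
    DocumentRoot            /var/www/public
    <Location /admin>
        Require all denied
    </Location>
</VirtualHost>
```

The public Rails process should not mount the admin routes at all; the `Require all denied` block is a backstop, not the primary control.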