Is there a good way to secure access to an entire staging server?
I have a staging server and a production server that host multiple sites (using Apache 2.2). Currently, I have the DNS pointing stage.domainX.com to the staging server and *.domainX.com pointing to the production server.
Everything seems to be working pretty well, but I would like to be able to secure access to the staging server. So, unless it is the right person, someone trying to enter stage.domainX.com should be disallowed (and, if possible, go to the production server).
And I wanted to use a domain name instead of an IP because I want the clients to be able to view the staging site in a friendlier way (instead of memorizing an IP address).
Is there a good way to handle this? Or, am I handling the staging domain name process in an unusual way?
P.S. I've actually wanted to manage this through ports, but I haven't figured out a way to do it. Like, domainX.com:80 (standard) goes to production and domainX.com:9000 goes to staging. Haven't found a way to do this in DNS though (using GoDaddy's nameservers/zones).
Using Apache you can simply set up your staging server's Allow and Deny directives to restrict access to authorized IP addresses. Alternatively, you can put the entire thing behind HTTP Authentication (username/password, or client certificates if you want to get really fancy).
Bonus points for using a custom "unauthorized" error page to redirect people to the production site.
Configuring Apache to serve the staging site on a different port is also an option, but this is just "security through obscurity" like using the stage.domainX.com domain -- it doesn't stop anyone from finding the staging site if they go looking.
<rant>
Note that changing the port IS NOT something you do with DNS - it's a webserver configuration thing (See the Apache manual for details). DNS has NO CONCEPT of port numbers, it's just a name-to-IP (or IP-to-name) mapping* -- pet peeve.
* There are some limited exceptions, like SRV records, but we're talking about Address and CNAME records
</rant>
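Added example (not from the answer above): an Apache 2.2 virtual host that implements the IP allow-list plus the "bonus points" redirect. Requests from addresses outside the list are refused with 403, and because ErrorDocument is given a full URL rather than a local path, Apache answers with a redirect to the production site instead of an error page. The addresses 192.0.2.10 and 198.51.100.0/24 are placeholders from the documentation ranges; substitute your office and client addresses.

```apache
# Required once in Apache 2.2 for name-based virtual hosts on port 80
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName stage.domainX.com
    DocumentRoot /var/www/stage.domainX.com

    <Location />
        # deny,allow: everything is denied unless a later Allow matches
        Order deny,allow
        Deny from all
        # Placeholder addresses: your office and your client's office
        Allow from 192.0.2.10
        Allow from 198.51.100.0/24
    </Location>

    # A full URL here makes Apache send a 302 to the production site
    # instead of rendering a 403 page, so uninvited visitors land on
    # the live site rather than on an error
    ErrorDocument 403 http://domainX.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName domainX.com
    ServerAlias *.domainX.com
    DocumentRoot /var/www/domainX.com
</VirtualHost>
```

Two things to check after applying this: the production vhost needs the ServerAlias (or its own explicit names) so that hostnames other than stage.domainX.com are not caught by whichever vhost is listed first, and the redirect only hides the staging site from casual visitors; anyone who knows the hostname still learns that it exists, which is the "obscurity" point made above.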
I've used an Apache setup like the following successfully in the past; it allows certain listed IP-addresses to freely access the staging site without supplying Basic-Authentication credentials (e.g. you could add the IP-addresses of your-office and your-client's-office), but still allows for password-based access if the client is out-of-office, for example.
```apache
# Apache 2.2 needs this before name-based <VirtualHost *:80> blocks
# (omit if it is already set elsewhere in your configuration)
NameVirtualHost *:80

# Set the NOAUTH environment variable for certain IPs that are allowed without credentials.
# Remote_Addr is matched as a regular expression, so anchor it and escape the dots;
# an unanchored "11.22.33.44" would also match e.g. 111.22.33.445
SetEnvIf Remote_Addr ^11\.22\.33\.44$ NOAUTH=1

# Staging
# (note: the first <VirtualHost> is also the default for requests whose Host
# header matches none of the configured names)
<VirtualHost *:80>
    ServerName stage.domainX.com
    DocumentRoot /var/www/stage.domainX.com

    # Access restrictions
    <Location />
        Order allow,deny
        # Anyone with the NOAUTH environment variable is allowed
        Allow from env=NOAUTH

        # Anyone that has valid credentials is allowed
        # (create the file with: htpasswd -c /etc/apache2/staging.domainX.com.passwd <user>)
        AuthType Basic
        AuthName "DomainX Staging"
        AuthUserFile /etc/apache2/staging.domainX.com.passwd
        Require valid-user

        # Either of the above is fine
        Satisfy Any
    </Location>

    # ... other directives ...
</VirtualHost>

# Production
<VirtualHost *:80>
    ServerName domainX.com
    DocumentRoot /var/www/domainX.com

    # ... other directives ...
</VirtualHost>
```
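Added example, not part of the answer above: the same "known IP or valid password" rule written for Apache 2.4, where Order, Allow/Deny and Satisfy are replaced by the Require directives of mod_authz_core. The behaviour is the one the 2.2 block implements: a request passes if it comes from the listed address or carries valid Basic credentials. The address 11.22.33.44 and the password file path are the placeholders used above.

```apache
<VirtualHost *:80>
    ServerName stage.domainX.com
    DocumentRoot /var/www/stage.domainX.com

    <Location />
        AuthType Basic
        AuthName "DomainX Staging"
        AuthUserFile /etc/apache2/staging.domainX.com.passwd

        # RequireAny is the 2.4 equivalent of "Satisfy Any":
        # either condition on its own grants access
        <RequireAny>
            # Placeholder address; a CIDR such as 198.51.100.0/24 also works
            Require ip 11.22.33.44
            # Anyone who authenticates against AuthUserFile
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

In 2.4 `Require ip` matches the address exactly (no regular expression), so the anchoring concern from the SetEnvIf version does not apply, and NameVirtualHost is no longer needed. Mixing the old Allow/Deny syntax with Require in the same 2.4 configuration is a common source of confusing behaviour; use one style per server.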