How to restrict access to a staging environment

Question

Our workflow currently has developers working on locally hosted copies of our web application with SVN for source control. We have post-commit hooks that deploy each new revision to a designated staging environment running on a subdomain.

My question is, what is the best way to restrict access to these staging sites so that they can't be stumbled across or god forbid indexed by search engines?

We'd really like to avoid anything IP based, as we have remote developers working unavoidably from dynamic IPs.

I have some initial ideas such as a simple form that you can hit with login credentials to either a) give you an access cookie that's checked for when running in the staging environment, or b) register your current IP address as allowed for a determinate length of time.

If anyone can share ideas, previous experience or best practice it would be very much appreciated

Answer 1

If you're using Apache a simple and very basic protection should be an .htaccess File. If this doesn't satisfy your needs for security, you should think about implementing your own security mechanism.

The best solution is to put your staging server in a closed network and only allow access via a secure VPN.

Answer 2

You could wrap your web application with an apache (lighttpd, etc.) webserver and use the .htaccess file to restrict access to named users that have to login with password.

Answer 3

You can make that Page accessible only on your Company network and use LDAP or something similar to allow people access.

That sub domain can be made accessible over a VPN. OpenVPN is an option you can look into.

Answer 4

For Heroku and Ruby devs: See this answer for securing staging environment: Password protecting a rails staging environment