Deny access to site in development, locally and remote

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm


Post by matthijs »

After developing a site locally, the next stage is putting it on the real server but only allowing access to myself or a limited number of people. Using htaccess seems like a convenient thing to do that.

However, what is the correct way to do that if I want to use the same htaccess file locally as well as on the remote server? The reason I'd like to use the same file is to be able to update all files/synchronize all files without having to think about which file to update and which not.

Something like this?

Code:

 
# deny all except those indicated here
<Limit GET POST PUT>
 order deny,allow
 deny from all
 allow from 127.0.0.1
 allow from localhost
 allow from 12.345.678.987
</Limit>
In which I put my real IP in place of 12.345.678.987.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Deny access to site in development, locally and remote

Post by Maugrim_The_Reaper »

Have you ruled out HTTP digest authentication on the public server? Easy to configure, manage and remove for a small group of people. If it's really sensitive stuff, then limit by IP (just watch out for anyone without a static IP from their ISP). Kind of depends who the people are - internal folk or other parties.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Deny access to site in development, locally and remote

Post by matthijs »

Maugrim_The_Reaper wrote: Have you ruled out HTTP digest authentication on the public server? Easy to configure, manage and remove for a small group of people. If it's really sensitive stuff, then limit by IP (just watch out for anyone without a static IP from their ISP). Kind of depends who the people are - internal folk or other parties.
Never heard of digest authentication, will have to look it up.

Mostly I will use this only to give access to myself. Maybe in some cases also a client (one or a few people).
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Deny access to site in development, locally and remote

Post by Maugrim_The_Reaper »

It's like HTTP Authentication: Basic Access - only the passwords are sent hashed. I should have used the full proper name (see mod_auth_digest for Apache). Easy to set up and configure within a Location or VirtualHost section of Apache's conf without storing the passwords within the app directory tree.
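
Added example, not part of the thread and not either poster's configuration: the two approaches discussed above (IP allow-list and mod_auth_digest) combined in the server's own configuration, so the synchronized site tree carries no access rules at all. It assumes Apache 2.4 `Require` syntax; the host name, paths, realm and the address 203.0.113.10 are placeholders.

```apache
# Staging vhost on the remote server (all names and paths are placeholders).
<VirtualHost *:80>
    ServerName staging.example.test
    DocumentRoot "/var/www/staging/public"

    # Rules sit directly in <Location>, not inside <Limit GET POST PUT>,
    # so they apply to every HTTP method rather than only the listed ones.
    <Location "/">
        AuthType Digest
        AuthName "staging"
        AuthDigestDomain "/"
        AuthDigestProvider file
        # Credential file lives outside DocumentRoot, so it is never
        # part of the files that get uploaded or synchronized.
        AuthUserFile "/etc/apache2/auth/staging.digest"

        # Any one of these is enough to be let in:
        <RequireAny>
            # Loopback requests (same machine) pass without a prompt.
            Require local
            # A known static address passes without a prompt.
            Require ip 203.0.113.10
            # Everyone else must log in with a digest account.
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

Create the credential file with `htdigest -c /etc/apache2/auth/staging.digest "staging" username`; the realm argument must match `AuthName`. mod_auth_digest relies on MD5, so serve the staging host over HTTPS as well.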