zsharp

Reputation: 13756

What is the best way to restrict access to a development website?

I have a site I am working on that I would like to display only to a few others for now. Is there anything wrong with setting up Windows user names and using Windows auth to prompt the user before getting into the development site?

Upvotes: 7

Views: 3408

Answers (6)

Andrew Bullock

Reputation: 37378

Why don't you just set up an NTFS user and assign it to the website (and remove anonymous access)?

Upvotes: -1

Mark Porter

Reputation: 1630

If you aren't married to IIS, and you need developers to be able to change the content, I would consider Apache + SSL + WebDav (aka Web Folders). This will allow you to offer a secure sandbox where developers can change and view the content without having user accounts on the server.

This setup requires some knowledge of Apache so it only makes sense if you are already using Apache or if you frequently need to provide outsiders access to your web server.

First useful link I found on the topic: http://pascal.thivent.name/2007/08/howto-setup-apache-224-webdav-under.html

Upvotes: 1

Franci Penov

Reputation: 75991

Of course, there's nothing wrong with Windows auth. There are a couple of (not too big) drawbacks, though:

  • your website auth scheme is different from the final product.
  • you are giving them more access to the box than they really need.
  • automatically reimaging the machine and redeploying the website is more complex, as you have to automate the Windows account creation.

I would suggest two alternatives:

  • to do whatever auth you plan on doing in the final website and make sure all pages require auth
  • do a token cookie based auth - send them a link that sets a particular token in a cookie and in your website code add a quick check for that token before you even go to the regular user auth

Upvotes: 1
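
The token-cookie gate suggested in the answer above, sketched as WSGI middleware. This is an added example, not code from the answer or from any poster in this thread. The token value, cookie name and `/_preview` invite path are constructed assumptions, and the `Secure` flag assumes the site is served over HTTPS.

```python
import hmac
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs

# Constructed sample values (assumptions, not from the answer). In real use,
# generate the token with secrets.token_urlsafe(32) and load it from config.
PREVIEW_TOKEN = "constructed-sample-token-change-me"
COOKIE_NAME = "dev_preview"
INVITE_PATH = "/_preview"


def token_ok(candidate):
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(candidate.encode(), PREVIEW_TOKEN.encode())


def cookie_token(environ):
    # A malformed Cookie header is treated the same as no cookie at all.
    try:
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return ""
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else ""


class PreviewGate:
    """WSGI middleware that runs before the wrapped app and its own login."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == INVITE_PATH:
            # Invite link: /_preview?t=<token>. Set the cookie, then redirect
            # so the token does not stay in the address bar.
            supplied = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
            if token_ok(supplied):
                cookie = (f"{COOKIE_NAME}={PREVIEW_TOKEN}; Path=/; "
                          "HttpOnly; Secure; SameSite=Lax")
                start_response("303 See Other",
                               [("Location", "/"), ("Set-Cookie", cookie)])
                return [b""]
        elif token_ok(cookie_token(environ)):
            return self.app(environ, start_response)
        # No valid token: answer 404 so the site's existence is not advertised.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not found"]
```

Rotating `PREVIEW_TOKEN` revokes every outstanding invite link and cookie at once.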

gregmac

Reputation: 25271

There are several ways, with varying degrees of security:

  • Don't put it on the internet - put it on a private network, and use a VPN to access it
  • Restrict access with HTTP authentication (as you suggest). The downside to this is it can interfere with the actual site, if you are using HTTP auth, or some other type of authentication as part of the application.
  • Restrict access based on remote IP. Just allow the IPs of users you want to be able to access it.
  • Use a custom hostname. Have it on a public IP, but don't publish the hostname. This means make an entry in your HOSTS file (or configure your own DNS server, if possible) so that "blah.mysite.com" goes to the site, but that is not available on the internet. Obviously you'd only make the site accessible when using that hostname (and not the IP).

Upvotes: 7

ChrisW

Reputation: 56113

That depends on what you mean by "best": for example, do you mean "easiest" or "most secure"?

The best way might be to have it on a private network, which you attach to via VPN.

Upvotes: 2

William T Wild

Reputation: 1032

I do this frequently. I use Hamachi to allow them to access my dev box so they can see what's going on. They have access to it when they want, and/or when I allow. When they are done I evict them from my Hamachi network and change the password.

Hamachi is a software VPN. Here's a link to Hamachi - AKA LogMeIn

Hamachi

They have a free version which works quite well.

Upvotes: 1
