Securing online Dev Environment

scud, Expert Member, Cape Town, SA
I'm looking for a neat way to protect my development / staging servers from public access.
I work remotely, so they need to be online, as do my team.
In a nutshell, I want to lock down access to http / https "public" traffic so that the public can't hit the application login screens etc.

We use mostly Linux - Apache / Nginx and MySQL.

Have tried .htaccess / .passwd but it won't work, as this causes conflicts.
We could firewall whitelist our remote IP addresses but it's a pain because these keep changing.
Have tried using obfuscation with different ports but that's not ideal.

Was thinking about setting up a VPN server, and configuring it to allow access through to the dev servers in the local network.
Just not sure if this is achievable.
All the servers are VMs and can be linked locally.

Anyone here know of a simple solution/approach, and one that is "open source"?

many thanks
 
If you are also using *nix based client machines (Linux/Macs) you can set up ssh tunnels with a one-liner which will forward remote ports to your localhost...
 
Thanks stricken, that could work but some guys are on Windows.
I tried something similar a while ago:

ssh -D xxxx user@ipaddress -p 22, then configuring a browser to use 127.0.0.1:xxxx as a proxy.

But now I'm thinking VPN may be best, just never set one up before.
damn, there goes the weekend :)
 

Windows and RDP work very well over SSH tunnelling, and you can add the tunnel to something like Remote Desktop Manager to chain the login, even making it double auth with SSH key + password.

You can use these SSH machines as central jumpboxes, keeping maintenance low.
 
To give a better example:
Say I have a copy of a client site running WordPress on Linux, for development purposes only.
It contains sensitive data, so I don't want the client to ever find this "copy" is publicly available.
Even though it is secured with a frontend login etc., it is still identifiable as the client's site, and exposed to the world.

But various developers still need access to the site's frontend as well as MySQL on 3306, as well as ssh for scripts / sftp etc. And they also have different OSes: Windows / Linux / OS X.

So my thinking is all the dev servers could sit on various servers, only accessible through a single VPN / firewall.
So only when you access via VPN can you then access the other VMs.

I'm going to have to just try it out with OpenVPN / iptables, and overcome my extreme networking dyslexia / paranoia.
 
What exact issues do you have with htaccess/htpasswd?

I don't see how this causes an issue, especially on nginx where you just make the base server config use htpasswd.

We have been doing this for years as a simple way to solve this issue.
 
When I configure htpasswd I get issues with web services, so mobile apps won't log in & SSO complains.
The main issue seems to be with web services though, as we rely on these internally.
So generally lots of unintended consequences and errors.
 
Ok. I think you will need to approach each of the requirements in isolation.

For the WordPress sites, definitely htpasswd/basic auth.

For MySQL, DO NOT bind to 0.0.0.0. This should only be 127.0.0.1. Assuming these are self-hosted on servers that have ssh access, and ssh is restricted to private/public keys, you can still access these MySQL instances using a client on the developer's machine over SSH.

On the webservices, thinking about this more, basic auth should still work fine.

At the end of the day, defining an endpoint in the 2 following ways is identical.
vs

Something/someone connecting to these services needs to know a secret. Whether that secret is an ssh key, VPN credentials, or a username/password does not really make much of a difference at a basic level.
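One way to combine the two approaches discussed in this thread (VPN for the developers and their apps, basic auth for everyone else) in a single nginx server block. This is an added example, not configuration posted by anyone in the thread; it assumes an OpenVPN client subnet of 10.8.0.0/24 that reaches nginx routed rather than NATed, and placeholder hostname, certificate, socket and password-file paths.

```nginx
# Added example (not from the thread). Developers arriving over the VPN
# (assumed subnet 10.8.0.0/24) are admitted by source IP; anyone else
# must present HTTP basic-auth credentials. "satisfy any" means passing
# either check is enough, so mobile apps and internal web services that
# come in over the VPN never receive a 401 from basic auth.
server {
    listen 443 ssl;
    server_name staging.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/staging.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/staging.key;

    # Access-module check: VPN clients and the box itself are allowed,
    # everything else is denied unless auth_basic below succeeds.
    satisfy any;
    allow 10.8.0.0/24;    # assumed VPN client subnet (routed, not NATed)
    allow 127.0.0.1;
    deny  all;

    # Auth-module check for non-VPN clients.
    auth_basic           "Staging - restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder path

    root  /var/www/staging;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock; # placeholder socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# Plain HTTP only redirects; nothing identifying the site is served on 80.
server {
    listen 80;
    server_name staging.example.internal;
    return 301 https://$host$request_uri;
}
```

The password file is created with the htpasswd tool from apache2-utils, e.g. `htpasswd -B -c /etc/nginx/.htpasswd devuser` for a bcrypt hash.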
 
Is it running in a Docker container(s)? If so, look up Traefik reverse proxy.

Traefik doesn't really solve anything here; it just exposes everything on that Traefik network on the same port, and makes it simple to add basic auth to each service.

But I agree that everyone using Docker should use Traefik :) it even works great as Ingress on K8S.
 
What about just not pointing a public DNS record at the server? Instead, hard-code the domain name into your local router or hosts file.
 
CHR (Public and Private IP (subnet)) -> PPTP tunnel -> Access to Private subnet (Where your VMs live)
 