I'm trying to work out what the best way to secure my staging environment would be. Currently I'm running both staging and production on the same server.
The two options I can think of would be to:
Use rails digest authentication
I could put something like this in the application_controller.rb
# Password protection for staging environment
if RAILS_ENV == 'staging'
before_filter :authenticate_for_staging
end
def authenticate_for_staging
success = authenticate_or_request_with_http_digest("Staging") do |username|
if username == "staging"
"staging_password"
end
end
unless success
request_http_digest_authentication("Admin", "Authentication failed")
end
end
This was ripped from Ryan Daigle's blog. I'm running on the latest Rails 2.3 so I should be free from the security problem they had with this.
Use web server authentication
I could also achieve this using .htaccess or apache permissions, however it makes my server provisioning slightly more complex (I'm using Chef, and would require different apache configs for staging/production).
For now I have the first one implemented and working, do you see ay problems with it? Have I missed something obvious? Thanks in advance!
bumping this to help others, like myself as I read this before settling on an similar, but cleaner solution.
I wrote a short blog post about it.
I would go with the http basic authentication, I see no inherent problems with it.
If you are deploying with multi-staging environments and so you have production environment and staging environment, you only need to add these lines to config/environments/staging.rb
By doing so, you don't need to configure Apache.
I am using Ruby 2 with Rails 4 and it works like a charm!