Hello,

We are a small shop (1 1/2 developers) running our organizations sites. The sites are mostly content, but are beginning to have small database apps. When I arrived, there was no formal development or staging environment, so I'm trying to get that set up.

We have no servers on site...we have dedicated virtual through Media Temple as our host. My thought was to just use a separate domain for development.

My question is: Right now, another domain would be open for anyone to look at if they found it. Because we'll be using it to develop applications, we clearly don't want people able to get there before we've written fully well-thought-out and secure code. Is there a way to stop other people from accessing the server while still letting me access it?

Also, what are people's thoughts on best practices for dev servers? (I've worked in an extremely large organization before where we had development, test, beta, and production. But that's beyond the needs we have right now.)

Thanks!

I did not know you could have One and One-Half developers.

If you want a development environment look into XAMPP, It's a server emulator (type thing) that lets you run PHP scripts, MySQL stuff and loads of other things on your localhost.

For dev servers, put them at the top security setting (so your scripts have to do lots of checks ETC) and keep them off the internet unless it's really needed (Someone could see whats you doing and copy).

OK, one thing I should add--we don't have admin rights to our computers (LOL) because our over-arching department is extremely paranoid and we are not allowed to have WAMP or any server software on our computers.

This sucks, but it's because we're not part of their main IT group, which develops in Java, and has their own servers. We're kind of the neglected stepchild, and we are thus hosting externally.

So me having WAMP or XAMPP is not possible. Crazy, but that's the way it is.

So any other ideas would be very helpful.

Actually, if someone would like to give me a well-explained reason why it's really ok to have WAMP or XAMPP on my computer (how i can ensure that it is secure and not going to open up their network to a breach), maybe I can argue my case.

The head of IT said...that's server software and we can't have it on any desktop machines (their developers use the Eclipse IDE to develop their java apps).

This is just not my strong point...I've never had to be so do-it-yourself with infrastructure issues...we always had good IT infrastructure at other jobs.

Basic argument: if you have a server set up on your desktop there and someone from the outside world can access it, that means you have no firewall protecting your internal network.

That is to say, an open HTTP server is the ABSOLUTE LEAST of your worries!

No-one should be able to access your internal/desktop server from outside unless your network admins have an IQ of around 60.

OK, I'll try that approach. Now pardon my ignorance please, but if anyone has any suggestions on how to secure an external server (we have an offsite developer as well, so it will be good to have a place where we can test out our combined code before pushing it to production).

I don't know about anyone else, but if it were me, I would only ever use an external development server as my final test before pushing something live.

Depending on the quality of your network admins, there is nothing stopping them from setting up a VPN so your external developer could make a (secure) connection to your internal network and work on the exact same internal server that you do.

I agree that that makes the most sense. However, I'm not going to get support from the network admins here. Trust me, it's a strange situation of departmental politics. And within that context, I gotta get a website up, and need a place to test it out first (as well as show it to co-workers occasionally).

So, assuming I need to use an external server, can anyone help me figure out a decent secure way to do this? We're not talking super-critical applications here, but still don't want our site hacked and database compromised, etc.

The second best thing i can recommend is *I guess* is buying some cheap hosting (a few 100MB should do) and working with that.

I'm on a developer server right now, they cost a bit (not many people use them) but you get a lot for your money (Think of it like bulk buying)...I hate to make a sales pitch, but if you want some on the cheap, give me a bell

Right, I have hosting...the question is how to make the domain not publicly available, but still let me and a few other folks view it.

It's Apache...I used to work in a windows environment and there was a windows security solution.

Oh, Httaccess would do you fine. In other words, password protect the directory

What I like to do is something like:

mydomains.com/projects/project_name/gamma
mydomains.com/projects/project_name/beta
mydomains.com/projects/project_name/alpha

this way, all you gotta do is password protect 'projects'.

Also, an above post said that http servers on your local is a big dodgy. I've currently got a 2 firewall setup:
1 - redirects to another page...or redirects to me
2 - makes you answer some questions if my server is on, or denies access. I best also point out. It's only allowed access to one folder.

That's great! That's the info I was looking for. I'm searching on .htaccess and password protection and finding what i need.

Thanks so much!

**** i been reading and he got there first

Also i would say set up a sub domain like dev.domain.com and if you have cPanel with your host you can easily do the htaccess password through the panel nice and easy.

well, actually, that would be good to do it through the control panel. I have plesk, but haven't seen anywhere on there to password protect directories. Do you know where it is in plesk?

All the password protection i've come across there is for setting up users to access plesk itself.

actually, i think i just found it. Thanks for the tip!!

Glad i could help, Btw if you would like cPanel talk to me