I have started working on a new website. I would like to put it on the server so that some people can see it, but it is not publicly available. I put it on the server, removed the DNS record on the server, and edited the .hosts file on the machines which need access to this site. May I ask whether this is a good implementation, and is there any compromise? Thanks!
Is there any compromise with this setup tho? – Terry Dec 08 '10 at 11:51
4 Answers
Use HTTP (basic/db/digest) authentication (Apache: http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html, IIS: http://msdn.microsoft.com/en-us/library/aa292114%28VS.71%29.aspx, etc)
Your solution above would only sort of hide your server. The IP address would still be accessible to the world. It also wouldn't remain hidden for long, since automated port scans (such things are just background noise on the internet) will pick it up pretty quickly. In fact, I wouldn't be surprised if Google had it indexed within a week... To be clear: It should not be considered a meaningful security measure.
The password setup given above is your best route. You can also restrict access based on the IP address of the clients ( http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html ). This is only useful if you know that the authorized people will be coming from predictable locations; and should be used in tandem with passwords, rather than instead of them.
I have followed this http://cloudsites.rackspacecloud.com/index.php/How_can_I_password_protect_my_website%3F to create a .htaccess and .htpasswd, would I need a php login page? – Terry Dec 08 '10 at 12:50
No. The request for Basic Auth is something sent by the server to the browser. All browsers know how to handle that request and typically present a login box. Once a user logs in, they stay logged in for as long as the browser is open. (Once given, the browser will automatically send the username and password with every subsequent request and then 'forgets' them when you close it.) – SmallClanger Dec 08 '10 at 13:30
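The "in tandem with passwords, rather than instead of them" advice from the answer above, as an added Apache 2.2 `.htaccess` sketch (not part of the original posts). The `AuthUserFile` path, the realm name and the `203.0.113.0/24` range are placeholder assumptions.

```apache
# .htaccess for the unpublished site (Apache 2.2 syntax, matching the
# mod_auth_basic / mod_authz_host documentation linked in the answers).

# --- Password requirement (mod_auth_basic) ---
AuthType Basic
AuthName "Staging site"
# Placeholder path: keep the password file outside the document root
# so it can never be served as content.
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user

# --- Source address restriction (mod_authz_host) ---
# Deny everyone, then allow only the known client range.
# 203.0.113.0/24 is a documentation range used here as a stand-in.
Order deny,allow
Deny from all
Allow from 203.0.113.0/24

# --- How the two checks combine ---
# WEAK: with "Satisfy Any", passing EITHER check is enough, so any
# client inside the allowed range gets in without a password, and any
# client with a password gets in from anywhere.
# Satisfy Any

# CORRECTED: "Satisfy All" requires BOTH an allowed address AND valid
# credentials. This is the 2.2 default, but stating it explicitly stops
# a parent directory's "Satisfy Any" from being inherited silently.
Satisfy All
```

Basic credentials are sent base64-encoded, not encrypted, on every request, so this should be served over HTTPS.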
Most of the options provided are correct but you could hide it in plain sight if you don't have anything sensitive.
Don't put a sitemap and don't link any other page to the landing page. This way no crawler would be able to crawl your site and unless the person accessing your site knew the exact URL, he wouldn't know how to get there.
When doing this, don't name your landing page index.{html,php,py,pl}