I have a dedicated server running Linux.
The operating system runs the following (let's call them) components:
- PostgreSQL
  - Access rule: only staff (and local access, of course)
- Apache
  - Sites
    - Public site: everyone
    - Private site: only staff
The staff reaches these components via WAN, and I'd like to know which is the best, easiest, and most flexible way to apply these access rules (also centralized, so I don't have to configure every component).
Of course the server will run much more stuff, but I think I'll manage once I have a solution for the above.
I thought about some ways, though:
- VPN: This won't work, as I have a public thing that has to be available to the world, and it seems a bit complicated to me too… I don't know.
- LDAP auth: This seems to be the best, but I only know the definition of LDAP.
What are your guesses, guys?
Would you recommend any good readme to me?
VPN is your best solution. It is widely used in exactly the same scenario – Postgre and the private site are on 192.168.x.x addresses (you can configure this using virtual interfaces, e.g. eth0:0 and then tell them to listen only on this interface), the public site is on a real public IP address. When the staff connects via VPN, they also get a 192.168 IP address and have authenticated and encrypted access to all internal components – otherwise, only the public site can be accessed. If you can afford additional resources, the best solution is a de-militarized zone (http://en.wikipedia.org/wiki/DMZ_%28computing%29). There are other solutions, but none that work with Windows clients out-of-the-box.
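An added example, not part of the answer above, for the PostgreSQL half of that layout: a POSIX shell audit of `postgresql.conf` and `pg_hba.conf` that flags a database listening on anything other than loopback and the 192.168.x.x virtual-interface address, or accepting remote logins from anywhere. The sample files, their names and the 192.168.10.x addresses are constructed for the example.

```shell
#!/bin/sh
# Audit PostgreSQL bind settings for the layout above: listen only on loopback
# plus the 192.168.x.x virtual-interface address, and accept remote connections
# only from that subnet. File paths are passed as arguments.
# Returns 0 if every entry in listen_addresses is loopback or 192.168.*,
# 1 if a wildcard ('*', '0.0.0.0', '::') or any other address appears.
check_listen_addresses() {
    line=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | tail -n 1)
    if [ -n "$line" ]; then
        value=$(printf '%s\n' "$line" | sed -E "s/^[^=]*=[[:space:]]*'([^']*)'.*/\1/")
    else
        value=localhost   # PostgreSQL's default when the setting is absent
    fi
    IFS=','; set -f; set -- $value; set +f; unset IFS   # split on commas, no globbing
    for addr in "$@"; do
        addr=$(printf '%s' "$addr" | tr -d ' ')
        case "$addr" in
            localhost|127.0.0.1|::1|192.168.*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 unless a host rule in pg_hba.conf opens the database to any
# address (0.0.0.0/0 or ::/0) or uses the password-less "trust" method.
check_pg_hba() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        $1 ~ /^host/ && ($4 == "0.0.0.0/0" || $4 == "::/0" || $5 == "trust") { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample files: one weak pair, one pair matching the answer.
tmp=$(mktemp -d)
printf "listen_addresses = '*'\n" > "$tmp/pg_open.conf"
printf "listen_addresses = '127.0.0.1, 192.168.10.1'\n" > "$tmp/pg_internal.conf"
printf 'host    all    all    0.0.0.0/0       md5\n' > "$tmp/hba_open.conf"
cat > "$tmp/hba_internal.conf" <<'EOF'
# staff reach the database through the VPN's 192.168.10.0/24 range (constructed)
local   all    all                     peer
host    all    all    127.0.0.1/32     md5
host    all    all    192.168.10.0/24  md5
EOF
for f in pg_open pg_internal; do
    check_listen_addresses "$tmp/$f.conf" && echo "$f: ok" || echo "$f: exposed"
done
for f in hba_open hba_internal; do
    check_pg_hba "$tmp/$f.conf" && echo "$f: ok" || echo "$f: exposed"
done
```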