How to build an efficient and flexible security layer for a private project host [closed]
Closed 8 years ago.
- This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
- This question does not appear to be about programming within the scope defined in the help center.
I have a dedicated server running Linux. The operating system runs the following (let's call them) components:
- PostgreSQL
  - Access rule: Only staff (and local access of course)
- Apache
  - Sites
    - Public site: Everyone
    - Private site: Only staff
The staff reaches these components via WAN, and I'd like to know which is the best, easiest, and most flexible way to apply these access rules (also centralized, so I don't have to configure every component). Of course the server will run much more stuff, but I think I'll manage once I have a solution for the above.
I thought about some ways though:
VPN: This won't work, as I have a public thing that has to be available to the world, and it seems a bit complicated to me too... I don't know
LDAP auth: This seems to be the best, but I only know the definition of LDAP
What are your guesses, guys?
Would you recommend any good readme to me?
VPN is your best solution. It is widely used in exactly the same scenario - Postgre and the private site are on 192.168.x.x addresses (you can configure this using virtual interfaces, e.g. eth0:0 and then tell them to listen only on this interface), the public site is on a real public IP address. When the staff connects via VPN, they also get a 192.168 IP address and have authenticated and encrypted access to all internal components - otherwise, only the public site can be accessed. If you can afford additional resources, the best solution is a de-militarized zone (http://en.wikipedia.org/wiki/DMZ_%28computing%29). There are other solutions, but none that work with Windows clients out-of-the-box.
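A defender's check for the layout the answer describes (an added example, not from the original post or the answerer): verify that the internal-only services are bound to the VPN-side address and not to every interface. The address 192.168.10.1, the ports and the sample `ss -ltn` output are constructed; the configuration that produces the correct state is PostgreSQL's `listen_addresses` in postgresql.conf and Apache's `Listen` directive.

```shell
#!/bin/sh
# Added example: audit which addresses the internal-only services listen on.
# Desired state (constructed values):
#   postgresql.conf : listen_addresses = '192.168.10.1, 127.0.0.1'
#   Apache          : Listen 192.168.10.1:8443   (private site)
#                     Listen 443                  (public site, all interfaces)
INTERNAL_IP="192.168.10.1"      # address of the VPN-facing virtual interface
INTERNAL_PORTS="5432 8443"      # PostgreSQL and the private site

# Constructed sample of `ss -ltn` output (header removed), standing in for a
# live system. 8443 is wrongly bound to 0.0.0.0 here; 5432 is correct.
SAMPLE_SS='LISTEN 0 244 192.168.10.1:5432 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*'

# check_bindings <ss output>
# Prints one line per internal-only port reachable on anything other than the
# internal or loopback address; returns 1 if any were found, else 0.
check_bindings() {
    violations=0
    for port in $INTERNAL_PORTS; do
        printf '%s\n' "$1" | awk -v port="$port" -v ok="$INTERNAL_IP" '
            $1 == "LISTEN" {
                n = split($4, a, ":"); p = a[n]          # port is the last field
                addr = substr($4, 1, length($4) - length(p) - 1)
                if (p == port && addr != ok && addr != "127.0.0.1" && addr != "[::1]") {
                    print "port " p " bound to " addr " (should be " ok " only)"
                    bad = 1
                }
            }
            END { if (bad) exit 1 }' || violations=1
    done
    return $violations
}

# On a real host replace SAMPLE_SS with: "$(ss -ltn | tail -n +2)"
check_bindings "$SAMPLE_SS" || echo "fix listen_addresses / Listen before exposing the host"
```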