 

Should admin be a subdomain or a namespace?

When would you use a subdomain over a namespace? i.e. http://admin.foo.com VS http://foo.com/admin

Alternatively, I also like how api.foo.com looks vs. foo.com/api. I also find subdomains a bit tricky to set up.

Christian Fazzini asked Dec 21 '22 11:12


2 Answers

Mounting another app inside a folder or a subdomain is no big deal with web servers, but if your Rails app contains both the /admin and normal applications, it gets trickier to serve one as a subdomain.

Thankfully the Rails router is very flexible in this regard and supports both scenarios rather well.

TLDR: Rails supports both ways through the routing engine and at this point it comes down to personal preference (although I suspect the subdomain option will not play too nicely with path helpers)

/admin Routes

To achieve the /admin routes, Rails supports the notion of namespaces in routing. So to have an /admin area in the Rails app, you just write this in your routes.rb:

namespace :admin do
  resources :users
  resources :posts
end

You then put the controllers for the /admin area in controllers/admin/.rb and the class has to be prefixed with Admin (like Admin::PostsController).

Since most applications' admin area will most likely interact with the models from the normal application, it's probably safe to say namespacing is the most convenient way.

Subdomain Routes

But namespacing can also be used with subdomains as it turns out:

The Rails router can define constraint blocks and define the namespace inside these blocks. So if you want to host the namespace from above only in the admin.example.com subdomain you can do this:

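# A string matches the subdomain exactly; the regex /admin/ is unanchored
# and would also match subdomains such as "sysadmin".
constraints(:subdomain => 'admin') do
  namespace :admin do
    resources :users
    resources :posts
  end
end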

(I didn't know about the constraints feature but this blog post seems to explain it quite well)

This obviously requires you to configure the web server in a way that it serves admin.example.com and www.example.com to the same Rails application.

I am not sure if session (achieved through cookies) is carried over but I guess you can figure this out.

Tigraine answered Jan 09 '23 17:01


I think the other answer addressed the practicality issue, but purely from a security perspective:

Putting admin in a subdomain is recommended in the Rails Security Guide because it is more insulated from an XSS attack:

Put the admin interface to a special sub-domain such as admin.application.com and make it a separate application with its own user management. This makes stealing an admin cookie from the usual domain, www.application.com, impossible. This is because of the same origin policy in your browser: An injected (XSS) script on www.application.com may not read the cookie for admin.application.com and vice-versa.

So from a security perspective, putting admin in a subdomain may be safer.

leishman answered Jan 09 '23 17:01
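
Whether the admin cookie is actually isolated, and whether a session carries over between the two hosts, depends on how the cookie is scoped. The sketch below is an added example, not code from either answer or from Rails: it applies the RFC 6265 domain-matching rule to constructed cookies (the cookie names and the Cookie struct are assumptions) to show that a host-only cookie set by admin.application.com never reaches www.application.com, while one set with Domain=application.com is shared with it.

```ruby
# Added example: RFC 6265 cookie scoping, host-only cookie vs. Domain= cookie.
# Hostnames and cookie names below are constructed for illustration.

Cookie = Struct.new(:name, :set_by, :domain_attr) do
  # A cookie set without a Domain attribute is "host-only" (RFC 6265, 5.3).
  def host_only?
    domain_attr.nil?
  end
end

# RFC 6265 section 5.1.3 domain-match: identical, or the host ends with
# "." + domain (IP-address hosts are out of scope here).
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase.sub(/\A\./, "")
  host == domain || host.end_with?(".#{domain}")
end

# Would a browser attach this cookie to a request for +host+?
def sent_to?(cookie, host)
  if cookie.host_only?
    host.downcase == cookie.set_by.downcase
  else
    domain_match?(host, cookie.domain_attr)
  end
end

# Names of cookies a script running on +host+ could reach via document.cookie
# (HttpOnly and Path are ignored to keep the focus on domain scoping).
def visible_on(host, jar)
  jar.select { |c| sent_to?(c, host) }.map(&:name)
end

JAR = [
  Cookie.new("admin_session_hostonly", "admin.application.com", nil),
  Cookie.new("admin_session_shared",   "admin.application.com", "application.com"),
  Cookie.new("www_session",            "www.application.com",   nil)
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[www.application.com admin.application.com].each do |host|
    puts "#{host}: #{visible_on(host, JAR).join(', ')}"
  end
end
```

The subdomain split only gives the isolation described in the guide when the admin session cookie is host-only; a session cookie scoped to the parent domain is visible on both hosts.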