保护 Rails 登台环境的密码
我正在尝试找出保护我的暂存环境的最佳方法是什么。目前我在同一台服务器上运行登台和生产。
我能想到的两个选项是:
使用rails摘要身份验证
我可以在 application_controller.rb 中放入类似的内容
# Password protection for staging environment
if RAILS_ENV == 'staging'
before_filter :authenticate_for_staging
end
def authenticate_for_staging
success = authenticate_or_request_with_http_digest("Staging") do |username|
if username == "staging"
"staging_password"
end
end
unless success
request_http_digest_authentication("Admin", "Authentication failed")
end
end
这是从 Ryan Daigle 的博客。我正在最新的 Rails 2.3 上运行,所以我应该不会遇到安全问题。
使用 Web 服务器身份验证
我也可以使用 .htaccess 或 apache 权限来实现此目的,但这使我的服务器配置稍微复杂一些(我正在使用 Chef,并且需要不同的 apache 配置来进行暂存/生产) 。
现在我已经实施并运行了第一个,您发现它有什么问题吗?我错过了一些明显的事情吗?提前致谢!
I'm trying to work out what the best way to secure my staging environment would be. Currently I'm running both staging and production on the same server.
The two options I can think of would be to:
Use rails digest authentication
I could put something like this in the application_controller.rb
# Password protection for staging environment
if RAILS_ENV == 'staging'
before_filter :authenticate_for_staging
end
def authenticate_for_staging
success = authenticate_or_request_with_http_digest("Staging") do |username|
if username == "staging"
"staging_password"
end
end
unless success
request_http_digest_authentication("Admin", "Authentication failed")
end
end
This was ripped from Ryan Daigle's blog. I'm running on the latest Rails 2.3 so I should be free from the security problem they had with this.
Use web server authentication
I could also achieve this using .htaccess or apache permissions, however it makes my server provisioning slightly more complex (I'm using Chef, and would require different apache configs for staging/production).
For now I have the first one implemented and working, do you see ay problems with it? Have I missed something obvious? Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
碰撞这个是为了帮助其他人,就像我自己一样,当我在选择一个类似但更干净的解决方案之前读到这篇文章时。
我写了一个简短的 关于它的博客文章。
bumping this to help others, like myself as I read this before settling on an similar, but cleaner solution.
I wrote a short blog post about it.
如果您正在使用多暂存环境进行部署,并且拥有生产环境和暂存环境,则只需将这些行添加到 config/environments/staging.rb 中
,这样您就不需要配置 Apache。
我正在使用 Ruby 2 和 Rails 4,它的工作方式非常神奇!
If you are deploying with multi-staging environments and so you have production environment and staging environment, you only need to add these lines to config/environments/staging.rb
By doing so, you don't need to configure Apache.
I am using Ruby 2 with Rails 4 and it works like a charm!
我会选择 http 基本身份验证,我认为它没有固有的问题。
I would go with the http basic authentication, I see no inherent problems with it.