Password protecting a Rails staging environment

Posted on 2024-08-05 09:51:33

I'm trying to work out what the best way to secure my staging environment would be. Currently I'm running both staging and production on the same server.

The two options I can think of would be to:

Use rails digest authentication

I could put something like this in the application_controller.rb

# Password protection for staging environment
if RAILS_ENV == 'staging'
  before_filter :authenticate_for_staging
end

def authenticate_for_staging
  success = authenticate_or_request_with_http_digest("Staging") do |username|
    if username == "staging"
      "staging_password"
    end
  end
  unless success
    request_http_digest_authentication("Admin", "Authentication failed")
  end
end

This was ripped from Ryan Daigle's blog. I'm running on the latest Rails 2.3 so I should be free from the security problem they had with this.

Use web server authentication

I could also achieve this using .htaccess or apache permissions, however it makes my server provisioning slightly more complex (I'm using Chef, and would require different apache configs for staging/production).


For now I have the first one implemented and working. Do you see any problems with it? Have I missed something obvious? Thanks in advance!

Comments (3)

久光 2024-08-12 09:51:33

Bumping this to help others like myself, as I read this before settling on a similar, but cleaner solution.

# config/environments/staging.rb

MyApp::Application.configure do
  config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
    [u, p] == ['username', 'password']
  end

  # ... other config
end

I wrote a short blog post about it.

人疚 2024-08-12 09:51:33

If you are deploying with multi-staging environments, and so you have a production environment and a staging environment, you only need to add these lines to config/environments/staging.rb:

MyApp::Application.configure do
  # RESTRICTING ACCESS TO THE STAGE ENVIRONMENT
  config.middleware.insert_before(::Rack::Runtime, "::Rack::Auth::Basic", "Staging") do |u, p|
    u == 'tester' && p == 'secret'
  end

  ...

end

By doing so, you don't need to configure Apache.

I am using Ruby 2 with Rails 4 and it works like a charm!

深海夜未眠 2024-08-12 09:51:33

I would go with HTTP basic authentication; I see no inherent problems with it.
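
An added example, not code from the thread or from Rails: the answers above hardcode the Basic auth credentials in config/environments/staging.rb and compare them with `==`. This standalone Rack middleware reads them from environment variables instead, refuses to boot without them, and compares in constant time. `StagingGate`, `basic_header`, `STAGING_USER` and `STAGING_PASSWORD` are assumed names.

```ruby
require "digest"

# StagingGate is a hypothetical name; credentials come from the assumed
# environment variables STAGING_USER / STAGING_PASSWORD, not from source code.
class StagingGate
  def initialize(app, user: ENV["STAGING_USER"], password: ENV["STAGING_PASSWORD"], realm: "Staging")
    # Fail closed: refuse to boot rather than run staging unprotected.
    if user.to_s.empty? || password.to_s.empty?
      raise ArgumentError, "staging credentials are not configured"
    end
    @app, @user, @password, @realm = app, user, password, realm
  end

  def call(env)
    return @app.call(env) if authorized?(env["HTTP_AUTHORIZATION"])

    headers = { "content-type" => "text/plain",
                "www-authenticate" => %(Basic realm="#{@realm}") }
    [401, headers, ["Authentication required\n"]]
  end

  private

  def authorized?(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return false unless scheme&.casecmp?("basic") && encoded

    # "m" is lenient Base64: malformed input decodes to garbage, never raises.
    user, password = encoded.unpack1("m").split(":", 2)
    # Non-short-circuit `&` so both fields are always compared.
    secure_compare(user.to_s, @user) & secure_compare(password.to_s, @password)
  end

  # Compare fixed-length digests byte by byte without an early exit.
  def secure_compare(a, b)
    x = Digest::SHA256.digest(a).bytes
    y = Digest::SHA256.digest(b).bytes
    x.zip(y).reduce(0) { |acc, (l, r)| acc | (l ^ r) }.zero?
  end
end

# Constructed helper for exercising the middleware without a browser.
def basic_header(user, password)
  "Basic " + ["#{user}:#{password}"].pack("m0")
end

# In config/environments/staging.rb: config.middleware.use StagingGate
```

Basic auth only Base64-encodes the credentials, so the staging host should be served over TLS. Inside a Rails app, `ActiveSupport::SecurityUtils.secure_compare` can replace the hand-written comparison.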
