如何使我的 Heroku 应用程序保持私密?
有没有一种方法可以使我的应用程序完全保密,并且只允许开发人员访问?
当随机用户输入 URL 时,它应该类似于空白页面,但当开发人员输入 URL 时,他们应该能够访问该应用程序。
Is there a way that I could keep my application completely private, and only let the developers have access?
When a random user enters the URL, it should be something like a blank page, but when the developers enter the URL, they should be able to access the app.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
我的廉价解决方案是实现 before_filter 来在执行每个操作之前请求 HTTP 身份验证。
该解决方案与其他身份验证层(Devise 或其他层)配合良好。
每当其他对等方登陆 yourdomain.heroku.com 时,都会要求他们进行 HTTP 身份验证,然后再进行其他身份验证(如果有)。
My cheap solution has been implementing a before_filter to request an HTTP authentication before every action is executed.
This solution works well along other authentication layers – Devise or others.
Whenever other peers land at yourdomain.heroku.com, they are asked for HTTP authentication, later for other authentication if in place.
现在,您还可以使用 Heroku 插件,让您指定允许访问的用户的电子邮件应用程序并使用 Persona(又名 BrowserID)来验证用户身份(不需要站点特定密码)。
Now you can also use a Heroku add-on that let's you specify emails of users allowed to access an application and that uses Persona (aka BrowserID) to authenticate users (no site specific password needed).
一个非常简单的解决方案是仅添加一个可以存储在用户计算机上的 cookie 中的密钥。这不是一个完美的解决方案,因为有人可以获得密钥,但它为您提供了基本的保护,防止有人无意中访问您的网站。您可以使用类似 http://www.yourdomain.com?access_key=random_string 的网址,然后将以下内容添加到您的应用程序控制器中。
此代码将检查用户计算机上的 url 或 cookie 中的访问密钥,如果任一位置存在该访问密钥,则允许他们进入。这样,一旦他们使用密钥访问该网站,他们就可以直接访问该网址。
A really simple solution would be to just add a key that can be stored in a cookie on the users machine. This is not a perfect solution as someone could get the key but it gives you basic protection from someone stumbling across your site. You could use a url like http://www.yourdomain.com?access_key=random_string and then add the following to your application controller.
This code will check for the access key in either the url or a cookie on the users machine and let them in if it exists in either place. That way once they've accessed the site with the key they can just access the url directly.
您可以使用 HTTP 基本身份验证作为一种简单的方法:
不完全安全,但也许足够了。
您还可以尝试检查
heroku_user并拒绝访问(如果未设置):我找不到太多关于
heroku_user的文档,所以我不知道它是否仍然受支持。You could use HTTP basic authentication as an easy way:
Not exactly bullet proof but maybe sufficient.
You could also try checking
heroku_userand refusing access if it isn't set:I can't find much documentation on
heroku_userso I don't know if it is still supported.查看 authlogic gem,特别是单一访问令牌功能。
您可以向未将适当的单一访问令牌作为参数传递的任何人返回 404。
Check out authlogic gem, particularly the Single Access Token feature.
You can return a 404 to anyone who doesn't pass the appropriate single access token as an argument.
我构建了 rack_staging gem 来为自己处理这个用例,它可能对你也有用。
I built the rack_staging gem to handle this use case for myself, it might be of use for you too.
我的(也很便宜)的解决方案(使用基于类的视图的 Django 应用程序)是在我所有基于类的视图中使用 SuperUserRequiredMixin ,如下所示:
添加/删除此 mixin 是我解决此问题的方法。
My (also cheap) solution (Django app that uses class based views) is to use
SuperUserRequiredMixinin all my class based views like this:Adding / removing this mixin is my way to go about this.