当前位置: 文江博客话题详情

我应该将 Glimpse 部署到生产站点吗?

发布于 2024-11-02 14:14:52 字数 249 浏览 5 评论 0原文

我最近将 Glimpse Debugger 包添加到我的项目中。这添加了对Glimpse dll的引用,并修改了一些Web.Config。

我尽可能喜欢我的项目在我的开发和生产环境中的表现。

那么,将 Glimpse 部署到我的生产站点是否节省/明智,或者我应该创建一个不同的项目(或从我的 csproj 文件创建分支)以仅将其保留在本地?

我担心的事情包括:

  • 性能
  • 安全漏洞
原文

I recently added the Glimpse Debugger package to my project. This added a reference to the Glimpse dll, and modified some Web.Config.

I like my project as much the same as possible on my development and production environment.

So is it save/wise to deploy Glimpse to my production site, or should I create a different project (or create branch from my csproj file) to keep it only locally?

Stuff that I'm worried about include:

  • Performance
  • Security breaches

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

℡Ms空城旧梦 2024-11-09 14:14:52

我相信如果没有找到 Glimpse 的 cookie,它就不会加载或执行任何操作,因此性能应该可以忽略不计。安全方面,您只需在 web.config 中为预览路径的位置设置用户限制即可。

<location path="Glimpse.axd" >
    <system.web>
        <authorization>
            <allow users="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

或者,如果有管理员角色,您可以按角色而不是用户名来执行此操作。

如果您不想仅依赖 cookie 的存在,也可以将其关闭。这可以通过 web.config 转换轻松实现,我还没有测试标记,但类似的东西应该可以工作。

<glimpse enabled="false" xdt:Transform="SetAttributes">
</glimpse>

更新:Glimpse 最近看到了一些变化(我相信是从 1.0 开始?)转换现在如下所示。尝试设置 enabled 属性会在最新版本的 Glimpse 中出现配置错误。

<glimpse defaultRuntimePolicy="Off" xdt:Transform="SetAttributes">
</glimpse>

正如文档所说...

Glimpse 永远不会被允许对 Http 响应做更多的事情
DefaultRuntimePolicy 中指定。

应该注意的是,此转换的唯一目的是如果您想要删除在部署过程中使用 Glimpse 的功能。如果您想根据其他条件(例如远程请求或授权检查)有条件地禁用它,最好通过策略来完成。 Glimpse 现在根据一系列策略运行(全部基于IRuntimePolicy),旨在帮助确定何时允许glimpse 执行其操作。事实上,一旦安装了 Glimpse,如果您导航到该页面底部的glimpse.axd,您将看到当前启用的策略列表。例如防止远程请求访问的LocalPolicy(可配置的是,可以通过web.config忽略任何策略以允许远程请求)http://getglimpse.com/Help/Configuration。他们还有一个名为 GlimpseSecurityPolicy 的示例类,当您使用 Nuget 安装 Glimpse 时会包含该类,您可以使用它来添加授权限制。

public class GlimpseSecurityPolicy:IRuntimePolicy
{
    public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
    {
        // You can perform a check like the one below to control Glimpse's permissions within your application.
        // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
        var httpContext = policyContext.GetHttpContext();
        if (httpContext.User != null && !httpContext.User.IsInRole("Glimpse")) //Once glimpse is turned on, you have to be a member of this Role to see the Glimpse Panel.
        {
            return RuntimePolicy.Off;
        }

        return RuntimePolicy.On;
    }

    public RuntimeEvent ExecuteOn
    {
        get { return RuntimeEvent.EndRequest; }
    }
}

现在,这些策略用于确定 glimpse 何时运行,但它们不会阻止用户打开 glimpse.axd 页面。据我所知,仍然可以启用 cookie,但是如果尽管存在 cookie,但一瞥仍拒绝运行,那么 cookie 就毫无意义了。话虽这么说,但仍然建议使用 web.config 中的位置标记将一闪一闪的页面包装在授权检查中。请注意,这是对上面的 GlimpseSecurityPolicy 的补充。

<location path="glimpse.axd">
  <system.web>
    <authorization>
      <allow roles="Glimpse" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

I believe if the cookie for Glimpse is not found it doesn't load or do anything so performance should be negligible. Security wise you can just set a user restriction in the web.config for the location of the glimpse path.

<location path="Glimpse.axd" >
    <system.web>
        <authorization>
            <allow users="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Or if there is an administrator role you could do it by role instead of user name.

You can also switch it off if you don't want to rely on just the presence of the cookie. This easily achieved through web.config transforms, I haven't tested the markup yet but something like this should work.

<glimpse enabled="false" xdt:Transform="SetAttributes">
</glimpse>

UPDATE: Glimpse has seen some changes recently and (since 1.0 I believe?) the transform would now look as follows. Trying to set the enabled attribute will give a configuration error in the most recent version of Glimpse.

<glimpse defaultRuntimePolicy="Off" xdt:Transform="SetAttributes">
</glimpse>

As the documentation puts it...

Glimpse will never be allowed to do more with a Http response than is
specified in DefaultRuntimePolicy.

It should be noted that the only purpose this transform serves, is if you want to remove the ability to use Glimpse as part of your deployment process. If you want to conditionally disable it based on other criteria such as remote requests or authorization check, these are better done via policies. Glimpse operates off of a series of policies now (all based off of IRuntimePolicy), designed to help determine when glimpse should be allowed to do it's thing. In fact once Glimpse is installed, if you navigate to glimpse.axd, at the bottom of that page, you'll see a list of policies that are currently enabled. Such as the LocalPolicy that prevents it from being accessed by remote requests (configurably, any policy can be ignored via the web.config to allow remote requests) http://getglimpse.com/Help/Configuration. They also have a sample class called GlimpseSecurityPolicy that is included when you install Glimpse using Nuget, which you can use to add a authorization restrictions.

public class GlimpseSecurityPolicy:IRuntimePolicy
{
    public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
    {
        // You can perform a check like the one below to control Glimpse's permissions within your application.
        // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
        var httpContext = policyContext.GetHttpContext();
        if (httpContext.User != null && !httpContext.User.IsInRole("Glimpse")) //Once glimpse is turned on, you have to be a member of this Role to see the Glimpse Panel.
        {
            return RuntimePolicy.Off;
        }

        return RuntimePolicy.On;
    }

    public RuntimeEvent ExecuteOn
    {
        get { return RuntimeEvent.EndRequest; }
    }
}

Now the policies are used to determine when glimpse should run, but they don't prevent the user from being able to bring up the glimpse.axd page. The cookie can still be enabled from what from what I can tell, but the cookie is meaningless if glimpse refuses to run in spite of the cookie being present. That being said It's still advisable to wrap the glimpse.axd page in an authorization check using the location tag in your web.config. Note that this is in addition to the GlimpseSecurityPolicy above.

<location path="glimpse.axd">
  <system.web>
    <authorization>
      <allow roles="Glimpse" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
回复 原文
不顾 2024-11-09 14:14:52

Yarx 几乎在所有方面都是正确的。

从安全角度来看,您可以使用所描述的方法锁定路径。唯一的问题是,glimpse 使用了更多的 URL 端点,因此规则需要类似于 *Glimpse/* (其中 * 表示任何内容都可以在它之前,任何内容都可以在它之后) )。一旦到位,一瞥就应该被锁定。

另外,如果在配置中,您使用了 Yarx 提供的转换,即使您打开了 cookie,glimpse 也永远不会加载。

Yarx is right on pretty much all fronts.

From a security perspective you could lock down the path using the method described. Only thing is, there are more URL end points that glimpse uses, so the rule would need to be something like *Glimpse/* (where * says that anything can come before it and anything can come after it). Once this is in place, glimpse should be pretty locked down.

Also, if in the config, you used the transform that Yarx provided, glimpse will never load, even if you have the cookie turned on.

回复 原文
山色无中 2024-11-09 14:14:52

从 Glimpse 1.7 开始,有一种更通用的方法来保护 ~/glimpse.axd ,其额外好处是您可以对所有人使用相同的策略。您只需要确保您的自定义策略也被资源调用:

 public RuntimeEvent ExecuteOn
 {
     // The bit flag that signals to Glimpse that it should run on either event
     get { return RuntimeEvent.Endrequest | RuntimeEvent.ExecuteResource; }
 }

注意 | RuntimeEvent.ExecuteResource。请参阅底部:保护 Glimpse .axd 前进的方向

Starting with Glimpse 1.7 there is a more generic way to secure ~/glimpse.axd with the additional benefit that you use the same policy for all. You simply need to make sure that your custom policy is called for resources too:

 public RuntimeEvent ExecuteOn
 {
     // The bit flag that signals to Glimpse that it should run on either event
     get { return RuntimeEvent.Endrequest | RuntimeEvent.ExecuteResource; }
 }

Notice the | RuntimeEvent.ExecuteResource. See bottom of: Securing Glimpse.axd the way forward.

回复 原文
~没有更多了~

关于作者

月棠

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Promise

文章 0 评论 0

qq_lbRlsh

文章 0 评论 0

待"谢繁草

文章 0 评论 0

yy2010hell

文章 0 评论 0

漫无边际

文章 0 评论 0

傲娇萝莉攻

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文