堆栈内存溢出
  简体   繁体   English

在Git中存储Web.config

[英]Storing Web.config in Git

 原文  2017-03-02 15:00:05       c#/ asp.net/ .net/ github

问题描述

I have doubt on storing web.config files in Git-hub, is it recommended? 我怀疑在Git-hub中存储web.config文件,是推荐吗?

Is this not a security vulnerability? 这不是安全漏洞吗?

Also web.config for different environments will be different in different enviroments, hence how to keep different versions of web.config is same repo and branch? 另外,不同环境的web.config在不同的环境中也会有所不同,因此如何保持不同版本的web.config是同一个repo和branch?

2 个解决方案

解决方案1
 4 已采纳  2017-03-02 15:01:29

Yes, it is. 是的。

Use server-level secrets to store sensitive information like DB connection strings. 使用服务器级密钥存储敏感信息,如数据库连接字符串。

In IIS you can use ASPNET_REGIIS - it lets you add secret configuration that IIS can access, but that isn't held in plain text with the web files. 在IIS中,您可以使用ASPNET_REGIIS - 它允许您添加IIS可以访问的秘密配置,但不能使用Web文件以纯文本形式保存。

In .NET core there's new Microsoft.Extensions.SecretManager.Tools that does the same thing. 在.NET核心中有新的Microsoft.Extensions.SecretManager.Tools做同样的事情。

For different environments you can have multiple web.config files , for instance web.release.config and web.debug.config . 对于不同的环境,您可以拥有多个web.config文件 ,例如web.release.configweb.debug.config

解决方案2
 2  2017-03-02 19:23:40

Your web.config file itself is not a security issue. 您的web.config文件本身不是安全问题。 The keys you probably have inside it like connections strings are indeed very much sensitive and should not be in version control. 你可能拥有的键就像连接字符串一样非常敏感,不应该在版本控制中。 The problem is how to manage those keys without having them in the web.config (or any other version controlled settings/config file). 问题是如何管理这些密钥而不将它们放在web.config(或任何其他版本控制的设置/配置文件)中。

Keith is correct that you should use server-level secrets. Keith你应该使用服务器级秘密是正确的。 If your managing the server yourself you can use his method of setting them but if your using a service you'll need to set the keys up however they specify. 如果你自己管理服务器,你可以使用他的设置方法,但如果你使用服务,你需要设置密钥,但是他们指定。

An example on Azure Azure上的一个示例

How and where to define an environment variable on azure 如何以及在何处定义Azure上的环境变量

Another on Heroku Heroku的另一个

https://devcenter.heroku.com/articles/config-vars https://devcenter.heroku.com/articles/config-vars

Setting up the server-level secrets is only the first step. 设置服务器级秘密只是第一步。 Once you've pulled the keys out of the web.config you'll have to set them up locally. 一旦你从web.config中取出密钥,你就必须在本地设置它们。 Here's a blog post that talks about setting them using your local machine.config. 这是一篇关于使用本地machine.config设置它们的博客文章。

http://krow.tech/posts/Keeping-Your-Secret-Configs-Private http://krow.tech/posts/Keeping-Your-Secret-Configs-Private

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将公用密钥存储在web.config文件中 - Storing public key in web.config file 将字节数组存储在web.config中 - storing a byte array in web.config 在web.config中存储复杂的对象 - Storing complex objects in web.config 在web.config中存储错误代码和消息 - storing error code and messages in web.config 在web.config或app.config中存储分层应用程序设置 - storing hierarchical application settings in web.config or app.config 与const字段相比,在web.config中存储值是否存在性能损失? - Is there a performance penalty for storing values in the web.config compared to const fields? 创建web.config - Creating web.config Ajax的web.config - ajax web.config Web.config设置 - Web.config settings 加密Web.Config - Encrypting Web.Config
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM