ActionMailer password security

Question

Am I crazy, or is it a bad idea to keep my SMTP username and password for ActionMailer in the actual (development/production) config file? It seems like I should store it in an encrypted place, or at the very minimum, exclude it from my Mercurial pushes.

Right now, I'm just removing the password from my source file before performing a push, but there's got to be a smarter way than the one I'm using. :)

Perhaps I should store it in my database as another user (which is already stored with encrypted passwords) and fetch it programmatically?

Solution

Use an application configuration file that is not stored in your repository for storing sensitive information. Here is how I've done it:

  1. Add an app_config.yml in your config directory. Its contents would look like this:

    smtp_password: kl240jvfslkr32rKgjlk
    some_other_password: 34hg9r0j0g402jg
    and_so_on: lkn$@gJkjgsFLK4gaj
    

  2. Add a preinitializer.rb in your config directory with the following contents:

    require 'yaml'
    APP_CONFIG = YAML.load(File.read(RAILS_ROOT + "/config/app_config.yml"))
    

  3. Substitute your passwords for values in the APP_CONFIG variable, like so:

    smtp_password = "kl240jvfslkr32rKgjlk" # old version
    smtp_password = APP_CONFIG['smtp_password'] # new version
    

Make sure you don't include app_config.yml in your repository, though you may want to create an example file that is checked in, just to show a sample of what should be in it. When you deploy your application, make sure that app_config.yml is stored on the server. If you're using a standard Capistrano deployment, put the file in the shared folder and update your deployment task to create a symlink to it in the current release's directory.
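
An added example, not part of the original answer: a loader that could stand in for the `YAML.load` line in step 2, checking the untracked `app_config.yml` against the checked-in example file before anything reads a password. The helper name `load_app_config`, the `app_config.example.yml` file name, the `CHANGE_ME` placeholders and the owner-only permission check are assumptions, and the demo files are constructed.

```ruby
require 'yaml'
require 'tmpdir'

# Hypothetical helper (not from the answer): load the untracked secrets file
# and check it against the checked-in example file before the app uses it.
class AppConfigError < StandardError; end

def load_app_config(real_path, example_path)
  unless File.file?(real_path)
    raise AppConfigError, "#{real_path} is missing; copy #{example_path} and fill it in"
  end

  # Assumption: the secrets file should be readable by the app user only.
  mode = File.stat(real_path).mode & 0o777
  if mode & 0o077 != 0
    raise AppConfigError, format('%s has mode %o; expected 600', real_path, mode)
  end

  # safe_load accepts plain scalars, hashes and arrays only; no object tags.
  config  = YAML.safe_load(File.read(real_path)) || {}
  example = YAML.safe_load(File.read(example_path)) || {}

  missing = example.keys - config.keys
  raise AppConfigError, "missing keys: #{missing.join(', ')}" unless missing.empty?

  # A value identical to the example's placeholder means nobody filled it in.
  unfilled = example.keys.select { |k| config[k].to_s == example[k].to_s }
  raise AppConfigError, "placeholder values left in: #{unfilled.join(', ')}" unless unfilled.empty?

  config.freeze
end

# Constructed demo files in a temp directory; every value here is made up.
def demo
  Dir.mktmpdir do |dir|
    example = File.join(dir, 'app_config.example.yml')
    real    = File.join(dir, 'app_config.yml')
    File.write(example, "smtp_password: CHANGE_ME\nsome_other_password: CHANGE_ME\n")
    File.write(real, "smtp_password: constructed-secret-1\n")
    File.chmod(0o600, real)
    begin
      load_app_config(real, example)
    rescue AppConfigError => e
      e.message # the deploy forgot some_other_password
    end
  end
end
```

Calling this at boot makes a deploy that lacks the shared file, or still carries the example's placeholders, fail immediately instead of at the first mail delivery.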
