How do I hide my secret_key using virtualenv and Django?


Problem description


I am using Django, python, virtualenv, virtualenvwrapper, and Vagrant.

So far I have simply left my secret_key inside of the settings.py file. This works fine for local files. However I have already placed my files in Git. I know this is not acceptable for production (Apache).

What is the correct way to go about hiding my secret_key?

Should I use virtualenv to hide it?

Solution

There are a lot of different methods to hide secrets.

  1. Use another, non-versioned file.

    Create a new file secrets.py or what have you and put your secrets in that. Place it alongside your settings file and place everything secret in there; then in your settings file put from secrets import * at the top. Then, like Rahul said, add a .gitignore file and add secrets.py to this file so that it won't be committed.

    The disadvantage of this approach is that there is no source control at all on that file; if you lose it you're SOL.

  2. Use environment variables.

    Use the Apache SetEnv or PassEnv directives (http://httpd.apache.org/docs/2.2/mod/mod_env.html) to pass environment variables to your process, then retrieve them with os.environ() in your settings file. This has the advantage in that in development, you can set new variables (as simply as VAR1=whatever VAR2=whatever ... ./manage.py runserver ...) or set them from whatever mechanism you use to launch your development project.

    The disadvantage is much the same; if you lose your Apache configs you're boned.

  3. Use a second repository in combination with method 1.

    Personally, I like the idea of having a dedicated secrets repository that you put all your secrets into and keep that repo under lock and key. Then as part of your deployment process, you can use git archive or another similar command to extract the proper keys for the place you're deploying to, and you can keep your secrets backed up and under version control easily. You can also add the appropriate files in the secrets repo to the .gitignore file of your site repository so that they don't accidentally get committed.

    The downside of this is that you have another extra repository and another deployment step. I think that's worth it, personally, but it's really up to you.

In general, the more secure you want it, the more inconvenient it's going to be to access those secrets. That's really a rule in general, though.
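
Methods 1 and 2 combined, as an added example that is not part of the original answer: the settings file takes the key from an environment variable first, falls back to an untracked file, and refuses to start if neither supplies it. It uses a KEY=value file rather than the secrets.py module the answer describes; the names get_secret, DJANGO_SECRET_KEY and secrets.env are assumptions, and the permission check assumes a POSIX host.

```python
import os
import stat
from pathlib import Path


class MissingSecret(RuntimeError):
    """Raised instead of silently falling back to a hard-coded key."""


def read_secrets_file(path):
    """Parse KEY=value lines from an untracked, .gitignore'd file (method 1)."""
    path = Path(path)
    if not path.is_file():
        return {}
    # Refuse a file that group or other users can access.
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise PermissionError(f"{path} must be owner-only (chmod 600)")
    values = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def get_secret(name, environ=None, secrets_file=None):
    """Environment variable first (method 2), then the untracked file."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)  # os.environ is a mapping, not a function
    if not value and secrets_file is not None:
        value = read_secrets_file(secrets_file).get(name)
    if not value:
        # Fail closed: no default key is ever baked into settings.py.
        raise MissingSecret(f"{name} is not set; refusing to start without it")
    return value


# In settings.py (variable and file names are assumptions of this example):
# SECRET_KEY = get_secret("DJANGO_SECRET_KEY", secrets_file=BASE_DIR / "secrets.env")
```

A key that has already been committed to Git stays in the repository history, so generate a new one when moving it out of settings.py.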
