在github上存储Apache conf文件是否不好? [英] Is it bad to store Apache conf files on github?
问题描述
我正在开发一个项目,该项目在部署时将需要修改现有的Apache配置.当前conf文件未包含在github存储库中,我想添加它们,这将使我能够在正在处理的分支中进行所需的更改.
当前的维护者和我不确定包括这些文件是否存在安全风险?在这方面什么是最佳实践?
更好的是存储一个带有占位符值的 httpd.conf.tpl
template 文件
这允许您在本地生成正确的httpd.conf文件,并在 git clone
/ git checkout
上自动生成./p>
生成脚本将:
- 从外部安全引用(如Vault)中搜索任何敏感数据的正确值
- 替换
httpd.conf.tpl
中的占位符值以生成正确的httpd.conf
(Git可以忽略)
为此,请在中注册(在(来自"自定义Git的图像-Git属性",来自" Pro Git书";)
smudge
脚本将(实际在 git checkout
或 git switch
上)自动生成实际的 httpd.conf
文件如上所述.
同样,生成的实际 httpd.conf
文件仍然会被忽略( .gitignore
).
请参阅"分支之间的git smudge/clean过滤器"的完整示例.
I'm working on a project that when deployed will need to modify an existing Apache config. Currently the conf files are are not included in the github repository, I would like to add them which would let me make the changes required in the branch I'm working on.
The current maintainer and I are unsure if including these files is a security risk? What is considered best practice in this regard?
What is better is to store an httpd.conf.tpl
template file with placeholder values in it.
That allows you to generate the right httpd.conf file locally, and to do so automatically on git clone
/git checkout
.
The generation script will:
- search the right values for any sensitive data from an external secure referential (like a vault)
- replace the placeholder value in
httpd.conf.tpl
to generate the righthttpd.conf
(that can be ignored by Git)
For that, do register (in a .gitattributes
declaration) a content filter driver.
(image from "Customizing Git - Git Attributes", from "Pro Git book")
The smudge
script will generate (automatically, on git checkout
or git switch
) the actual httpd.conf
file as mentioned above.
Again, the generated actual httpd.conf
file remains ignored (by the .gitignore
).
See a complete example at "git smudge/clean filter between branches".
这篇关于在github上存储Apache conf文件是否不好?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!