Satis http 基本身份验证 - 传递凭据 [英] Satis http basic auth - pass credentials
问题描述
我已经设置了 satis 私人 Composer 数据包管理器.Satis 在packages.asc.company"上运行,我通过 apache2 http 基本身份验证保护了该站点,并且可以通过输入 http 基本身份验证凭据在浏览器中打开它.
I have set up satis private composer packet manager. Satis is running on "packages.asc.company", I protected the site by apache2 http basic authentication and can open it in browser by entering http basic auth credentials.
现在我的问题是:如何在运行时以最佳和最安全的方式将凭据传递给 Composer 以访问 satis 站点,例如作曲家更新"?
Now my question: How can I pass composer the credentials to access the satis site in the best and most secure manner when running e.g. "composer update"?
目前我只在 apache .htpasswd 文件中注册了一个有密码的用户,需要将其凭据传递到某处才能从 composer 连接到 satis.
Currently I registered only one user with a password in apache .htpasswd file and need to pass its credentials somewhere to be able to connect from composer to satis.
有两种情况我需要连接:
There are two cases where I need to connect from:
1) 来自开发过程中的项目
1) From the project during development
2) 在持续集成过程中来自 jenkins.
2) From jenkins during continuous integration process.
3) SSL
我现在正在尝试使用 openssl 来保护登录凭据.在运行 apache 的 Linux 上,我创建了一个私钥和一个 .crt 文件(请参阅:Apache SSL .在我的 linux 上,我现在可以使用 https 打开 satis 包页面,我什至将 http 重定向到 https,一切正常(我正在使用我自己的证书是用 openssl 生成的,因为它是一个内部应用程序,我不需要可信的 CA).
I am trying to use openssl now to secure the credentials when logging in. On my linux, where the apache runs, I created a private key and a .crt file (see: Apache SSL . On my linux, I can now open the satis packages page with https, and I even redirect http to https, all working (Im using my own certificate generating with openssl because its an internal application and I don't need a trusted ca).
现在,当我从我的 Linux 虚拟机切换到我的 Windows(这里我正在编码),并且我尝试运行 composer update 时,我收到以下错误消息:(hosts 文件配置正确)
Now, when I switch to my Windows from my Linux vm (here I am coding), and I try to run composer update, I get the following error message: (hosts file is configured correct)
[作曲家\下载器\传输异常]无法下载https://packages.asc.company/packages.json"文件:SSL 操作失败,代码为 1.OpenSSL 错误消息:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败无法启用加密无法打开流:操作失败
[Composer\Downloader\TransportException] The "https://packages.asc.company/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed
我错过了什么?我对 ssl 还很陌生,但是现在阅读了一整天的关于它的信息并且无法让它工作.
What did I miss? I'm pretty new to ssl, but read the whole day now information about it and can't get it to work.
来自 getcomposer satis 站点,我有这个信息,但不知道如何使用它.
From getcomposer satis site, I have this information but don't know how to use it.
{
"repositories": [
{
"type": "composer",
"url": "https://example.org",
"options": {
"ssl": {
"local_cert": "/home/composer/.ssl/composer.pem"
}
}
}
]
}
问候.
推荐答案
Composer 将把用户名添加到 Satis URL 中.对我有用,我只是想绕过本地网络中无用的默认密码服务器.有一个只读帐户,我用过.
Composer will work with adding user names into the Satis URL. Works for me, I just wanted to get around the useless default passworded server in the local network. There's a read only account, and I used it.
另外:公司中的每个开发人员在存储库服务器上都有一个帐户,更安全地保护下载的 ZIP 文件并没有多大用处.Composer 本身目前不支持任何代码签名方法或哈希比较,因此无法知道包是否在存储位置或传输过程中被篡改.
Additionally: Every developer in the company has an account on the repository server, and there isn't much use in protecting downloaded ZIP files with even more security. Composer itself currently doesn't support any code signing methods or hash comparison, so there is no way to know if a package has been tampered with either where stored or during transmission.
根据文档,不在 URL 中提供凭据将使 Composer 要求它们,或者您可以将它们添加到 auth.json.另一方面:将明文密码保存在专用文件中听起来并不是最好的主意,而在不使用 HTTPS 的情况下传输它们甚至更糟.
According to the docs, not giving credentials in the URL will make Composer ask for them, or you can add them to auth.json. On the other hand: Saving clear text passwords in a dedicated file doesn't sound like the best idea, and transmitting them without using HTTPS is even worse.
你必须定义你想要什么样的安全性.您要防范的目标或威胁场景是什么?
You have to define what kind of security you want to have. What is the goal or the threat scenario you want to protect against?
这篇关于Satis http 基本身份验证 - 传递凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
