What is the use of secret_key_base in Rails 4

Question

I am new to Rails 4, and do not understand the use of secret_key_base under config/secrets.yml in Rails 4. Can you please explain this concept?

Also, when I am working in the production environment, I am prompted to set the secret_key with devise.rb, config.secret_key, and secret_key_base. However, I can generate a new secret using the rake secret command.

What is the difference between development and production environments?

How is it matching the newly generated secret_key when I add it with secret_key_base every time I generate?

How is it securing the application with other servers?

Answer

The secret_token.rb file's content includes a long randomized string which is used to verify the integrity of signed cookies (such as user sessions when people are signed into your web app).

The documentation says:

Use your existing secret_key_base from the secret_token.rb initializer to set the SECRET_KEY_BASE environment variable for whichever users run the Rails app in production mode. Alternately, you can simply copy the existing secret_key_base from the secret_token.rb initializer to secrets.yml under the production section, replacing <%= ENV["SECRET_KEY_BASE"] %>.

Since it is an important file, and you can't put it in .gitignore, it is considered good practice to use an env variable to store the secret_key_base value:

Create a .env or .powenv file and store it as:

export SECRET_TOKEN="9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4laalal19cb"

Then in config/initializers/secret_token.rb:

YourAppName::Application.config.secret_key_base = if Rails.env.development? or Rails.env.test? # generate simple key for test and development environments
  ('a' * 30) # should be at least 30 chars long
else
  ENV['SECRET_TOKEN']
end

This article is (a bit old and) long but really full of useful info on the topic.

Starting from Rails 4.2 there is no longer a secret_token.rb file. By the new convention there is a config/secrets.yml file aimed at storing the application's secrets.

Have a read on how to upgrade an existing app to 4.2.x according to innovations.

Technically the purpose of secret_key_base is to be the secret input for the application's key_generator method (check Rails.application.key_generator).

The application’s key_generator, and thus secret_key_base, are used by three core features within the Rails framework:

  • Deriving the key for encrypted cookies, which are accessible via cookies.encrypted.
  • Deriving the key for HMAC-signed cookies, which are accessible via cookies.signed.
  • Deriving the keys for all of the application's named message_verifier instances.

Article by @michaeljcoyne.
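As an added illustration of the key_generator-plus-verifier arrangement described in the answer (this is example code, not from the original answer and not Rails' own implementation): a standard-library-only Ruby model in which secret_key_base is stretched into per-purpose keys and a signed cookie only verifies on a server holding the same secret. The PBKDF2 parameters, salt names and the "payload--hmac" format are assumptions chosen for the example, not Rails' exact ones.

```ruby
require 'openssl'
require 'base64'
# Simplified model of Rails' key_generator: stretch secret_key_base into
# independent per-purpose keys with PBKDF2-HMAC (parameters are assumptions).
class KeyGenerator
  def initialize(secret_key_base, iterations: 1000)
    @secret = secret_key_base
    @iterations = iterations
  end
  def generate_key(salt, key_size = 32)
    OpenSSL::KDF.pbkdf2_hmac(@secret, salt: salt, iterations: @iterations,
                             length: key_size, hash: 'sha256')
  end
end

# Simplified message verifier: "base64(payload)--hex(HMAC-SHA256)".
class MessageVerifier
  def initialize(key)
    @key = key
  end
  def generate(value)
    data = Base64.strict_encode64(value)
    "#{data}--#{digest(data)}"
  end
  # Returns the payload, or nil when the MAC was not made with this key.
  def verify(signed)
    data, sig = signed.to_s.split('--', 2)
    return nil if data.nil? || sig.nil? || !secure_compare(digest(data), sig)
    Base64.strict_decode64(data)
  end
  private
  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA256', @key, data)
  end
  # Constant-time comparison of two hex strings (leaks only the length).
  def secure_compare(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Sign on a server holding signer_secret, verify on one holding verifier_secret:
# only a shared secret_key_base round-trips; anything else yields nil.
def cookie_round_trip(signer_secret, verifier_secret, payload)
  salt = 'signed cookie'
  signer = MessageVerifier.new(KeyGenerator.new(signer_secret).generate_key(salt))
  checker = MessageVerifier.new(KeyGenerator.new(verifier_secret).generate_key(salt))
  checker.verify(signer.generate(payload))
end
```

This is why every server behind a load balancer must be given the same secret_key_base, and why rotating it invalidates all existing signed and encrypted cookies.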
