Should I deploy Glimpse to the production site?

Question

I recently added the Glimpse Debugger package to my project. This added a reference to the Glimpse dll, and modified some Web.Config.

I like my project as much the same as possible on my development and production environment.

So is it safe/wise to deploy Glimpse to my production site, or should I create a different project (or create a branch from my csproj file) to keep it only locally?

Things I'm worried about include:

  • Performance

  • Security vulnerabilities

Recommended answer

I believe if the cookie for Glimpse is not found it doesn't load or do anything, so performance should be negligible. Security-wise, you can just set a user restriction in the web.config for the location of the Glimpse path.

<location path="Glimpse.axd" >
    <system.web>
        <authorization>
            <allow users="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Or if there is an administrator role you could do it by role instead of user name.

You can also switch it off if you don't want to rely on just the presence of the cookie. This is easily achieved through web.config transforms; I haven't tested the markup yet, but something like this should work.

<glimpse enabled="false" xdt:Transform="SetAttributes">
</glimpse>


UPDATE: Glimpse has seen some changes recently and (since 1.0 I believe?) the transform would now look as follows. Trying to set the enabled attribute will give a configuration error in the most recent version of Glimpse.

<glimpse defaultRuntimePolicy="Off" xdt:Transform="SetAttributes">
</glimpse>

As the documentation puts it...

Glimpse will never be allowed to do more with a Http response than is specified in DefaultRuntimePolicy.

It should be noted that the only purpose this transform serves is if you want to remove the ability to use Glimpse as part of your deployment process. If you want to conditionally disable it based on other criteria such as remote requests or an authorization check, these are better done via policies. Glimpse operates off of a series of policies now (all based off of IRuntimePolicy), designed to help determine when Glimpse should be allowed to do its thing. In fact, once Glimpse is installed, if you navigate to glimpse.axd, at the bottom of that page you'll see a list of policies that are currently enabled, such as the LocalPolicy that prevents it from being accessed by remote requests (configurably, any policy can be ignored via the web.config to allow remote requests): http://getglimpse.com/Help/Configuration. They also have a sample class called GlimpseSecurityPolicy that is included when you install Glimpse using NuGet, which you can use to add authorization restrictions.

using Glimpse.AspNet.Extensions;   // GetHttpContext()
using Glimpse.Core.Extensibility;  // IRuntimePolicy, RuntimePolicy, RuntimeEvent

public class GlimpseSecurityPolicy : IRuntimePolicy
{
    public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
    {
        // You can perform a check like the one below to control Glimpse's permissions within your application.
        // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
        var httpContext = policyContext.GetHttpContext();
        // Once Glimpse is turned on, you have to be a member of this role to see the Glimpse panel.
        // A request with no user is treated like a user outside the role, so the check fails closed.
        if (httpContext.User == null || !httpContext.User.IsInRole("Glimpse"))
        {
            return RuntimePolicy.Off;
        }

        return RuntimePolicy.On;
    }

    public RuntimeEvent ExecuteOn
    {
        get { return RuntimeEvent.EndRequest; }
    }
}

Now the policies are used to determine when Glimpse should run, but they don't prevent the user from being able to bring up the glimpse.axd page. The cookie can still be enabled from what I can tell, but the cookie is meaningless if Glimpse refuses to run in spite of the cookie being present. That being said, it's still advisable to wrap the glimpse.axd page in an authorization check using the location tag in your web.config. Note that this is in addition to the GlimpseSecurityPolicy above.

<location path="glimpse.axd">
  <system.web>
    <authorization>
      <allow roles="Glimpse" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
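
A deployment check for the two controls discussed in the answer, as an added example that is not part of the original answer or of Glimpse itself: it reads a transformed web.config and reports whether defaultRuntimePolicy is left on and whether the glimpse.axd location block actually denies anonymous requests under ASP.NET's first-match rule order. The finding codes and both sample configs are constructed for illustration, and treating a missing defaultRuntimePolicy as "not Off" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's role-based <location> block, Glimpse left on.
GUARDED = """<configuration>
  <glimpse defaultRuntimePolicy="On" />
  <location path="glimpse.axd">
    <system.web><authorization>
      <allow roles="Glimpse" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed sample: Glimpse on and no <location> block for the handler.
OPEN = '<configuration><glimpse defaultRuntimePolicy="On" /></configuration>'

def anonymous_allowed(rules):
    """Evaluate <allow>/<deny> rules in order for an anonymous request."""
    for rule in rules:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"*", "?"}:        # first rule matching anonymous wins
            return rule.tag == "allow"
    return True  # nothing matched: inherited rules decide, so report as open

def audit(config_xml):
    """Return finding codes for Glimpse exposure in a web.config string."""
    root = ET.fromstring(config_xml)
    glimpse = root.find("glimpse")
    if glimpse is None:
        return []                     # Glimpse is not configured at all
    findings = []
    # Assumption: any value other than "Off" is reported, including a missing one.
    if glimpse.get("defaultRuntimePolicy", "").lower() != "off":
        findings.append("policy-not-off")
    guarded = False
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == "glimpse.axd":
            auth = next(loc.iter("authorization"), None)
            rules = list(auth) if auth is not None else []
            guarded = guarded or not anonymous_allowed(rules)
    if not guarded:
        findings.append("axd-open-to-anonymous")
    return findings

if __name__ == "__main__":
    for name, text in (("GUARDED", GUARDED), ("OPEN", OPEN)):
        print(name, audit(text))
```

Run it against the config produced by the release transform rather than the source web.config, since the transform is what changes defaultRuntimePolicy.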
