问题
Where should the production and staging connection strings be stored in an ASP.NET Core application, when deploying into IIS 7 (not Azure) ?
I am looking for the recommended way of doing it / best-practice, especially security-wise.
回答1:
In ASP.NET 5 it's possible to specify multiple configuration sources. Thanks to this welcoming change to previous model you can store your development connection string in simple json file, and your staging and production connection string in environment variables directly on the respective servers.
If you configure your app like this :
var config = new Configuration()
.AddJsonFile("config.json")
.AddEnvironmentVariables();
and there is connection string in both config.json and environment variable then environment source will win.
So, store your development connection string in config.json(and freely check in in source control) and production one in environment variable. More info here and here.
回答2:
You want to use the user secrets API. See my example below (Based on ASP.NET 5 Beta 5):
ConfigurationBuilder configurationBuilder = new ConfigurationBuilder(
applicationEnvironment.ApplicationBasePath);
// This reads the configuration keys from the secret store. This allows you to store
// connection strings and other sensitive settings on your development environment, so you
// don't have to check them into your source control provider.
configurationBuilder.AddUserSecrets();
IConfiguration configuration = configurationBuilder.Build();
You also have to set the userSecretsId in project.json (See links below). This is a unique ID for your projects secrets and will be needed below when you create a new secret:
{
"webroot": "wwwroot",
"userSecretsId": "[Your User Secrets ID]",
"version": "1.0.0-*"
...
}
To add/remove/update your user secrets you need to install the secrets manager by running:
dnu commands install SecretManager
Then use the secrets manager to actually add/remove/update your settings:
Usage: user-secret [options] [command]
Options:
-?|-h|--help Show help information
-v|--verbose Verbose output
Commands:
set Sets the user secret to the specified value
help Show help information
remove Removes the specified user secret
list Lists all the application secrets
clear Deletes all the application secrets
Use "user-secret help [command]" for more information about a command.
See this and this documentation for more information.
I should also note that as of writing (ASP.NET 5 Beta 5), the user secrets are not encrypted! This will change later on.
来源:https://stackoverflow.com/questions/31426358/where-should-i-store-the-connection-string-for-the-production-environment-of-my