问题
I'm working on a project that when deployed will need to modify an existing Apache config. Currently the conf files are are not included in the github repository, I would like to add them which would let me make the changes required in the branch I'm working on.
The current maintainer and I are unsure if including these files is a security risk? What is considered best practice in this regard?
回答1:
What is better is to store an httpd.conf.tpl
template file with placeholder values in it.
That allows you to generate the right httpd.conf file locally, and to do so automatically on git clone
/git checkout
.
The generation script will:
- search the right values for any sensitive data from an external secure referential (like a vault)
- replace the placeholder value in
httpd.conf.tpl
to generate the righthttpd.conf
(that can be ignored by Git)
For that, do register (in a .gitattributes declaration) a content filter driver.
(image from "Customizing Git - Git Attributes", from "Pro Git book")
The smudge
script will generate (automatically, on git checkout
or git switch
) the actual httpd.conf
file as mentioned above.
Again, the generated actual httpd.conf
file remains ignored (by the .gitignore
).
See a complete example at "git smudge/clean filter between branches".
来源:https://stackoverflow.com/questions/64707428/is-it-bad-to-store-apache-conf-files-on-github