问题描述
我已经建立了SATIS私人作曲家数据包管理器。
赛帝是在packages.asc.company跑,我用的Apache2 HTTP基本身份验证保护的网站,可以通过输入HTTP基本认证证书在浏览器中打开它。
I have set up satis private composer packet manager.Satis is running on "packages.asc.company", I protected the site by apache2 http basic authentication and can open it in browser by entering http basic auth credentials.
现在我的问题:我如何传递作曲家凭据访问最好,最安全的方式SATIS网站例如运行时, 作曲家更新?
Now my question: How can I pass composer the credentials to access the satis site in the best and most secure manner when running e.g. "composer update"?
目前我只能注册一个用户,在Apache的htpasswd文件密码,并需要在一些地方通过其凭据可以从作曲家连接到SATIS。
Currently I registered only one user with a password in apache .htpasswd file and need to pass its credentials somewhere to be able to connect from composer to satis.
有两种情况下,我需要从连接:
There are two cases where I need to connect from:
1)从开发过程中的项目
1) From the project during development
2)从在持续集成过程詹金斯。
2) From jenkins during continuous integration process.
3)编辑:SSL
我试图使用OpenSSL现在,以确保登录时在我的Linux,这里的运行Apache,我创建了一个私钥和一个.crt文件的凭据(见:的。在我的Linux,我现在可以打开以https的SATIS包页,我甚至HTTP重定向到https,所有工作(即时通讯使用我自己的证书与OpenSSL的产生是因为它内部的应用程序,我并不需要一个信任的CA)。
I am trying to use openssl now to secure the credentials when logging in. On my linux, where the apache runs, I created a private key and a .crt file (see: Apache SSL . On my linux, I can now open the satis packages page with https, and I even redirect http to https, all working (Im using my own certificate generating with openssl because its an internal application and I don't need a trusted ca).
现在,当我从我的Linux虚拟机(在这里我编码)切换到我的Windows,并尝试运行作曲家更新,我得到以下错误信息:
(主机文件配置正确的)
Now, when I switch to my Windows from my Linux vm (here I am coding), and I try to run composer update, I get the following error message:(hosts file is configured correct)
[作曲\\下载\\ TransportException]
在的文件无法下载:SSL操作失败,code 1. OpenSSL的错误消息:
错误:14090086:SSL例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
无法启用加密
未能打开流:操作失败
[Composer\Downloader\TransportException] The "https://packages.asc.company/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed
我错过了什么?我是pretty新的SSL,但读了一整天关于现在信息,也无法得到它的工作。
What did I miss? I'm pretty new to ssl, but read the whole day now information about it and can't get it to work.
从 getcomposer SATIS网站,我有这个信息,但不知道如何使用它。
From getcomposer satis site, I have this information but don't know how to use it.
{
"repositories": [
{
"type": "composer",
"url": "https://example.org",
"options": {
"ssl": {
"local_cert": "/home/composer/.ssl/composer.pem"
}
}
}
]
}
问候。
推荐答案
作曲家将添加用户名进入赛帝网址工作。作品对我来说,我只是想避开无用默认在本地网络中包含口令的服务器。有一个只读的帐户,并用它。
Composer will work with adding user names into the Satis URL. Works for me, I just wanted to get around the useless default passworded server in the local network. There's a read only account, and I used it.
此外:在公司每个开发者都在信息服务器上的帐户,并没有在保护下载的ZIP文件,更安全多大用处。作曲家本身目前不支持任何code签署的方法或哈希值进行比较,所以没有办法知道,如果一个包已被篡改或者在那里储存或传输过程中。
Additionally: Every developer in the company has an account on the repository server, and there isn't much use in protecting downloaded ZIP files with even more security. Composer itself currently doesn't support any code signing methods or hash comparison, so there is no way to know if a package has been tampered with either where stored or during transmission.
根据文档,在URL不给凭证将使作曲问他们,或者你可以将它们添加到 auth.json 。在另一方面:在保存一个专用的文件听起来并不像最好的办法明文密码,并且不使用HTTPS传送他们更是雪上加霜。
According to the docs, not giving credentials in the URL will make Composer ask for them, or you can add them to auth.json. On the other hand: Saving clear text passwords in a dedicated file doesn't sound like the best idea, and transmitting them without using HTTPS is even worse.
您必须定义你想拥有什么样的安全性。什么是你想防止目标或威胁的情况?
You have to define what kind of security you want to have. What is the goal or the threat scenario you want to protect against?
这篇关于赛帝HTTP基本认证 - 传递凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!