Can someone explain what's benefits of environment variables in Node.js over regular config file?
In my project I have config.js files with DB details, AWS keys, etc. This file is added to .gitignore and never shared on repository, instead there is demo.config.js file with all required parameters filled with fake creditentials, so you can just copy it as config.js and fill it with correct details after fresh install.
This file is "required" in every file when I need credentials in my project and on my development machine this config file is configured with test server details and with actual production server details on production machine.
Lately I read everywhere that everyone should use environment variables to store credentials safely, but I don't see any benefit to doing so in my project.
I'm not saying it's bad and my approach is better, I just want to know what actual benefit (security or otherwise) will I get with environment variables over my setup?
For me it is more like a common standard than anything else. The way how you use config.js is practically the same as using environment variables. But instead of storing the configuration in environment variables, you store it in js file.
The main difference is how you read that config. All mainstream languages I know, will easily allow you to read from environment variables, there is really wide support for it. Reading from config files brings additional complexity as you need to know the structure of that file, how to parse etc. In some languages (maybe node.js) it is probably easy to read from js file, but in others it could be difficult task.
That's why using environment variables is just a common standard and language agnostic. You can even read it in bash scripts etc.
Edit: adding reference to The Twelve-Factor App, the Config section is particularly connected with above question:
https://www.12factor.net/config
One benefits i see when you are using docker for local development and kubernetes or any container orchestration for SIT/UAT etc where config setting is there . In local development we keep all env variable required and move the same on container based system
Related
I am using mongoose with MongoDB in a NodeJS application. Right now, in development, I have a configuration (.env) file which stores sensitive information my code needs to run. For example, the MongoDB password & URL, emails & passwords needed to email using the code, etc.
When I put it into production, it would obviously be wrong to upload this configuration file anywhere on the cloud, given the information in it. How can I make it so my production code, hosted somewhere such as Heroku, can access these needed variables without letting undue access to them?
Thanks in advance!
You are right, pushing your env file to production is pretty bad from a security perspective.
The way you would go with storing your environmental variables differs between cloud platforms, but essentially you should get a secure way of adding them through either an user interface or through terminal (You usually find these information easily by looking into your provider documentation).
To store them in a project deployed on Heroku, you will need to:
Log to Heroku
Open the newly deployed project
Head over the Settings tab
Find the section named Config Vars
Click on Reveal Vars
Add your variables in there
And you are good to go!
What is the difference between storing sensitive credentials in a credentials.js file as opposed to an .env file?
With module.exports you can write:
const KEY = require("./credentials.js");
Whereas with .env files you can write:
const KEY = process.env.KEY;
In both cases you accomplish the same goal of making some variable "global" and accessing it globally. Why do people use .env and dotenv instead of just using Node's built in module.exports system?
Environment variables are meant to be defined on the machine (system). The environment variables can be used on multiple application running on the same system.
Exported variables are only limited to the application you are running.
In your case: If you want to deploy your application on 3 servers (Dev, QA, Prod) but on with different credentials, it doesn't make sense to change the credentials every time when deployment. Even if you define credentials for every server it has to be static and if you want to change it, you must do changes in file and deploy the app again to reflect the changes. In case of environment variables, you just have to change it on the targeted system and restart the server, so there is no need to deploy the app again.
It becomes a mess to manage when there are changes in more than one environment variables. Also, environment variables are useful when it comes to integration with other services.
For security in environment variables, you can read this
When storing credentials:
There is risk of exposing credentials to version control system when stored in config file
It doesn't matter where credentials are stored, if the system is compromised
You can use a runtime configuration file. Find it here
I know that a good way to store data like db passwords, etc. is via environment variables, but setting environment variables manually for every server instance created is time consuming.
I'm planning to deploy my project to the cloud (using aws ebs or heroku).
where should I store my db password?
I think the .ebextensions file isn't a good option because it's tracked in vcs
Don't ever store secrets in source control. A common practice is to either put them in a secure file or in something like https://www.vaultproject.io/ then inject them (programmatically via a script or some other deployment/configuration tool) into the environment when you bring up your VM (or container or whatever).
My recommendation is to create a properties file which can be stored in the resources folder of your application and the code can access the resources. do not need environment variable. One property file can contain all db's userid and passwords. Deploy job based on url mapping in the properties file. For example, look at a spring hibernate example project which uses a property file. Or look at ant deploy scripts. Hope it helps.
When building an environment-specific Grails WAR file configurations from other environments are included in the WAR file as well. For example, all the database connections properties from the production environment are also included in a WAR file built for test. Even though the configuration is compiled to class files it's quite simple to extract sensitive data from there.
In order to improve security, I want to exclude unrelated environment configurations from a WAR file. Is there a way to strip this configuration automatically during the WAR build or do I have to externalize these configurations and deploy them separately?
I suppose if you could somehow analyse the bytecode and work out precisely which Config$_closure3$_closure12 corresponds to the bit you don't need then you might be able to replace it in the war with an empty closure, but it's probably more hassle than it's worth. There's certainly no easy way I'm aware of.
I would put the config for each env in a separate file. If you put the prod config in web-app/WEB-INF/classes/myapp-prod.groovy (still in an environments block) and the dev config in a file in the top directory, and say
grails.config.locations = ["classpath:myapp-prod.groovy", "file:myapp-dev.groovy"]
then only the prod configuration will end up in the war. Though it would be completely human readable, so it may be more secure to simply leave the prod config directly in Config.groovy (so it gets compiled) and just use the external to override for dev mode.
I want to create a development environment running Movable Type 5.
To create a separate development environment, it is necessary to copy and paste to reflect production.
How would I go about building a good environment?
There are many ways to build a development environment, and an experienced Movable Type developer would need to know more about your goals in order to make a good recommendation.
All of the following guidance assumes that Movable Type has been installed and is ready to run
on the development server.
Here are a few basic tips:
Although some of the key configuration details for a Movable Type instance are kept in mt-config.cgi, there are website-level and blog-level settings that are of equal importance that are kept in the underlying database.
Since most Movable Type 5 instances use MySQL as the database backend, it's possible to dump the entire contents of the Movable Type database using the mysqldump utility or a more visual tool like the Export function of phpMyAdmin. This produces a large text file with MySQL CREATE TABLE and INSERT statements.
Once the database is dumped to a file, the file can be moved to another server, modified, and reconstituted. One of the tasks we commonly perform at that point is to go through the database using an editor, the UNIX sed command, or some similar process, and perform global searches and replacements for the URLs and file system paths that are embedded in the database dump.
This is necessary in many cases because your production website may be http://www.mysite.com/, but your development environment may be http://dev.mysite.com/ or even http://localhost/. Similarly, the file system paths in production may be /var/www/mysite/htdocs/... while development may be /opt/local/apache2/htdocs/mysite/....
Once changes of this nature are made and the modified file is saved, the database is reconstituted on the development server by using a UNIX shell command like:
cat mysite.sql | mysql -u mt_user -p mt_password
Or by importing the database into another copy of phpMyAdmin.
Once all of this is done, the mt-config.cgi file from production needs to be copied into the Movable Type working directory and rewritten so that several important elements are changed:
CGIPath
StaticWebPath
Database
DBUser
DBPassword
DBHost
These Movable Type Configuration Directives are discussed in the online documentation.
All of the non-database assets have to be copied from production to development. Things like files containing jpeg, png, and gif images, files that have been placed in the production file system either manually, or using the Asset Manager. There may be other files that need to be copied from production, depending on how you use Movable Type.
Once all of this is done, and you are able to login to the Movable Type development server successfully, you will probably want to the websites and blogs to ensure that all of the content has been copied into development.
I hope these instructions are somewhat helpful to people needing to setup a development environment. I would be happy to get comments or edits if anyone thinks I left out anything significant.
By saying that you need a development environment for Movable Type, what exactly do you need to develop?
If you are developing a plugin? or theme? a website? content?
It is possible to assign a different mt-config.cgi file to each virtual server, and working on different database, for the same installation.
If you are developing a plugin, you will want to use the PluginSwitch directive so the developed plugin won't be loaded on the real website.
http://www.movabletype.org/documentation/installation/managing-multiple-instances-of.html
Eslar, you may like to consider also this documentation resource:
http://www.movabletype.org/documentation/mt41/rsync.html
Alternatively, you may like to consider:
http://www.cis.upenn.edu/~bcpierce/unison/
If you go with the 'rsync' solution described in the movable type documentation, you may like to check also these configuration directives mentioned there:
http://www.movabletype.org/documentation/appendices/config-directives/rsyncoptions.html
http://www.movabletype.org/documentation/appendices/config-directives/synctarget.html