I'm building a basic website with Node.js and I don't want anyone to be able to access my server-side source code (it contains the login credentials for the database). My main application is in a file called "app.js" in the root directory the application runs from. If I browse to mysite.com/app.js, the source file is served. Is there a way to forbid access to certain files with Node.js? The site is hosted on Microsoft Azure, if that makes a difference (my research seems to indicate that Microsoft and Apache handle this differently).
Answer 0 (score: 2)
Azure basically uses IIS to serve your Node.js application, so you need to add an IIS configuration file named web.config to the root folder of your application to restrict access to the server-side source code.
<?xml version="1.0" encoding="utf-8"?>
<!--
  This configuration file is required if iisnode is used to run node processes behind
  IIS or IIS Express. For more information, visit:
  https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config
-->
<configuration>
  <system.webServer>
    <!-- Visit http://blogs.msdn.com/b/windowsazure/archive/2013/11/14/introduction-to-websockets-on-windows-azure-web-sites.aspx for more information on WebSocket support -->
    <webSocket enabled="false" />
    <handlers>
      <!-- Indicates that the app.js file is a node.js site to be handled by the iisnode module -->
      <add name="iisnode" path="app.js" verb="*" modules="iisnode"/>
    </handlers>
    <rewrite>
      <rules>
        <!-- Do not interfere with requests for node-inspector debugging -->
        <rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
          <match url="^app.js\/debug[\/]?" />
        </rule>
        <!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
        <rule name="StaticContent">
          <action type="Rewrite" url="public{REQUEST_URI}"/>
        </rule>
        <!-- All other URLs are mapped to the node.js site entry point -->
        <rule name="DynamicContent">
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
          </conditions>
          <action type="Rewrite" url="app.js"/>
        </rule>
      </rules>
    </rewrite>
    <!-- bin directory has no special meaning in node.js and apps can be placed in it -->
    <security>
      <requestFiltering>
        <hiddenSegments>
          <remove segment="bin"/>
        </hiddenSegments>
      </requestFiltering>
    </security>
    <!-- Make sure error responses are left untouched -->
    <httpErrors existingResponse="PassThrough" />
    <!--
      You can control how Node is hosted within IIS using the following options:
        * watchedFiles: semi-colon separated list of files that will be watched for changes to restart the server
        * node_env: will be propagated to node as NODE_ENV environment variable
        * debuggingEnabled - controls whether the built-in debugger is enabled
      To debug your node.js application:
        * set the debuggingEnabled option to "true"
        * enable web sockets from the portal at https://manage.windowsazure.com/#Workspaces/WebsiteExtension/Website/aarontestnode/configure
        * browse to https://aarontestnode.azurewebsites.net/app.js/debug/
      See https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config for a full list of options
    -->
    <iisnode watchedFiles="web.config;*.js" debuggingEnabled="false" />
  </system.webServer>
</configuration>
Answer 1 (score: 0)
In App Service you can declare key-value pairs, including connection strings, in the "Application settings" blade. These are made available as environment variables to Java, Node, PHP and Python applications. That way they stay secure. https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-configure
Answer 2 (score: -1)
There are two issues here:
Both Apache and Nginx let you specify how static assets are served. Requests for static assets should be mapped to a specific assets folder, so a request for yourdomainname.com/myfile.js would map to /path/to/static/assets/myfile.js. Look through their documentation to see how to do this.
You need to keep your credential information (API keys, database passwords, etc.) outside the codebase. For that, you can use a .env file with the dotenv package