I am working on a Symfony 3 project that will ultimately run on a web server that is managed by someone else.
I would like to encrypt all of the passwords in the various Symfony configuration files.
Is there a supported way to do this?
I'm using the latest .NET Core (1.1) and EF Core to build my ASP.NET website and I also use ASP.NET Identity. I have already published my website to Azure hosting and everything is working as expected there (including on my Windows localhost). However, now I'm switching to my own Linux (CentOS 7) dedicated server with Apache, and I have the site working, but I get "Invalid Token" messages when trying to reset a password or confirm an email.
I have checked other questions like this and the solution was to encode/decode the URL which is sent via email, however I have done that already and it's still not working.
I also tried to copy the whole database from localhost to my server in case there was something with migrations on the Linux host, however that also did not help. All migrations are applied and other things that don't use Identity context also work.
After additional searching I have found that it might be a problem with different machine keys on the host and that the security stamp is not in sync, but I don't see how that could affect me, because I deploy a whole new version of my app to the server, and everything works on localhost as well as on Azure hosting. Also, this used to be the problem with ASP.NET MVC, not Core.
How can I even debug this issue? I have not seen anyone having this problem with the new EF Core and especially not on Linux host.
I deploy the site using the latest VS 17. I have set up Apache proxy as guided on the official .NET Core website: link
A .NET Core MVC application by default saves your authentication tokens encrypted in a cookie.
The seed/key for this encryption/decryption of the data is based on your machine key, which is different on every machine.
If you run multiple instances of your app (load balanced) this message/error will happen when your system tries to decrypt the session cookie created on the other machine.
On the other hand, if you still have cookie information in your browser and you start hosting the website on a different host, of course this new host won't be able to decrypt these already existing session cookies.
I know this because I had the same problem. You can find the source code of Session here: https://github.com/aspnet/Session/tree/dev/src/Microsoft.AspNetCore.Session
I tried this when .NET Core was not yet released and I ended up using this blog, but it is probably very outdated now.
I'd advise you to use an external session store instead of using the cookie as data storage. Read through their documentation on how to set that up: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state
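The "Invalid Token" symptom in the question comes from the same per-machine key material the answer above describes: ASP.NET Core Identity wraps its password-reset and e-mail-confirmation tokens with the Data Protection stack, and a host that cannot find the key ring that produced a token cannot unprotect it. When the process has no usable profile directory (common for a service account behind Apache), the key ring is kept only in memory and is regenerated on every start, so every deploy or restart invalidates outstanding tokens. The following is an added example, not code from the question or the answer, showing the configuration that pins the key ring to a fixed directory shared by every host, plus a small check that reproduces the failure mode; the directory path and application name are assumptions.

```csharp
// Added example: persist ASP.NET Core Data Protection keys outside the
// deployment directory so Identity tokens survive redeploys and host moves.
// Path and application name are assumptions, not values from the page.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            // Same name on every host; otherwise each host isolates its keys
            // even when they share a key directory.
            .SetApplicationName("MySite")
            // Key ring lives outside the published app directory, so a fresh
            // deploy (or a second host mounting the same directory) keeps
            // using the keys that protected tokens already sent by e-mail.
            .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/mysite/dp-keys"));

        // Identity, MVC and EF Core registrations follow as usual.
    }
}

// Diagnostic for the symptom: a payload protected under a key ring that the
// current process does not hold fails to unprotect with CryptographicException,
// which Identity reports as an invalid token. Feed it a token captured from a
// reset e-mail sent before the deploy to confirm whether the key ring changed.
public static class DataProtectionCheck
{
    public static bool CanUnprotect(IDataProtectionProvider provider,
                                    string purpose,
                                    string protectedPayload)
    {
        try
        {
            provider.CreateProtector(purpose).Unprotect(protectedPayload);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}
```

The key directory should be writable only by the service account running the site: whoever can read it can mint valid reset tokens and decrypt authentication cookies. On a single host this configuration alone fixes the deploy-then-"Invalid Token" cycle; on a farm the directory must be shared (or replaced by another shared key store) and the application name must match on every member.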
We have a site made up of several hundred ASP.NET 4 web apps. Currently our production config is specified in config transforms and resides along with the source code for each application. We deploy to staging and production environments using WebDeploy packages.
What are the options for securing the configuration?
I can think of the following:
encrypt the config files and build tool/s that use certs to decrypt in prod
store and deploy the configuration transform files separately
extend the system.configuration to read config from env. vars (easy for appSettings, more involved for custom config sections).
Is there a standard approach for this and perhaps some tools I am unaware of?
I want to encrypt the information in the loggingConfiguration section in web.config using the Enterprise Library configuration tool, to work on one server or on a web farm.
I used many ways but it didn't work.
I tried to encrypt the connection string and it worked fine.
Did you read this:
You can encrypt and decrypt the data in a configuration file's configuration sections. A configuration section contains the configuration information for an application block. The configuration tool allows you to select from the encryption providers that are included in the Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses DPAPI, and the RsaProtectedConfigurationProvider, which uses RSA.

If the encrypted configuration file is going to be on only a single server, you can use the DataProtectionConfigurationProvider. If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy for you to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.

To encrypt a configuration section: Open one of the configuration tools. Open an existing configuration file or create a new one. Click the name of the application block whose configuration information you want to encrypt. In the Properties pane, click ProtectionProvider. Select either DataProtectionConfigurationProvider or RsaProtectedConfigurationProvider.

All the settings for the providers, such as where keys are stored, are also in the Machine.config file. You cannot change this file with a configuration tool. Instead, you must modify the file using a text editor. To decrypt a configuration file, simply open it in the configuration tool. The file is automatically decrypted.
Does the web application project deployment package have the web.config file unencrypted?
What is the use of the package? Why do they say that in a web application project only one DLL is deployed, when the web.config file is still residing there with the connection string unencrypted?
Your question was not clear from the beginning. Dave answered correctly. The web.config is indeed unencrypted by default, regardless of the project type you use. You could encrypt it using the instructions given in this post or this post which explains how to encrypt and decrypt configuration sections.
Answering to "what is the difference between a web application project over a website project", this MSDN post describes thoroughly the differences between the two project types, including a summary.
I would suggest using a web application project. The most important benefits (in my opinion) when using a web application project are:
Building produces a DLL. This means that when you publish your application, there is no source code on the server. Be careful: this does not mean that your published code is encrypted. Anybody who has access to the server could see your code using a disassembler (like MSIL Disassembler). If you want to make reverse engineering harder, you could use an obfuscator like Confuser.
You make debugging easier as the project file contains references to other projects etc. You can also edit and continue while debugging.
You have more visual studio options available, regarding build/publish process. You could for example add prebuild/postbuild steps, using MSBuild or Team Build.
Hope I helped.
The web.config file is unencrypted by default, but you can encrypt sections of it if needed. See http://msdn.microsoft.com/library/dtkwfdky.aspx for more info.
I have an MVC2 .NET 4.0 app, hosted on TFS 2008 (soon to be TFS 2010) that uses connection strings in web.config to connect to a database on another server. I need to encrypt these connection strings.
As I understand it, I can use aspnet_regiis.exe to encrypt the connectionstring portion of the web.config file, but I have to do it on the deployment machine because the encryption uses the machine name to generate the encryption key.
Now, it seems to me that this represents a problem - every time I deploy my code to the dev server won't it overwrite the web.config file, and need to be re-encrypted? This sort of manual process seems kludgy.
Is my understanding about needing to re-encrypt after deployment correct?
If so, is there some way to automate this process? I don't want to forget this or get a new team member who doesn't know the process and have the connectionstring exposed to the world.
web.config files aren't typically part of a deployment (though Visual Studio 2010 supports configuration file transforms in web application deployment projects). I wouldn't expect that you should be overwriting the web.config when you deploy (because the web.config is where you would place those things that are specific to that machine/environment).
So, encrypt it once, and then don't overwrite it, would be my advice.
Since that isn't available in your situation, it is possible to specify a key when encrypting, so that you can share the encrypted file between machines. By default, the command to encrypt uses the DPAPI to encrypt the section (which is tied to the machine) but you can also use RSA for encryption. More info is available on MSDN in Specifying a Protected Configuration Provider.
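Both the Enterprise Library answer further up and the answer just above land on the same mechanism: the RsaProtectedConfigurationProvider encrypts a section with a key container that can be exported and imported on every farm member, and protection must be re-applied whenever a deploy writes a cleartext web.config. The following is an added example, not code from any of the answers or from the linked documentation, of a small console tool that does the re-encryption programmatically through System.Configuration and then fails the deployment step if any listed section is still cleartext, which removes the "someone forgot to run aspnet_regiis" risk raised in the question. The site root and the section names passed on the command line are assumptions about the deployment.

```csharp
// Added example: protect web.config sections with the RSA provider as a
// post-deploy step and verify that nothing was left in cleartext.
// The site path and section names on the command line are assumptions.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Provider registered in machine.config that uses an RSA key container;
    // the container can be exported and imported across a web farm.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Opens the web.config under siteRootDirectory by mapping that directory
    // as the site root "/", so no IIS metabase access is needed.
    public static Configuration OpenWebConfig(string siteRootDirectory)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(siteRootDirectory, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypts one section in place unless it is already protected and returns
    // whether it is protected afterwards. Running this after every deploy
    // simply re-encrypts the freshly written cleartext copy.
    public static bool ProtectSection(Configuration config, string sectionName, string providerName)
    {
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new InvalidOperationException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Deployment gate: names of the requested sections still stored as cleartext.
    public static List<string> UnprotectedSections(Configuration config, IEnumerable<string> sectionNames)
    {
        var cleartext = new List<string>();
        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section != null && !section.SectionInformation.IsProtected)
                cleartext.Add(name);
        }
        return cleartext;
    }

    // Usage (assumed paths): ConfigProtector.exe C:\inetpub\wwwroot\MySite connectionStrings appSettings
    public static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: ConfigProtector <site root> <section> [<section> ...]");
            return 2;
        }

        var sections = new List<string>(args).GetRange(1, args.Length - 1);

        Configuration config = OpenWebConfig(args[0]);
        foreach (string name in sections)
            Console.WriteLine("{0}: {1}", name,
                ProtectSection(config, name, RsaProvider) ? "protected" : "NOT protected");

        // Re-open from disk so the check reflects what was actually saved.
        List<string> left = UnprotectedSections(OpenWebConfig(args[0]), sections);
        if (left.Count > 0)
        {
            Console.Error.WriteLine("cleartext sections remain: " + string.Join(", ", left));
            return 1; // non-zero exit fails the deployment step
        }
        return 0;
    }
}
```

Application code needs no change: ConfigurationManager.ConnectionStrings decrypts a protected section transparently, provided the account the site runs under can read the RSA key container (aspnet_regiis -pa grants that access). For a farm, export the container once from the machine where the file was encrypted with aspnet_regiis -px and the -pri switch, then import it on each member with aspnet_regiis -pi, which is the "export the RSA private key ... and re-import" step the quoted documentation describes. The exit code makes the tool usable as a WebDeploy post-deployment command, so a cleartext connection string fails the deploy instead of going unnoticed.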