Hello All,
      The router has an attribute called password in the sslProfile entity.
In version 1.2, this attribute was deprecated in favor of the passwordFile
attribute where you specify the absolute path of the file containing the
password. It is good practice to not put the plain text password directly
in the router config file.

In the password field or in the file containing the password, you could add
prefixes like env: and literal: and follow it with an environment variable
containing the password or a literal password respectively.

To simplify all this, I am proposing that we deprecate the passwordFile
field and consolidate all password scenarios to use the password field. We
will use the password options that openssl
<https://www.openssl.org/docs/man1.1.1/man1/openssl.html> uses (see Pass
Phrase Options sections). Going forward, here are three ways to specify a
password in an sslProfile:

sslProfile {
      caCertFile: .....
      certFile: .....
      # Get the password from the environment variable TLS_SERVER_PASSWORD. Note the env: prefix
      password: env:TLS_SERVER_PASSWORD
         OR
      # Get the password from the absolute file path. Note the file: prefix
      password: file:/home/tls/password-file.txt
         OR
      # Specify the actual password. Note the pass: prefix
      password: pass:actual_password
}

While you can still specify the actual password in the password field using
the pass: prefix, which casual users might want to do, you are also able to
specify the file path or environment variable for more robust security.

This change will be backward compatible, which means you will still be able
to specify the actual password in the password field without the pass:
prefix. The passwordFile field will be deprecated and eventually removed
when we move to a major version.

Please let me know your thoughts.

Thanks.
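
Added example, not part of the original message and not the router's own code: a sketch of how the proposed password field could be resolved, including the backward-compatible bare value. The function names, the permission check on the password file and the sample values are assumptions made for illustration.

```python
import os
import stat
import tempfile


def resolve_password(spec, environ=None):
    """Resolve an sslProfile password value (hypothetical helper).

    Prefixes follow the proposal: env:, file:, pass:. A value with no
    recognised prefix is the legacy form and is used as the password."""
    environ = os.environ if environ is None else environ
    if spec.startswith("env:"):
        name = spec[len("env:"):]
        if name not in environ:
            raise ValueError(f"environment variable {name!r} is not set")
        return environ[name]
    if spec.startswith("file:"):
        path = spec[len("file:"):]
        if not os.path.isabs(path):
            raise ValueError("password file path must be absolute")
        # Assumption: refuse files accessible by group/other (POSIX modes).
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            raise PermissionError(f"{path} is accessible by group or others")
        with open(path, encoding="utf-8") as fh:
            # openssl's file: source takes the first line as the password.
            return fh.readline().rstrip("\r\n")
    if spec.startswith("pass:"):
        return spec[len("pass:"):]
    return spec  # legacy form: bare literal password


def demo():
    # Constructed sample values, not real credentials.
    # NamedTemporaryFile creates the file with mode 0600.
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("from-file-secret\nignored second line\n")
    try:
        return {
            "env": resolve_password("env:TLS_SERVER_PASSWORD",
                                    {"TLS_SERVER_PASSWORD": "from-env-secret"}),
            "file": resolve_password("file:" + fh.name),
            "pass": resolve_password("pass:actual_password"),
            "legacy": resolve_password("actual_password"),
        }
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print(demo())
```

Because a bare value is still accepted, a legacy literal password that happens to begin with env:, file: or pass: would be read as a prefixed value under this sketch.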
