Content-cache docs - sites secrets configuration

The sites_secrets config option lets secrets be referenced from the sites config option, so that the sites config can be shared widely while the secrets themselves are kept separate. It is a YAML-formatted dictionary of secrets/keys that can then be referenced in the sites config option.

As an example, we could specify the following in sites_secrets (which could be shared only with those deploying a production instance):

site1.local:
  locations:
    "/":
      backend-path: /my-backend-path-secret/
      origin-headers:
        X-Origin-Key: my-origin-secret-key
      signed-url-hmac-key: my-signed-url-secret-key

And then in our sites config option we could specify the following (which could be shared with anyone):

site1.local:
  locations:
    "/":
      backend-path: ${secret}
      backends:
        - 127.0.0.10:80
      origin-headers:
        X-Origin-Key: ${secret}
      signed-url-hmac-key: ${secret}

This would lead to a rendered sites configuration as follows:

site1.local:
  locations:
    "/":
      backend-path: /my-backend-path-secret/
      backends:
        - 127.0.0.10:80
      origin-headers:
        X-Origin-Key: my-origin-secret-key
      signed-url-hmac-key: my-signed-url-secret-key

Secrets can be specified for any option within a “locations” sub-path as required.
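
An added sketch (not the charm's own code) of the substitution shown above, in Python with plain dicts standing in for the parsed YAML: each ${secret} under "locations" is replaced by the value at the same path in sites_secrets. The function names and the choice to raise when a secret is missing, rather than render a literal placeholder, are assumptions.

```python
PLACEHOLDER = "${secret}"

def _resolve(value, secret, path):
    """Walk a sites subtree and the matching sites_secrets subtree in parallel."""
    if isinstance(value, dict):
        sub = secret if isinstance(secret, dict) else {}
        return {k: _resolve(v, sub.get(k), path + [k]) for k, v in value.items()}
    if value == PLACEHOLDER:
        # Assumption: fail closed so "${secret}" never reaches the rendered config.
        if secret is None or isinstance(secret, dict):
            raise KeyError("no secret for " + " -> ".join(path))
        return secret
    return value  # non-secret options (e.g. the backends list) pass through

def render_sites(sites, sites_secrets):
    """Return a new sites mapping with every ${secret} under "locations" filled in."""
    rendered = {}
    for site, conf in sites.items():
        conf = dict(conf)  # shallow copy so the shareable input is not modified
        secrets = (sites_secrets.get(site) or {}).get("locations") or {}
        conf["locations"] = {
            loc: _resolve(opts, secrets.get(loc), [site, "locations", loc])
            for loc, opts in (conf.get("locations") or {}).items()
        }
        rendered[site] = conf
    return rendered

# Constructed sample data mirroring the YAML on this page.
SITES = {"site1.local": {"locations": {"/": {
    "backend-path": "${secret}",
    "backends": ["127.0.0.10:80"],
    "origin-headers": {"X-Origin-Key": "${secret}"},
    "signed-url-hmac-key": "${secret}",
}}}}
SECRETS = {"site1.local": {"locations": {"/": {
    "backend-path": "/my-backend-path-secret/",
    "origin-headers": {"X-Origin-Key": "my-origin-secret-key"},
    "signed-url-hmac-key": "my-signed-url-secret-key",
}}}}

if __name__ == "__main__":
    print(render_sites(SITES, SECRETS))
```

Running the same function with an empty sites_secrets raises KeyError naming the first unresolved path, which is a convenient pre-deploy check that the shareable config and the secrets file still line up.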