cloudflare-rails 0.4.0 → 0.5.0
- checksums.yaml +4 -4
- data/.circleci/config.yml +4 -17
- data/.gitignore +1 -0
- data/.rspec +3 -1
- data/README.md +7 -2
- data/Rakefile +13 -1
- data/cloudflare-rails.gemspec +6 -5
- data/lib/cloudflare/rails/railtie.rb +8 -1
- data/lib/cloudflare/rails/version.rb +1 -1
- metadata +39 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 947c819ded7dcefcfabf3ce7d6b81dd24d55e39dfbe710b4135b796b44a37f04
|
4
|
+
data.tar.gz: f893a0c8a4d9bcc50f4008414a48cbf8d3180bb99d000a9b47dd800ba63c28b8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 74931a1f34f4501b5935d749d7965a3b3d95f1448d9869143674f14898cb4cc4616354ae350d1f81a0476682a6b6195a80115e9977bb39bf66d57ca06b0ec3bc
|
7
|
+
data.tar.gz: 7d8bd03f0cf4d724159261fab46fe0054f1b57ea0036071abc62e0de8c1e0ce04a44101d4b8e3730a512329795ecad6195996dd1d2e75a48bd8aff3b56763679
|
data/.circleci/config.yml
CHANGED
@@ -7,12 +7,7 @@ jobs:
|
|
7
7
|
build:
|
8
8
|
docker:
|
9
9
|
# specify the version you desire here
|
10
|
-
|
11
|
-
|
12
|
-
# Specify service dependencies here if necessary
|
13
|
-
# CircleCI maintains a library of pre-built images
|
14
|
-
# documented at https://circleci.com/docs/2.0/circleci-images/
|
15
|
-
# - image: circleci/postgres:9.4
|
10
|
+
- image: circleci/ruby:2.6.3
|
16
11
|
|
17
12
|
working_directory: ~/repo
|
18
13
|
|
@@ -40,18 +35,10 @@ jobs:
|
|
40
35
|
- run:
|
41
36
|
name: run tests
|
42
37
|
command: |
|
43
|
-
|
44
|
-
TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | circleci tests split --split-by=timings)"
|
45
|
-
|
46
|
-
bundle exec rspec --format progress \
|
47
|
-
--format RspecJunitFormatter \
|
48
|
-
--out /tmp/test-results/rspec.xml \
|
49
|
-
--format progress \
|
50
|
-
$TEST_FILES
|
51
|
-
|
38
|
+
bundle exec rake
|
52
39
|
# collect reports
|
53
40
|
- store_test_results:
|
54
|
-
path:
|
41
|
+
path: tmp/rspec
|
55
42
|
- store_artifacts:
|
56
|
-
path:
|
43
|
+
path: tmp/rspec
|
57
44
|
destination: test-results
|
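Review bot: The `store_test_results` and `store_artifacts` paths now point at `tmp/rspec`, but nothing left in this hunk writes there: the `--format RspecJunitFormatter --out /tmp/test-results/rspec.xml` options were dropped from the test command and replaced by a bare `bundle exec rake`. Presumably the `.rspec` change in this release (+3 −1, not shown) now supplies the junit formatter and its output path; if it does not, CircleCI will silently collect no test results. CI is also pinned to a single image, `circleci/ruby:2.6.3`, while the gemspec still declares `spec.required_ruby_version = '>= 2.0'`, so the `Module#prepend` path is only exercised on one Ruby. A one-line comment above the `run tests` step would keep the two places in sync: `# junit output location is configured in .rspec; keep it equal to the store_* paths below`.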
data/.gitignore
CHANGED
data/.rspec
CHANGED
data/README.md
CHANGED
@@ -23,9 +23,14 @@ And then execute:
|
|
23
23
|
|
24
24
|
$ bundle
|
25
25
|
|
26
|
-
##
|
26
|
+
## Problem
|
27
|
+
|
28
|
+
Using Cloudflare means it's hard to identify the IP address of incoming requests since all requests are proxied through Cloudflare's infrastructure. Cloudflare provides a [CF-Connecting-IP](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) header which can be used to identify the originating IP address of a request. However, this header alone doesn't verify a request is legitimate. If an attacker has found the actual IP address of your server they could spoof this header and masquerade as legitimate traffic.
|
27
29
|
|
28
|
-
|
30
|
+
`cloudflare-rails` mitigates this attack by checking that the originating ip address of any incoming connecting is from one of Cloudflare's ip address ranges. If so, the incoming `X-Forwarded-For` header is trusted and used as the ip address provided to `rack` and `rails` (via `request.ip` and `request.remote_ip`). If the incoming connection does not originate from a Cloudflare server then the `X-Forwarded-For` header is ignored and the actual remote ip address is used.
|
31
|
+
|
32
|
+
## Usage
|
33
|
+
This code will fetch CloudFlare's current [IPv4](https://www.cloudflare.com/ips-v4) and [IPv6](https://www.cloudflare.com/ips-v6) lists, store them in `Rails.cache`, and add them to `config.cloudflare.ips`. The `X-Forwarded-For` header will then be trusted only from those ip addresses.
|
29
34
|
|
30
35
|
You can configure the HTTP `timeout` and `expires_in` cache parameters inside of your rails config:
|
31
36
|
```
|
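--- a/data/Rakefile
+++ b/data/Rakefile
@@ -3,4 +3,16 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :
+task :without_rack_attack do
+ENV.delete 'RACK_ATTACK'
+Rake::Task["spec"].reenable
+Rake::Task["spec"].invoke
+end
+
+task :with_rack_attack do
+ENV['RACK_ATTACK'] = '1'
+Rake::Task["spec"].reenable
+Rake::Task["spec"].invoke
+end
+
+task :default => [:without_rack_attack, :with_rack_attack]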
data/cloudflare-rails.gemspec
CHANGED
@@ -23,15 +23,16 @@ Gem::Specification.new do |spec|
|
|
23
23
|
spec.add_development_dependency "bundler", "~> 1.10"
|
24
24
|
spec.add_development_dependency "rake", "~> 12.3.1"
|
25
25
|
spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
|
26
|
-
spec.add_development_dependency "rspec-rails", "~> 3.
|
27
|
-
spec.add_development_dependency "rspec", "~> 3.
|
28
|
-
spec.add_development_dependency "rubocop-airbnb", "~>
|
29
|
-
spec.add_development_dependency "webmock", "~> 3.
|
26
|
+
spec.add_development_dependency "rspec-rails", "~> 3.8.2"
|
27
|
+
spec.add_development_dependency "rspec", "~> 3.8.0"
|
28
|
+
spec.add_development_dependency "rubocop-airbnb", "~> 2.0.0"
|
29
|
+
spec.add_development_dependency "webmock", "~> 3.6.0"
|
30
|
+
spec.add_development_dependency "rack-attack", "~> 6.1.0"
|
31
|
+
spec.add_development_dependency "pry-byebug"
|
30
32
|
|
31
33
|
spec.add_dependency "httparty"
|
32
34
|
spec.add_dependency "rails", "~> 5.0"
|
33
35
|
|
34
|
-
|
35
36
|
# we need Module#prepend
|
36
37
|
spec.required_ruby_version = '>= 2.0'
|
37
38
|
end
|
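Review bot: `pry-byebug` is the only development dependency added without a version constraint (the metadata section confirms it resolves to `>= 0`), while every neighbouring entry, including the new `rack-attack "~> 6.1.0"`, is pinned; for reproducible test runs pin it the same way, e.g. `spec.add_development_dependency "pry-byebug", "~> <version>"`. The `bundler "~> 1.10"` constraint is kept unchanged while CI now runs on `circleci/ruby:2.6.3`, which ships a Bundler 2 line; whether that combination resolves cleanly is not visible here and is worth checking before release.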
@@ -13,6 +13,13 @@ module Cloudflare
|
|
13
13
|
|
14
14
|
Rack::Request::Helpers.prepend CheckTrustedProxies
|
15
15
|
|
16
|
+
# rack-attack Rack::Request before the above is run, so if rack-attack is loaded we need to
|
17
|
+
# prepend our module there as well, see:
|
18
|
+
# https://github.com/kickstarter/rack-attack/blob/4fc4d79c9d2697ec21263109af23f11ea93a23ce/lib/rack/attack/request.rb
|
19
|
+
if defined? Rack::Attack::Request
|
20
|
+
Rack::Attack::Request.prepend CheckTrustedProxies
|
21
|
+
end
|
22
|
+
|
16
23
|
# patch ActionDispatch::RemoteIP to use our cloudflare ips - this way
|
17
24
|
# request.remote_ip is correct inside of rails
|
18
25
|
module RemoteIpProxies
|
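Review bot: The `if defined? Rack::Attack::Request` guard makes the rack-attack patch load-order dependent: if rack-attack is required after this initializer has run (for example from a `config/initializers` file), the constant does not exist yet, the prepend is skipped silently, and rack-attack's own request object keeps the unpatched ip logic — so throttles and safelists keyed on ip would see either the Cloudflare edge address or an unverified forwarded address, depending on rack-attack internals not visible here. At minimum log the skipped case, or state the ordering requirement in the README, so the silent fallback is discoverable. The comment on the first added line is also missing its verb; suggest `# rack-attack defines Rack::Attack::Request (its own Rack::Request subclass, per the link below) before the prepend above takes effect, so if rack-attack is already loaded we need to prepend our module there as well, see:`. The enclosing initializer block starts before and continues after this hunk; the second hunk's `rescue StandardError => e` is a pure style change and needs nothing.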
@@ -81,7 +88,7 @@ module Cloudflare
|
|
81
88
|
::Rails.application.config.cloudflare.ips += Importer.fetch_with_cache(type)
|
82
89
|
rescue Importer::ResponseError => e
|
83
90
|
::Rails.logger.error "Cloudflare::Rails: Couldn't import #{type} blocks from CloudFlare: #{e.response}"
|
84
|
-
rescue => e
|
91
|
+
rescue StandardError => e
|
85
92
|
::Rails.logger.error "Cloudflare::Rails: Got exception: #{e} for type:#{type}"
|
86
93
|
end
|
87
94
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cloudflare-rails
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- jonathan schatz
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-08-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -58,56 +58,84 @@ dependencies:
|
|
58
58
|
requirements:
|
59
59
|
- - "~>"
|
60
60
|
- !ruby/object:Gem::Version
|
61
|
-
version: 3.
|
61
|
+
version: 3.8.2
|
62
62
|
type: :development
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
66
|
- - "~>"
|
67
67
|
- !ruby/object:Gem::Version
|
68
|
-
version: 3.
|
68
|
+
version: 3.8.2
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: rspec
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
73
|
- - "~>"
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version: 3.
|
75
|
+
version: 3.8.0
|
76
76
|
type: :development
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version: 3.
|
82
|
+
version: 3.8.0
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: rubocop-airbnb
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
86
86
|
requirements:
|
87
87
|
- - "~>"
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version:
|
89
|
+
version: 2.0.0
|
90
90
|
type: :development
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - "~>"
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version:
|
96
|
+
version: 2.0.0
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: webmock
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
100
100
|
requirements:
|
101
101
|
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
|
-
version: 3.
|
103
|
+
version: 3.6.0
|
104
104
|
type: :development
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
108
|
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
|
-
version: 3.
|
110
|
+
version: 3.6.0
|
111
|
+
- !ruby/object:Gem::Dependency
|
112
|
+
name: rack-attack
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
115
|
+
- - "~>"
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: 6.1.0
|
118
|
+
type: :development
|
119
|
+
prerelease: false
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - "~>"
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: 6.1.0
|
125
|
+
- !ruby/object:Gem::Dependency
|
126
|
+
name: pry-byebug
|
127
|
+
requirement: !ruby/object:Gem::Requirement
|
128
|
+
requirements:
|
129
|
+
- - ">="
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
version: '0'
|
132
|
+
type: :development
|
133
|
+
prerelease: false
|
134
|
+
version_requirements: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - ">="
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '0'
|
111
139
|
- !ruby/object:Gem::Dependency
|
112
140
|
name: httparty
|
113
141
|
requirement: !ruby/object:Gem::Requirement
|
@@ -179,8 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
179
207
|
- !ruby/object:Gem::Version
|
180
208
|
version: '0'
|
181
209
|
requirements: []
|
182
|
-
|
183
|
-
rubygems_version: 2.7.6
|
210
|
+
rubygems_version: 3.0.4
|
184
211
|
signing_key:
|
185
212
|
specification_version: 4
|
186
213
|
summary: This gem configures Rails for CloudFlare so that request.ip and request.remote_ip
|