RubyGems - rack-cloudflare - Versions diffs - 0.1.0 → 1.0.0 - Mend

rack-cloudflare 0.1.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/.gitignore +2 -0
data/.rubocop.yml +43 -0
data/Gemfile +2 -0
data/README.md +116 -7
data/Rakefile +26 -1
data/data/ips_v4.txt +14 -0
data/data/ips_v6.txt +6 -0
data/lib/rack/cloudflare.rb +17 -4
data/lib/rack/cloudflare/countries.rb +268 -0
data/lib/rack/cloudflare/headers.rb +131 -0
data/lib/rack/cloudflare/ips.rb +46 -0
data/lib/rack/cloudflare/middleware/access_control.rb +34 -0
data/lib/rack/cloudflare/middleware/rewrite_headers.rb +23 -0
data/lib/rack/cloudflare/version.rb +4 -2
data/rack-cloudflare-0.1.0.gem +0 -0
data/rack-cloudflare.gemspec +4 -0
metadata +39 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d361e00dd386a7ee04f14083033478613234cf3595d3fcd2305293dda78f43d2
-  data.tar.gz: 2d51e3ee954d38f99db080f28d82206a6d3156b1f8de7f1a4dd8e44328979c16
+  metadata.gz: 6c8a5b0439022d396fd56721e79b97a96c4cf830b0e37c27a4a9f6f2db2f8bd0
+  data.tar.gz: d3866b5cfcce96211b25ae277b5e5280f3f38e0eb5f78d291c23d2a08cf84715
 SHA512:
-  metadata.gz: '0318856bf3ad9182b7a22de5a5cb14a8b79ae55c7cb40c68329ba044820a1dcd69b3103ae47b6f4ac727a0f90e405d810a0d61c8b523e41a0b74170791cc300d'
-  data.tar.gz: 3d871d3ad152afed37a1ca788602e570f601e25d301d73a9c141cfc12464988b080972a935e4f51b5620c6ea710a471f9f57de975285768980b24e56c5d5df6e
+  metadata.gz: 8ea482f40489690a5f368f0e21a9aad7fbc59dc76517b351b635ff53064ac8a1339ecc4c3129047967d5bdbafa259aa11a4b79314ea52ebe78b63d3bf031e9f4
+  data.tar.gz: 40709bddc477ccd842dd50318827c4af50bbc7cf5a0b8ee58304e0e0d0d736b5fdd04b8b6f81692eb45f82b9a04492c4cb63001e6089490ab8e1cb8ee217b2a4

data/.gitignore CHANGED Viewed

@@ -9,3 +9,5 @@
 # rspec failure tracking
 .rspec_status
+Gemfile.lock

data/.rubocop.yml ADDED Viewed

@@ -0,0 +1,43 @@
+AllCops:
+  TargetRubyVersion: 2.5.1
+  # Rails: true
+  # Include:
+  #   - '**/Rakefile'
+  #   - '**/config.ru'
+  Exclude:
+    - 'doc/**/*'
+    - 'tmp/**/*'
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'test/**/*'
+    - 'config/**/*'
+    - 'script/**/*'
+    - 'vendor/**/*'
+    - 'spec/**/*'
+    - !ruby/regexp /old_and_unused\.rb$/
+# Style/WhileUntilModifier:
+#   MaxLineLength: 160
+# Style/IfUnlessModifier:
+#   MaxLineLength: 160
+Metrics/LineLength:
+  Max: 160
+Metrics/AbcSize:
+  Max: 120
+Metrics/MethodLength:
+  CountComments: false  # count full line comments?
+  Max: 120
+NumericPredicate:
+  EnforcedStyle: comparison
+Style/Documentation:
+  Enabled: false
+Metrics/ModuleLength:
+  Exclude:
+    - 'lib/rack/cloudflare/countries.rb'

data/Gemfile CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 source 'https://rubygems.org'
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }

data/README.md CHANGED Viewed

@@ -1,8 +1,6 @@
 # Rack::Cloudflare
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/rack/cloudflare`. To experiment with that code, run `bin/console` for an interactive prompt.
-TODO: Delete this and the text above, and describe your gem
+Deal with Cloudflare features in your Ruby app using Rack middleware. Also provides a Ruby toolkit to deal with Cloudflare in other contexts if you'd like.
 ## Installation
@@ -22,13 +20,124 @@ Or install it yourself as:
 ## Usage
-TODO: Write usage instructions here
+### Whitelist Cloudflare IP addresses
+You can block access to non-Cloudflare networks using `Rack::Cloudflare::Middleware::AccessControl`.
+    require 'rack/cloudflare'
+    # In config.ru
+    use Rack::Cloudflare::Middleware::AccessControl
+    # In Rails config/application.rb
+    config.middleware.use Rack::Cloudflare::Middleware::AccessControl
+    # Configure custom blocked message (defaults to "Forbidden")
+    Rack::Cloudflare::Middleware::AccessControl.blocked_message = "You don't belong here..."
+    # Fully customize the Rack response (such as making it a redirect)
+    Rack::Cloudflare::Middleware::AccessControl.blocked_response = lambda do |_env|
+      [301, { 'Location' => 'https://somewhere.else.xyz' }, ["Redirecting...\n"]]
+    end
+Alternatively, using [`Rack::Attack`](https://github.com/kickstarter/rack-attack) you can easily add a "safelist" rule.
+    Rack::Attack.safelist('Only allow requests through the Cloudflare network') do |request|
+      Rack::Cloudflare::Headers.trusted?(request.env)
+    end
+Utilizing the `trusted?` helper method, you can implement a similar check using other middleware.
+See _Toolkits: Detect Cloudflare Requests_ for alternative uses.
+### Rewrite Cloudflare Remote/Client IP address
+You can set `REMOTE_ADDR` to the correct remote IP using `Rack::Cloudflare::Middleware::RewriteHeaders`.
+    require 'rack/cloudflare'
+    # In config.ru
+    use Rack::Cloudflare::Middleware::RewriteHeaders
+    # In Rails config/application.rb
+    config.middleware.use Rack::Cloudflare::Middleware::RewriteHeaders
+You can customize whether rewritten headers should be backed up and what names to use.
+    # Toggle header backups
+    Rack::Cloudflare::Headers.backup = false
+    # Rename backed up headers (defaults: "ORIGINAL_REMOTE_ADDR", "ORIGINAL_FORWARDED_FOR")
+    Rack::Cloudflare::Headers.original_remote_addr   = 'BACKUP_REMOTE_ADDR'
+    Rack::Cloudflare::Headers.original_forwarded_for = 'BACKUP_FORWARDED_FOR'
+See _Toolkits: Rewrite Headers_ for alternative uses.
+### Logging
+You can enable logging to see what requests are blocked or headers are rewritten.
+    Rack::Cloudflare.logger = Logger.new(STDOUT)
+Log levels used are INFO, DEBUG and WARN.
+## Toolkits
+### Detect Cloudflare Requests
+You can very easily check your HTTP headers to see if the request came from a Cloudflare network.
+    # Your headers are in a `Hash` format
+    # e.g. { 'REMOTE_ADDR' => '0.0.0.0', ... }
+    # Verifies the remote address
+    Rack::Cloudflare::Headers.trusted?(headers)
+Note that we can only trust the `REMOTE_ADDR` header to verify a request came from Cloudflare.
+The `HTTP_X_FORWARDED_FOR` header can be modified and therefore not trusted.
+Make sure your web server does not modify `REMOTE_ADDR` because it could cause security holes.
+Read this article, for example: [Anatomy of an Attack: How I Hacked StackOverflow](https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html)
+### Rewrite Headers
+We can easily rewrite `REMOTE_ADDR` and add `HTTP_X_FORWARDED_FOR` based on verifying the request comes from a Cloudflare network.
+    # Get a list of headers relevant to Cloudflare (unmodified)
+    headers = Rack::Cloudflare::Headers.new(headers).target_headers
+    # Get a list of headers that will be rewritten (modified)
+    headers = Rack::Cloudflare::Headers.new(headers).rewritten_headers
+    # Get a list of headers relevant to Cloudflare with rewritten values
+    headers = Rack::Cloudflare::Headers.new(headers).rewritten_target_headers
+    # Update original headers with rewritten ones
+    headers = Rack::Cloudflare::Headers.new(headers).rewrite
+### Up-to-date Cloudflare IP addresses
+Cloudflare provides a [list of IP addresses](https://www.cloudflare.com/ips/) that are important to keep up-to-date.
+A copy of the IPs are kept in [/data](./data/). The list is converted to a `IPAddr` list and is accessible as:
+    # Configurable list of IPs
+    # Defaults to Rack::Cloudflare::IPs::DEFAULTS
+    Rack::Cloudflare::IPs.list
+The list can be updated to Cloudflare's latest published IP lists in-memory:
+    # Fetches Rack::Cloudflare::IPs::V4_URL and Rack::Cloudflare::IPs::V6_URL
+    Rack::Cloudflare::IPs.refresh!
+    # Updates cached list in-memory
+    Rack::Cloudflare::IPs.list
-## Development
+## Credits
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+Inspired by:
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+* https://github.com/tatey/rack-cloudflare
+* https://github.com/rikas/cloudflare_localizable
 ## Contributing

data/Rakefile CHANGED Viewed

@@ -1,6 +1,31 @@
+# frozen_string_literal: true
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'rubycritic/rake_task'
+RuboCop::RakeTask.new do |task|
+  task.requires << 'rubocop-rspec'
+end
+RubyCritic::RakeTask.new do |task|
+  # # Name of RubyCritic task. Defaults to :rubycritic.
+  # task.name    = 'something_special'
+  # # Glob pattern to match source files. Defaults to FileList['.'].
+  task.paths = FileList['apps/**/*.rb', 'lib/**/*.rb']
+  # # You can pass all the options here in that are shown by "rubycritic -h" except for
+  # # "-p / --path" since that is set separately. Defaults to ''.
+  # task.options = '--mode-ci --format json'
+  # # task.options = '--no-browser'
+  # # Defaults to false
+  task.verbose = true
+end
 RSpec::Core::RakeTask.new(:spec)
-task default: :spec
+# task default: %w[rubocop:auto_correct rubycritic spec]
+task default: %w[rubocop:auto_correct spec]

data/data/ips_v4.txt ADDED Viewed

@@ -0,0 +1,14 @@
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+104.16.0.0/12
+108.162.192.0/18
+131.0.72.0/22
+141.101.64.0/18
+162.158.0.0/15
+172.64.0.0/13
+173.245.48.0/20
+188.114.96.0/20
+190.93.240.0/20
+197.234.240.0/22
+198.41.128.0/17

data/data/ips_v6.txt ADDED Viewed

@@ -0,0 +1,6 @@
+2400:cb00::/32
+2405:b500::/32
+2606:4700::/32
+2803:f800::/32
+2c0f:f248::/32
+2a06:98c0::/29

data/lib/rack/cloudflare.rb CHANGED Viewed

@@ -1,8 +1,21 @@
-require 'rack/cloudflare/version'
+# frozen_string_literal: true
+require_relative 'cloudflare/version'
+require_relative 'cloudflare/countries'
+require_relative 'cloudflare/ips'
+require_relative 'cloudflare/headers'
+require_relative 'cloudflare/middleware/access_control'
+require_relative 'cloudflare/middleware/rewrite_headers'
 module Rack
-  # Documentation goes here...
-  module Cloudflare
-    # Your code goes here...
+  class Cloudflare
+    class << self
+      attr_accessor :logger
+      %i[info debug warn error].each do |m|
+        define_method(m) { |*args| logger&.__send__(m, *args) }
+      end
+    end
   end
 end

data/lib/rack/cloudflare/countries.rb ADDED Viewed

@@ -0,0 +1,268 @@
+# frozen_string_literal: true
+module Rack
+  class Cloudflare
+    module Countries
+      def self.[](abbr)
+        LIST.fetch(abbr, UNKNOWN)
+      end
+      DEFAULT = 'XX'
+      UNKNOWN = 'Unknown'
+      LIST = {
+        DEFAULT => UNKNOWN,
+        'AD' => 'Andorra',
+        'AE' => 'United Arab Emirates',
+        'AF' => 'Afghanistan',
+        'AG' => 'Antigua and Barbuda',
+        'AI' => 'Anguilla',
+        'AL' => 'Albania',
+        'AM' => 'Armenia',
+        'AO' => 'Angola',
+        'AQ' => 'Antarctica',
+        'AR' => 'Argentina',
+        'AS' => 'American Samoa',
+        'AT' => 'Austria',
+        'AU' => 'Australia',
+        'AW' => 'Aruba',
+        'AX' => 'Aland Islands',
+        'AZ' => 'Azerbaijan',
+        'BA' => 'Bosnia and Herzegovina',
+        'BB' => 'Barbados',
+        'BD' => 'Bangladesh',
+        'BE' => 'Belgium',
+        'BF' => 'Burkina Faso',
+        'BG' => 'Bulgaria',
+        'BH' => 'Bahrain',
+        'BI' => 'Burundi',
+        'BJ' => 'Benin',
+        'BL' => 'Saint Barthélemy',
+        'BM' => 'Bermuda',
+        'BN' => 'Brunei',
+        'BO' => 'Bolivia',
+        'BQ' => 'Caribbean Netherlands',
+        'BR' => 'Brazil',
+        'BS' => 'The Bahamas',
+        'BT' => 'Bhutan',
+        'BV' => 'Bouvet Island',
+        'BW' => 'Botswana',
+        'BY' => 'Belarus',
+        'BZ' => 'Belize',
+        'CA' => 'Canada',
+        'CC' => 'Cocos (Keeling) Islands',
+        'CD' => 'Democratic Republic of the Congo',
+        'CF' => 'Central African Republic',
+        'CG' => 'Republic of the Congo',
+        'CH' => 'Switzerland',
+        'CI' => "Cote d'Ivoire",
+        'CK' => 'Cook Islands',
+        'CL' => 'Chile',
+        'CM' => 'Cameroon',
+        'CN' => 'China',
+        'CO' => 'Colombia',
+        'CR' => 'Costa Rica',
+        'CU' => 'Cuba',
+        'CV' => 'Cape Verde',
+        'CW' => 'Curaçao',
+        'CX' => 'Christmas Island',
+        'CY' => 'Cyprus',
+        'CZ' => 'Czech Republic',
+        'DE' => 'Germany',
+        'DJ' => 'Djibouti',
+        'DK' => 'Denmark',
+        'DM' => 'Dominica',
+        'DO' => 'Dominican Republic',
+        'DZ' => 'Algeria',
+        'EC' => 'Ecuador',
+        'EE' => 'Estonia',
+        'EG' => 'Egypt',
+        'EH' => 'Western Sahara',
+        'ER' => 'Eritrea',
+        'ES' => 'Spain',
+        'ET' => 'Ethiopia',
+        'FI' => 'Finland',
+        'FJ' => 'Fiji',
+        'FK' => 'Falkland Islands',
+        'FM' => 'Federated States of Micronesia',
+        'FO' => 'Faroe Islands',
+        'FR' => 'France',
+        'GA' => 'Gabon',
+        'GB' => 'United Kingdom',
+        'GD' => 'Grenada',
+        'GE' => 'Georgia',
+        'GF' => 'French Guiana',
+        'GG' => 'Guernsey',
+        'GH' => 'Ghana',
+        'GI' => 'Gibraltar',
+        'GL' => 'Greenland',
+        'GM' => 'The Gambia',
+        'GN' => 'Guinea',
+        'GP' => 'Guadeloupe',
+        'GQ' => 'Equatorial Guinea',
+        'GR' => 'Greece',
+        'GS' => 'South Georgia and the South Sandwich Islands',
+        'GT' => 'Guatemala',
+        'GU' => 'Guam',
+        'GW' => 'Guinea-Bissau',
+        'GY' => 'Guyana',
+        'HK' => 'Hong Kong',
+        'HM' => 'Heard Island and McDonald Islands',
+        'HN' => 'Honduras',
+        'HR' => 'Croatia',
+        'HT' => 'Haiti',
+        'HU' => 'Hungary',
+        'ID' => 'Indonesia',
+        'IE' => 'Republic of Ireland',
+        'IL' => 'Israel',
+        'IM' => 'Isle of Man',
+        'IN' => 'India',
+        'IO' => 'British Indian Ocean Territory',
+        'IQ' => 'Iraq',
+        'IR' => 'Iran',
+        'IS' => 'Iceland',
+        'IT' => 'Italy',
+        'JE' => 'Jersey',
+        'JM' => 'Jamaica',
+        'JO' => 'Jordan',
+        'JP' => 'Japan',
+        'KE' => 'Kenya',
+        'KG' => 'Kyrgyzstan',
+        'KH' => 'Cambodia',
+        'KI' => 'Kiribati',
+        'KM' => 'Comoros',
+        'KN' => 'Saint Kitts and Nevis',
+        'KP' => 'North Korea',
+        'KR' => 'South Korea',
+        'KW' => 'Kuwait',
+        'KY' => 'Cayman Islands',
+        'KZ' => 'Kazakhstan',
+        'LA' => 'Laos',
+        'LB' => 'Lebanon',
+        'LC' => 'Saint Lucia',
+        'LI' => 'Liechtenstein',
+        'LK' => 'Sri Lanka',
+        'LR' => 'Liberia',
+        'LS' => 'Lesotho',
+        'LT' => 'Lithuania',
+        'LU' => 'Luxembourg',
+        'LV' => 'Latvia',
+        'LY' => 'Libya',
+        'MA' => 'Morocco',
+        'MC' => 'Monaco',
+        'MD' => 'Moldova',
+        'ME' => 'Montenegro',
+        'MF' => 'Collectivity of Saint Martin',
+        'MG' => 'Madagascar',
+        'MH' => 'Marshall Islands',
+        'MK' => 'Republic of Macedonia',
+        'ML' => 'Mali',
+        'MM' => 'Myanmar',
+        'MN' => 'Mongolia',
+        'MO' => 'Macau',
+        'MP' => 'Northern Mariana Islands',
+        'MQ' => 'Martinique',
+        'MR' => 'Mauritania',
+        'MS' => 'Montserrat',
+        'MT' => 'Malta',
+        'MU' => 'Mauritius',
+        'MV' => 'Maldives',
+        'MW' => 'Malawi',
+        'MX' => 'Mexico',
+        'MY' => 'Malaysia',
+        'MZ' => 'Mozambique',
+        'NA' => 'Namibia',
+        'NC' => 'New Caledonia',
+        'NE' => 'Niger',
+        'NF' => 'Norfolk Island',
+        'NG' => 'Nigeria',
+        'NI' => 'Nicaragua',
+        'NL' => 'Netherlands',
+        'NO' => 'Norway',
+        'NP' => 'Nepal',
+        'NR' => 'Nauru',
+        'NU' => 'Niue',
+        'NZ' => 'New Zealand',
+        'OM' => 'Oman',
+        'PA' => 'Panama',
+        'PE' => 'Peru',
+        'PF' => 'French Polynesia',
+        'PG' => 'Papua New Guinea',
+        'PH' => 'Philippines',
+        'PK' => 'Pakistan',
+        'PL' => 'Poland',
+        'PM' => 'Saint Pierre and Miquelon',
+        'PN' => 'Pitcairn Islands',
+        'PR' => 'Puerto Rico',
+        'PS' => 'State of Palestine',
+        'PT' => 'Portugal',
+        'PW' => 'Palau',
+        'PY' => 'Paraguay',
+        'QA' => 'Qatar',
+        'RE' => 'Reunion',
+        'RO' => 'Romania',
+        'RS' => 'Serbia',
+        'RU' => 'Russia',
+        'RW' => 'Rwanda',
+        'SA' => 'Saudi Arabia',
+        'SB' => 'Solomon Islands',
+        'SC' => 'Seychelles',
+        'SD' => 'Sudan',
+        'SE' => 'Sweden',
+        'SG' => 'Singapore',
+        'SH' => 'Saint Helena, Ascension and Tristan da Cunha',
+        'SI' => 'Slovenia',
+        'SJ' => 'Svalbard and Jan Mayen',
+        'SK' => 'Slovakia',
+        'SL' => 'Sierra Leone',
+        'SM' => 'San Marino',
+        'SN' => 'Senegal',
+        'SO' => 'Somalia',
+        'SR' => 'Suriname',
+        'SS' => 'South Sudan',
+        'ST' => 'São Tomé and Príncipe',
+        'SV' => 'El Salvador',
+        'SX' => 'Sint Maarten',
+        'SY' => 'Syria',
+        'SZ' => 'Swaziland',
+        'TC' => 'Turks and Caicos Islands',
+        'TD' => 'Chad',
+        'TF' => 'French Southern and Antarctic Lands',
+        'TG' => 'Togo',
+        'TH' => 'Thailand',
+        'TJ' => 'Tajikistan',
+        'TK' => 'Tokelau',
+        'TL' => 'East Timor',
+        'TM' => 'Turkmenistan',
+        'TN' => 'Tunisia',
+        'TO' => 'Tonga',
+        'TR' => 'Turkey',
+        'TT' => 'Trinidad and Tobago',
+        'TV' => 'Tuvalu',
+        'TW' => 'Taiwan',
+        'TZ' => 'Tanzania',
+        'UA' => 'Ukraine',
+        'UG' => 'Uganda',
+        'UM' => 'United States Minor Outlying Islands',
+        'US' => 'United States',
+        'UY' => 'Uruguay',
+        'UZ' => 'Uzbekistan',
+        'VA' => 'Vatican City',
+        'VC' => 'Saint Vincent and the Grenadines',
+        'VE' => 'Venezuela',
+        'VG' => 'British Virgin Islands',
+        'VI' => 'United States Virgin Islands',
+        'VN' => 'Vietnam',
+        'VU' => 'Vanuatu',
+        'WF' => 'Wallis and Futuna',
+        'WS' => 'Samoa',
+        'YE' => 'Yemen',
+        'YT' => 'Mayotte',
+        'ZA' => 'South Africa',
+        'ZM' => 'Zambia',
+        'ZW' => 'Zimbabwe'
+      }.freeze
+    end
+  end
+end

data/lib/rack/cloudflare/headers.rb ADDED Viewed

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+require 'json'
+module Rack
+  class Cloudflare
+    class Headers
+      # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+      NAMES = %w[
+        HTTP_CF_IPCOUNTRY
+        HTTP_CF_CONNECTING_IP
+        HTTP_CF_RAY
+        HTTP_CF_VISITOR
+      ].freeze
+      STANDARD = %w[
+        HTTP_X_FORWARDED_FOR
+        HTTP_X_FORWARDED_PROTO
+        REMOTE_ADDR
+      ].freeze
+      ALL = (NAMES + STANDARD).freeze
+      # Create constants for each header
+      ALL.map { |h| const_set h, h.to_s.freeze }.freeze
+      class << self
+        attr_accessor :backup, :original_remote_addr, :original_forwarded_for
+        def trusted?(headers)
+          Headers.new(headers).trusted?
+        end
+      end
+      self.backup                 = true
+      self.original_remote_addr   = 'ORIGINAL_REMOTE_ADDR'
+      self.original_forwarded_for = 'ORIGINAL_FORWARDED_FOR'
+      def initialize(headers)
+        @headers = headers
+      end
+      # "Cf-Ipcountry: US"
+      def ip_country
+        @headers.fetch(HTTP_CF_IPCOUNTRY, 'XX')
+      end
+      # "CF-Connecting-IP: A.B.C.D"
+      def connecting_ip
+        @connecting_ip ||= IPs.parse(@headers[HTTP_CF_CONNECTING_IP]).first
+      end
+      # "X-Forwarded-For: A.B.C.D"
+      # "X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"
+      def forwarded_for
+        @forwarded_for ||= IPs.parse(@headers[HTTP_X_FORWARDED_FOR])
+      end
+      # "X-Forwarded-Proto: https"
+      def forwarded_proto
+        @headers[HTTP_X_FORWARDED_PROTO]
+      end
+      # "Cf-Ray: 230b030023ae2822-SJC"
+      def ray
+        @headers[HTTP_CF_RAY]
+      end
+      # "Cf-Visitor: { \"scheme\":\"https\"}"
+      def visitor
+        return unless has?(HTTP_CF_VISITOR)
+        JSON.parse @headers[HTTP_CF_VISITOR]
+      end
+      def remote_addr
+        @remote_addr ||= IPs.parse(@headers[REMOTE_ADDR]).first
+      end
+      # Indicates if the headers passed through Cloudflare
+      def trusted?
+        IPs.list.any? { |range| range.include? remote_addr }
+      end
+      def backup_headers
+        return {} unless Headers.backup
+        {}.tap do |headers|
+          headers[Headers.original_remote_addr]   = @headers[REMOTE_ADDR]
+          headers[Headers.original_forwarded_for] = @headers[HTTP_X_FORWARDED_FOR]
+        end
+      end
+      def rewritten_headers
+        # Only rewrites headers if it's a Cloudflare request
+        return {} unless trusted?
+        {}.tap do |headers|
+          headers.merge! backup_headers
+          # Overwrite the original remote IP based on
+          # Cloudflare's specified original remote IP
+          headers[REMOTE_ADDR] = connecting_ip.to_s if connecting_ip
+          # Add HTTP_X_FORWARDED_FOR if it wasn't present.
+          # Cloudflare will already have modified the header if
+          # it was present in the original request.
+          # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+          headers[HTTP_X_FORWARDED_FOR] = "#{connecting_ip}, #{remote_addr}" if forwarded_for.none?
+        end
+      end
+      # Headers that relate to Cloudflare
+      # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+      def target_headers
+        @headers.select { |k, _| ALL.include? k }
+      end
+      def rewritten_target_headers
+        target_headers.merge(rewritten_headers)
+      end
+      def rewrite
+        @headers.merge(rewritten_headers)
+      end
+      def has?(header)
+        @headers.key?(header)
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/ips.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+require 'ipaddr'
+require 'net/http'
+module Rack
+  class Cloudflare
+    module IPs
+      # See: https://www.cloudflare.com/ips/
+      V4_URL = 'https://www.cloudflare.com/ips-v4'
+      V6_URL = 'https://www.cloudflare.com/ips-v6'
+      class << self
+        # List of IPs to reference
+        attr_accessor :list
+        # Refresh list of IPs in case local copy is outdated
+        def refresh!
+          self.list = fetch(V4_URL) + fetch(V6_URL)
+        end
+        def fetch(url)
+          parse Net::HTTP.get(URI(url))
+        end
+        def read(filename)
+          parse File.read(filename)
+        end
+        def parse(string)
+          return [] if string.to_s.strip.empty?
+          string.split(/[,\s]+/).map { |ip| IPAddr.new(ip.strip) }
+        end
+      end
+      V4 = read("#{__dir__}/../../../data/ips_v4.txt")
+      V6 = read("#{__dir__}/../../../data/ips_v6.txt")
+      DEFAULTS = V4 + V6
+      ### Configure
+      self.list = DEFAULTS
+    end
+  end
+end

data/lib/rack/cloudflare/middleware/access_control.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module Rack
+  class Cloudflare
+    module Middleware
+      class AccessControl
+        class << self
+          attr_accessor :blocked_response, :blocked_message
+        end
+        self.blocked_message  = 'Forbidden'
+        self.blocked_response = lambda do |_env|
+          [403, { 'Content-Type' => 'text/plain' }, ["#{blocked_message.strip}\n"]]
+        end
+        def initialize(app)
+          @app = app
+        end
+        def call(env)
+          headers = Headers.new(env)
+          if headers.trusted?
+            Cloudflare.info "[#{self.class.name}] Trusted Network (REMOTE_ADDR): #{headers.target_headers}"
+            @app.call(env)
+          else
+            Cloudflare.warn "[#{self.class.name}] Untrusted Network (REMOTE_ADDR): #{headers.target_headers}"
+            AccessControl.blocked_response.call(env)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/middleware/rewrite_headers.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module Rack
+  class Cloudflare
+    module Middleware
+      class RewriteHeaders
+        def initialize(app)
+          @app = app
+        end
+        def call(env)
+          headers = Headers.new(env)
+          Cloudflare.warn "[#{self.class.name}] Untrusted Network (REMOTE_ADDR): #{headers.target_headers}" unless headers.trusted?
+          Cloudflare.debug "[#{self.class.name}] Target Headers: #{headers.target_headers}"
+          Cloudflare.debug "[#{self.class.name}] Rewritten Headers: #{headers.rewritten_target_headers}"
+          @app.call(headers.rewrite)
+        end
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/version.rb CHANGED Viewed

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
 module Rack
-  module Cloudflare
-    VERSION = '0.1.0'.freeze
+  class Cloudflare
+    VERSION = '1.0.0'
   end
 end

data/rack-cloudflare-0.1.0.gem ADDED Viewed

Binary file

data/rack-cloudflare.gemspec CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cloudflare/version'
@@ -24,4 +26,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 1.16'
   spec.add_development_dependency 'rake',    '~> 10.0'
   spec.add_development_dependency 'rspec',   '~> 3.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubycritic'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Joel Van Horn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-09-13 00:00:00.000000000 Z
+date: 2018-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubycritic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Deal with Cloudflare features in Rack-based apps.
 email:
 - joel@joelvanhorn.com
@@ -61,14 +89,23 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
 - Gemfile
 - README.md
 - Rakefile
 - bin/console
 - bin/setup
+- data/ips_v4.txt
+- data/ips_v6.txt
 - lib/rack/cloudflare.rb
+- lib/rack/cloudflare/countries.rb
+- lib/rack/cloudflare/headers.rb
+- lib/rack/cloudflare/ips.rb
+- lib/rack/cloudflare/middleware/access_control.rb
+- lib/rack/cloudflare/middleware/rewrite_headers.rb
 - lib/rack/cloudflare/version.rb
+- rack-cloudflare-0.1.0.gem
 - rack-cloudflare.gemspec
 homepage: https://github.com/joelvh/rack-cloudflare
 licenses: []