rack-cloudflare 1.0.0 → 1.0.1
- checksums.yaml +4 -4
- data/.gitignore +2 -1
- data/README.md +62 -44
- data/Rakefile +1 -1
- data/lib/rack/cloudflare/headers.rb +1 -1
- data/lib/rack/cloudflare/ips.rb +3 -3
- data/lib/rack/cloudflare/version.rb +1 -1
- metadata +1 -2
- data/rack-cloudflare-0.1.0.gem +0 -0
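--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 226fb49f7f04f287c5ad80d37f92547073049bc1d222054a082a09f2eb85d7e0
+data.tar.gz: 2b196672e8bca43dfcd22f920ec69fc7250b71fced112aee3d01729c1b40976c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a9c0b7967fa66302c86268e9f80d5e1eece2401b95e4ab0b6b1b91ab41070e4fed3ee554385fe6f5f34cdea8a5a809fa731ebaa6c0ce0ad114c8f2a020bdc285
+data.tar.gz: 220c954ca1c7779bc811831168cfa15e44c72268917b3b8576eecc6b2794297c03a722a135fdb6710ae3e80d87a5f39d48fdbf46e1a729e4cf74a8a06ed3d212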
data/.gitignore
CHANGED
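--- a/data/README.md
+++ b/data/README.md
@@ -24,27 +24,31 @@ Or install it yourself as:
 
 You can block access to non-Cloudflare networks using `Rack::Cloudflare::Middleware::AccessControl`.
 
-
+```ruby
+require 'rack/cloudflare'
 
-
-
+# In config.ru
+use Rack::Cloudflare::Middleware::AccessControl
 
-
-
+# In Rails config/application.rb
+config.middleware.use Rack::Cloudflare::Middleware::AccessControl
 
-
-
+# Configure custom blocked message (defaults to "Forbidden")
+Rack::Cloudflare::Middleware::AccessControl.blocked_message = "You don't belong here..."
 
-
-
-
-
+# Fully customize the Rack response (such as making it a redirect)
+Rack::Cloudflare::Middleware::AccessControl.blocked_response = lambda do |_env|
+[301, { 'Location' => 'https://somewhere.else.xyz' }, ["Redirecting...\n"]]
+end
+```
 
 Alternatively, using [`Rack::Attack`](https://github.com/kickstarter/rack-attack) you can easily add a "safelist" rule.
 
-
-
-
+```ruby
+Rack::Attack.safelist('Only allow requests through the Cloudflare network') do |request|
+Rack::Cloudflare::Headers.trusted?(request.env)
+end
+```
 
 Utilizing the `trusted?` helper method, you can implement a similar check using other middleware.
 
@@ -54,22 +58,26 @@ See _Toolkits: Detect Cloudflare Requests_ for alternative uses.
 
 You can set `REMOTE_ADDR` to the correct remote IP using `Rack::Cloudflare::Middleware::RewriteHeaders`.
 
-
+```ruby
+require 'rack/cloudflare'
 
-
-
+# In config.ru
+use Rack::Cloudflare::Middleware::RewriteHeaders
 
-
-
+# In Rails config/application.rb
+config.middleware.use Rack::Cloudflare::Middleware::RewriteHeaders
+```
 
 You can customize whether rewritten headers should be backed up and what names to use.
 
-
-
+```ruby
+# Toggle header backups (default: true)
+Rack::Cloudflare::Headers.backup = false
 
-
-
-
+# Rename backed up headers (defaults: "ORIGINAL_REMOTE_ADDR", "ORIGINAL_FORWARDED_FOR")
+Rack::Cloudflare::Headers.original_remote_addr = 'BACKUP_REMOTE_ADDR'
+Rack::Cloudflare::Headers.original_forwarded_for = 'BACKUP_FORWARDED_FOR'
+```
 
 See _Toolkits: Rewrite Headers_ for alternative uses.
 
@@ -77,7 +85,9 @@ See _Toolkits: Rewrite Headers_ for alternative uses.
 
 You can enable logging to see what requests are blocked or headers are rewritten.
 
-
+```ruby
+Rack::Cloudflare.logger = Logger.new(STDOUT)
+```
 
 Log levels used are INFO, DEBUG and WARN.
 
@@ -87,10 +97,12 @@ Log levels used are INFO, DEBUG and WARN.
 
 You can very easily check your HTTP headers to see if the request came from a Cloudflare network.
 
-
-
-
-
+```ruby
+# Your headers are in a `Hash` format
+# e.g. { 'REMOTE_ADDR' => '0.0.0.0', ... }
+# Verifies the remote address
+Rack::Cloudflare::Headers.trusted?(headers)
+```
 
 Note that we can only trust the `REMOTE_ADDR` header to verify a request came from Cloudflare.
 The `HTTP_X_FORWARDED_FOR` header can be modified and therefore not trusted.
@@ -102,17 +114,19 @@ Read this article, for example: [Anatomy of an Attack: How I Hacked StackOverflo
 
 We can easily rewrite `REMOTE_ADDR` and add `HTTP_X_FORWARDED_FOR` based on verifying the request comes from a Cloudflare network.
 
-
-
+```ruby
+# Get a list of headers relevant to Cloudflare (unmodified)
+headers = Rack::Cloudflare::Headers.new(headers).target_headers
 
-
-
+# Get a list of headers that will be rewritten (modified)
+headers = Rack::Cloudflare::Headers.new(headers).rewritten_headers
 
-
-
+# Get a list of headers relevant to Cloudflare with rewritten values
+headers = Rack::Cloudflare::Headers.new(headers).rewritten_target_headers
 
-
-
+# Update original headers with rewritten ones
+headers = Rack::Cloudflare::Headers.new(headers).rewrite
+```
 
 ### Up-to-date Cloudflare IP addresses
 
@@ -120,17 +134,21 @@ Cloudflare provides a [list of IP addresses](https://www.cloudflare.com/ips/) th
 
 A copy of the IPs are kept in [/data](./data/). The list is converted to a `IPAddr` list and is accessible as:
 
-
-
-
+```ruby
+# Configurable list of IPs
+# Defaults to Rack::Cloudflare::IPs::DEFAULTS
+Rack::Cloudflare::IPs.list
+```
 
 The list can be updated to Cloudflare's latest published IP lists in-memory:
 
-
-
+```ruby
+# Fetches Rack::Cloudflare::IPs::V4_URL and Rack::Cloudflare::IPs::V6_URL
+Rack::Cloudflare::IPs.refresh!
 
-
-
+# Updates cached list in-memory
+Rack::Cloudflare::IPs.list
+```
 
 ## Credits
 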
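--- a/data/Rakefile
+++ b/data/Rakefile
@@ -14,7 +14,7 @@ RubyCritic::RakeTask.new do |task|
 # task.name = 'something_special'
 
 # # Glob pattern to match source files. Defaults to FileList['.'].
-task.paths = FileList['
+task.paths = FileList['lib/**/*.rb']
 
 # # You can pass all the options here in that are shown by "rubycritic -h" except for
 # # "-p / --path" since that is set separately. Defaults to ''.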
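--- a/data/lib/rack/cloudflare/ips.rb
+++ b/data/lib/rack/cloudflare/ips.rb
@@ -20,16 +20,16 @@ module Rack
 end
 
 def fetch(url)
-parse Net::HTTP.get(URI(url))
+parse ::Net::HTTP.get(URI(url))
 end
 
 def read(filename)
-parse File.read(filename)
+parse ::File.read(filename)
 end
 
 def parse(string)
 return [] if string.to_s.strip.empty?
-string.split(/[,\s]+/).map { |ip| IPAddr.new(ip.strip) }
+string.split(/[,\s]+/).map { |ip| ::IPAddr.new(ip.strip) }
 end
 end
 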
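Review bot: `fetch` hands whatever body `::Net::HTTP.get` returns straight to `parse`, with no check of the response status or of the URL scheme, although the fetched list presumably backs `trusted?` and the `REMOTE_ADDR` rewrite and so acts as a trust anchor. `Net::HTTP.get` returns the body of an error or redirect response just like a successful one, so such a reply either raises from `::IPAddr.new` or, when the body is blank, becomes `[]` through the early return in `parse`. How `refresh!` reacts to either outcome is outside this hunk, as is the start of the enclosing module, so the caller should be checked to confirm it keeps the previous list when a fetch fails or comes back empty. I would switch to `get_response`, accept only a success status over HTTPS, and add a one-line comment on `fetch` saying that its result feeds the allowlist.

```ruby
def fetch(url)
  uri = URI(url)
  raise ArgumentError, "IP list URL must be https: #{url}" unless uri.scheme == 'https'

  response = ::Net::HTTP.get_response(uri)
  raise "IP list fetch failed with HTTP #{response.code}" unless response.is_a?(::Net::HTTPSuccess)

  parse response.body
end
# … unchanged: read, parse …
```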
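--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.1
 platform: ruby
 authors:
 - Joel Van Horn
@@ -105,7 +105,6 @@ files:
 - lib/rack/cloudflare/middleware/access_control.rb
 - lib/rack/cloudflare/middleware/rewrite_headers.rb
 - lib/rack/cloudflare/version.rb
-- rack-cloudflare-0.1.0.gem
 - rack-cloudflare.gemspec
 homepage: https://github.com/joelvh/rack-cloudflare
 licenses: []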
data/rack-cloudflare-0.1.0.gem
DELETED
Binary file
|