rack-cloudflare 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d361e00dd386a7ee04f14083033478613234cf3595d3fcd2305293dda78f43d2
-  data.tar.gz: 2d51e3ee954d38f99db080f28d82206a6d3156b1f8de7f1a4dd8e44328979c16
+  metadata.gz: 6c8a5b0439022d396fd56721e79b97a96c4cf830b0e37c27a4a9f6f2db2f8bd0
+  data.tar.gz: d3866b5cfcce96211b25ae277b5e5280f3f38e0eb5f78d291c23d2a08cf84715
 SHA512:
-  metadata.gz: '0318856bf3ad9182b7a22de5a5cb14a8b79ae55c7cb40c68329ba044820a1dcd69b3103ae47b6f4ac727a0f90e405d810a0d61c8b523e41a0b74170791cc300d'
-  data.tar.gz: 3d871d3ad152afed37a1ca788602e570f601e25d301d73a9c141cfc12464988b080972a935e4f51b5620c6ea710a471f9f57de975285768980b24e56c5d5df6e
+  metadata.gz: 8ea482f40489690a5f368f0e21a9aad7fbc59dc76517b351b635ff53064ac8a1339ecc4c3129047967d5bdbafa259aa11a4b79314ea52ebe78b63d3bf031e9f4
+  data.tar.gz: 40709bddc477ccd842dd50318827c4af50bbc7cf5a0b8ee58304e0e0d0d736b5fdd04b8b6f81692eb45f82b9a04492c4cb63001e6089490ab8e1cb8ee217b2a4

data/.gitignore

@@ -9,3 +9,5 @@
 
 # rspec failure tracking
 .rspec_status
+
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,43 @@
+AllCops:
+  TargetRubyVersion: 2.5.1
+  # Rails: true
+  # Include:
+  #   - '**/Rakefile'
+  #   - '**/config.ru'
+  Exclude:
+    - 'doc/**/*'
+    - 'tmp/**/*'
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'test/**/*'
+    - 'config/**/*'
+    - 'script/**/*'
+    - 'vendor/**/*'
+    - 'spec/**/*'
+    - !ruby/regexp /old_and_unused\.rb$/
+
+# Style/WhileUntilModifier:
+#   MaxLineLength: 160
+
+# Style/IfUnlessModifier:
+#   MaxLineLength: 160
+
+Metrics/LineLength:
+  Max: 160
+
+Metrics/AbcSize:
+  Max: 120
+
+Metrics/MethodLength:
+  CountComments: false  # count full line comments?
+  Max: 120
+
+NumericPredicate:
+  EnforcedStyle: comparison
+
+Style/Documentation:
+  Enabled: false
+
+Metrics/ModuleLength:
+  Exclude:
+    - 'lib/rack/cloudflare/countries.rb'

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }

data/README.md

@@ -1,8 +1,6 @@
 # Rack::Cloudflare
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/rack/cloudflare`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+Deal with Cloudflare features in your Ruby app using Rack middleware. Also provides a Ruby toolkit to deal with Cloudflare in other contexts if you'd like.
 
 ## Installation
 
@@ -22,13 +20,124 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+### Whitelist Cloudflare IP addresses
+
+You can block access to non-Cloudflare networks using `Rack::Cloudflare::Middleware::AccessControl`.
+
+    require 'rack/cloudflare'
+
+    # In config.ru
+    use Rack::Cloudflare::Middleware::AccessControl
+
+    # In Rails config/application.rb
+    config.middleware.use Rack::Cloudflare::Middleware::AccessControl
+
+    # Configure custom blocked message (defaults to "Forbidden")
+    Rack::Cloudflare::Middleware::AccessControl.blocked_message = "You don't belong here..."
+
+    # Fully customize the Rack response (such as making it a redirect)
+    Rack::Cloudflare::Middleware::AccessControl.blocked_response = lambda do |_env|
+      [301, { 'Location' => 'https://somewhere.else.xyz' }, ["Redirecting...\n"]]
+    end
+
+Alternatively, using [`Rack::Attack`](https://github.com/kickstarter/rack-attack) you can easily add a "safelist" rule.
+
+    Rack::Attack.safelist('Only allow requests through the Cloudflare network') do |request|
+      Rack::Cloudflare::Headers.trusted?(request.env)
+    end
+
+Utilizing the `trusted?` helper method, you can implement a similar check using other middleware.
+
+See _Toolkits: Detect Cloudflare Requests_ for alternative uses.
+
+### Rewrite Cloudflare Remote/Client IP address
+
+You can set `REMOTE_ADDR` to the correct remote IP using `Rack::Cloudflare::Middleware::RewriteHeaders`.
+
+    require 'rack/cloudflare'
+
+    # In config.ru
+    use Rack::Cloudflare::Middleware::RewriteHeaders
+
+    # In Rails config/application.rb
+    config.middleware.use Rack::Cloudflare::Middleware::RewriteHeaders
+
+You can customize whether rewritten headers should be backed up and what names to use.
+
+    # Toggle header backups
+    Rack::Cloudflare::Headers.backup = false
+
+    # Rename backed up headers (defaults: "ORIGINAL_REMOTE_ADDR", "ORIGINAL_FORWARDED_FOR")
+    Rack::Cloudflare::Headers.original_remote_addr   = 'BACKUP_REMOTE_ADDR'
+    Rack::Cloudflare::Headers.original_forwarded_for = 'BACKUP_FORWARDED_FOR'
+
+See _Toolkits: Rewrite Headers_ for alternative uses.
+
+### Logging
+
+You can enable logging to see what requests are blocked or headers are rewritten.
+
+    Rack::Cloudflare.logger = Logger.new(STDOUT)
+
+Log levels used are INFO, DEBUG and WARN.
+
+## Toolkits
+
+### Detect Cloudflare Requests
+
+You can very easily check your HTTP headers to see if the request came from a Cloudflare network.
+
+    # Your headers are in a `Hash` format
+    # e.g. { 'REMOTE_ADDR' => '0.0.0.0', ... }
+    # Verifies the remote address
+    Rack::Cloudflare::Headers.trusted?(headers)
+
+Note that we can only trust the `REMOTE_ADDR` header to verify a request came from Cloudflare.
+The `HTTP_X_FORWARDED_FOR` header can be modified and therefore not trusted.
+
+Make sure your web server does not modify `REMOTE_ADDR` because it could cause security holes.
+Read this article, for example: [Anatomy of an Attack: How I Hacked StackOverflow](https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html)
+
+### Rewrite Headers
+
+We can easily rewrite `REMOTE_ADDR` and add `HTTP_X_FORWARDED_FOR` based on verifying the request comes from a Cloudflare network.
+
+    # Get a list of headers relevant to Cloudflare (unmodified)
+    headers = Rack::Cloudflare::Headers.new(headers).target_headers
+
+    # Get a list of headers that will be rewritten (modified)
+    headers = Rack::Cloudflare::Headers.new(headers).rewritten_headers
+
+    # Get a list of headers relevant to Cloudflare with rewritten values
+    headers = Rack::Cloudflare::Headers.new(headers).rewritten_target_headers
+
+    # Update original headers with rewritten ones
+    headers = Rack::Cloudflare::Headers.new(headers).rewrite
+
+### Up-to-date Cloudflare IP addresses
+
+Cloudflare provides a [list of IP addresses](https://www.cloudflare.com/ips/) that are important to keep up-to-date.
+
+A copy of the IPs are kept in [/data](./data/). The list is converted to a `IPAddr` list and is accessible as:
+
+    # Configurable list of IPs
+    # Defaults to Rack::Cloudflare::IPs::DEFAULTS
+    Rack::Cloudflare::IPs.list
+
+The list can be updated to Cloudflare's latest published IP lists in-memory:
+
+    # Fetches Rack::Cloudflare::IPs::V4_URL and Rack::Cloudflare::IPs::V6_URL
+    Rack::Cloudflare::IPs.refresh!
+
+    # Updates cached list in-memory
+    Rack::Cloudflare::IPs.list
 
-## Development
+## Credits
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+Inspired by:
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+* https://github.com/tatey/rack-cloudflare
+* https://github.com/rikas/cloudflare_localizable
 
 ## Contributing
 

data/Rakefile

@@ -1,6 +1,31 @@
+# frozen_string_literal: true
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'rubycritic/rake_task'
+
+RuboCop::RakeTask.new do |task|
+  task.requires << 'rubocop-rspec'
+end
+
+RubyCritic::RakeTask.new do |task|
+  # # Name of RubyCritic task. Defaults to :rubycritic.
+  # task.name    = 'something_special'
+
+  # # Glob pattern to match source files. Defaults to FileList['.'].
+  task.paths = FileList['apps/**/*.rb', 'lib/**/*.rb']
+
+  # # You can pass all the options here in that are shown by "rubycritic -h" except for
+  # # "-p / --path" since that is set separately. Defaults to ''.
+  # task.options = '--mode-ci --format json'
+  # # task.options = '--no-browser'
+
+  # # Defaults to false
+  task.verbose = true
+end
 
 RSpec::Core::RakeTask.new(:spec)
 
-task default: :spec
+# task default: %w[rubocop:auto_correct rubycritic spec]
+task default: %w[rubocop:auto_correct spec]

data/data/ips_v4.txt

@@ -0,0 +1,14 @@
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+104.16.0.0/12
+108.162.192.0/18
+131.0.72.0/22
+141.101.64.0/18
+162.158.0.0/15
+172.64.0.0/13
+173.245.48.0/20
+188.114.96.0/20
+190.93.240.0/20
+197.234.240.0/22
+198.41.128.0/17

data/data/ips_v6.txt

@@ -0,0 +1,6 @@
+2400:cb00::/32
+2405:b500::/32
+2606:4700::/32
+2803:f800::/32
+2c0f:f248::/32
+2a06:98c0::/29

data/lib/rack/cloudflare.rb

@@ -1,8 +1,21 @@
-require 'rack/cloudflare/version'
+# frozen_string_literal: true
+
+require_relative 'cloudflare/version'
+require_relative 'cloudflare/countries'
+require_relative 'cloudflare/ips'
+require_relative 'cloudflare/headers'
+
+require_relative 'cloudflare/middleware/access_control'
+require_relative 'cloudflare/middleware/rewrite_headers'
 
 module Rack
-  # Documentation goes here...
-  module Cloudflare
-    # Your code goes here...
+  class Cloudflare
+    class << self
+      attr_accessor :logger
+
+      %i[info debug warn error].each do |m|
+        define_method(m) { |*args| logger&.__send__(m, *args) }
+      end
+    end
   end
 end

data/lib/rack/cloudflare/countries.rb

@@ -0,0 +1,268 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cloudflare
+    module Countries
+      def self.[](abbr)
+        LIST.fetch(abbr, UNKNOWN)
+      end
+
+      DEFAULT = 'XX'
+      UNKNOWN = 'Unknown'
+
+      LIST = {
+        DEFAULT => UNKNOWN,
+
+        'AD' => 'Andorra',
+        'AE' => 'United Arab Emirates',
+        'AF' => 'Afghanistan',
+        'AG' => 'Antigua and Barbuda',
+        'AI' => 'Anguilla',
+        'AL' => 'Albania',
+        'AM' => 'Armenia',
+        'AO' => 'Angola',
+        'AQ' => 'Antarctica',
+        'AR' => 'Argentina',
+        'AS' => 'American Samoa',
+        'AT' => 'Austria',
+        'AU' => 'Australia',
+        'AW' => 'Aruba',
+        'AX' => 'Aland Islands',
+        'AZ' => 'Azerbaijan',
+        'BA' => 'Bosnia and Herzegovina',
+        'BB' => 'Barbados',
+        'BD' => 'Bangladesh',
+        'BE' => 'Belgium',
+        'BF' => 'Burkina Faso',
+        'BG' => 'Bulgaria',
+        'BH' => 'Bahrain',
+        'BI' => 'Burundi',
+        'BJ' => 'Benin',
+        'BL' => 'Saint Barthélemy',
+        'BM' => 'Bermuda',
+        'BN' => 'Brunei',
+        'BO' => 'Bolivia',
+        'BQ' => 'Caribbean Netherlands',
+        'BR' => 'Brazil',
+        'BS' => 'The Bahamas',
+        'BT' => 'Bhutan',
+        'BV' => 'Bouvet Island',
+        'BW' => 'Botswana',
+        'BY' => 'Belarus',
+        'BZ' => 'Belize',
+        'CA' => 'Canada',
+        'CC' => 'Cocos (Keeling) Islands',
+        'CD' => 'Democratic Republic of the Congo',
+        'CF' => 'Central African Republic',
+        'CG' => 'Republic of the Congo',
+        'CH' => 'Switzerland',
+        'CI' => "Cote d'Ivoire",
+        'CK' => 'Cook Islands',
+        'CL' => 'Chile',
+        'CM' => 'Cameroon',
+        'CN' => 'China',
+        'CO' => 'Colombia',
+        'CR' => 'Costa Rica',
+        'CU' => 'Cuba',
+        'CV' => 'Cape Verde',
+        'CW' => 'Curaçao',
+        'CX' => 'Christmas Island',
+        'CY' => 'Cyprus',
+        'CZ' => 'Czech Republic',
+        'DE' => 'Germany',
+        'DJ' => 'Djibouti',
+        'DK' => 'Denmark',
+        'DM' => 'Dominica',
+        'DO' => 'Dominican Republic',
+        'DZ' => 'Algeria',
+        'EC' => 'Ecuador',
+        'EE' => 'Estonia',
+        'EG' => 'Egypt',
+        'EH' => 'Western Sahara',
+        'ER' => 'Eritrea',
+        'ES' => 'Spain',
+        'ET' => 'Ethiopia',
+        'FI' => 'Finland',
+        'FJ' => 'Fiji',
+        'FK' => 'Falkland Islands',
+        'FM' => 'Federated States of Micronesia',
+        'FO' => 'Faroe Islands',
+        'FR' => 'France',
+        'GA' => 'Gabon',
+        'GB' => 'United Kingdom',
+        'GD' => 'Grenada',
+        'GE' => 'Georgia',
+        'GF' => 'French Guiana',
+        'GG' => 'Guernsey',
+        'GH' => 'Ghana',
+        'GI' => 'Gibraltar',
+        'GL' => 'Greenland',
+        'GM' => 'The Gambia',
+        'GN' => 'Guinea',
+        'GP' => 'Guadeloupe',
+        'GQ' => 'Equatorial Guinea',
+        'GR' => 'Greece',
+        'GS' => 'South Georgia and the South Sandwich Islands',
+        'GT' => 'Guatemala',
+        'GU' => 'Guam',
+        'GW' => 'Guinea-Bissau',
+        'GY' => 'Guyana',
+        'HK' => 'Hong Kong',
+        'HM' => 'Heard Island and McDonald Islands',
+        'HN' => 'Honduras',
+        'HR' => 'Croatia',
+        'HT' => 'Haiti',
+        'HU' => 'Hungary',
+        'ID' => 'Indonesia',
+        'IE' => 'Republic of Ireland',
+        'IL' => 'Israel',
+        'IM' => 'Isle of Man',
+        'IN' => 'India',
+        'IO' => 'British Indian Ocean Territory',
+        'IQ' => 'Iraq',
+        'IR' => 'Iran',
+        'IS' => 'Iceland',
+        'IT' => 'Italy',
+        'JE' => 'Jersey',
+        'JM' => 'Jamaica',
+        'JO' => 'Jordan',
+        'JP' => 'Japan',
+        'KE' => 'Kenya',
+        'KG' => 'Kyrgyzstan',
+        'KH' => 'Cambodia',
+        'KI' => 'Kiribati',
+        'KM' => 'Comoros',
+        'KN' => 'Saint Kitts and Nevis',
+        'KP' => 'North Korea',
+        'KR' => 'South Korea',
+        'KW' => 'Kuwait',
+        'KY' => 'Cayman Islands',
+        'KZ' => 'Kazakhstan',
+        'LA' => 'Laos',
+        'LB' => 'Lebanon',
+        'LC' => 'Saint Lucia',
+        'LI' => 'Liechtenstein',
+        'LK' => 'Sri Lanka',
+        'LR' => 'Liberia',
+        'LS' => 'Lesotho',
+        'LT' => 'Lithuania',
+        'LU' => 'Luxembourg',
+        'LV' => 'Latvia',
+        'LY' => 'Libya',
+        'MA' => 'Morocco',
+        'MC' => 'Monaco',
+        'MD' => 'Moldova',
+        'ME' => 'Montenegro',
+        'MF' => 'Collectivity of Saint Martin',
+        'MG' => 'Madagascar',
+        'MH' => 'Marshall Islands',
+        'MK' => 'Republic of Macedonia',
+        'ML' => 'Mali',
+        'MM' => 'Myanmar',
+        'MN' => 'Mongolia',
+        'MO' => 'Macau',
+        'MP' => 'Northern Mariana Islands',
+        'MQ' => 'Martinique',
+        'MR' => 'Mauritania',
+        'MS' => 'Montserrat',
+        'MT' => 'Malta',
+        'MU' => 'Mauritius',
+        'MV' => 'Maldives',
+        'MW' => 'Malawi',
+        'MX' => 'Mexico',
+        'MY' => 'Malaysia',
+        'MZ' => 'Mozambique',
+        'NA' => 'Namibia',
+        'NC' => 'New Caledonia',
+        'NE' => 'Niger',
+        'NF' => 'Norfolk Island',
+        'NG' => 'Nigeria',
+        'NI' => 'Nicaragua',
+        'NL' => 'Netherlands',
+        'NO' => 'Norway',
+        'NP' => 'Nepal',
+        'NR' => 'Nauru',
+        'NU' => 'Niue',
+        'NZ' => 'New Zealand',
+        'OM' => 'Oman',
+        'PA' => 'Panama',
+        'PE' => 'Peru',
+        'PF' => 'French Polynesia',
+        'PG' => 'Papua New Guinea',
+        'PH' => 'Philippines',
+        'PK' => 'Pakistan',
+        'PL' => 'Poland',
+        'PM' => 'Saint Pierre and Miquelon',
+        'PN' => 'Pitcairn Islands',
+        'PR' => 'Puerto Rico',
+        'PS' => 'State of Palestine',
+        'PT' => 'Portugal',
+        'PW' => 'Palau',
+        'PY' => 'Paraguay',
+        'QA' => 'Qatar',
+        'RE' => 'Reunion',
+        'RO' => 'Romania',
+        'RS' => 'Serbia',
+        'RU' => 'Russia',
+        'RW' => 'Rwanda',
+        'SA' => 'Saudi Arabia',
+        'SB' => 'Solomon Islands',
+        'SC' => 'Seychelles',
+        'SD' => 'Sudan',
+        'SE' => 'Sweden',
+        'SG' => 'Singapore',
+        'SH' => 'Saint Helena, Ascension and Tristan da Cunha',
+        'SI' => 'Slovenia',
+        'SJ' => 'Svalbard and Jan Mayen',
+        'SK' => 'Slovakia',
+        'SL' => 'Sierra Leone',
+        'SM' => 'San Marino',
+        'SN' => 'Senegal',
+        'SO' => 'Somalia',
+        'SR' => 'Suriname',
+        'SS' => 'South Sudan',
+        'ST' => 'São Tomé and Príncipe',
+        'SV' => 'El Salvador',
+        'SX' => 'Sint Maarten',
+        'SY' => 'Syria',
+        'SZ' => 'Swaziland',
+        'TC' => 'Turks and Caicos Islands',
+        'TD' => 'Chad',
+        'TF' => 'French Southern and Antarctic Lands',
+        'TG' => 'Togo',
+        'TH' => 'Thailand',
+        'TJ' => 'Tajikistan',
+        'TK' => 'Tokelau',
+        'TL' => 'East Timor',
+        'TM' => 'Turkmenistan',
+        'TN' => 'Tunisia',
+        'TO' => 'Tonga',
+        'TR' => 'Turkey',
+        'TT' => 'Trinidad and Tobago',
+        'TV' => 'Tuvalu',
+        'TW' => 'Taiwan',
+        'TZ' => 'Tanzania',
+        'UA' => 'Ukraine',
+        'UG' => 'Uganda',
+        'UM' => 'United States Minor Outlying Islands',
+        'US' => 'United States',
+        'UY' => 'Uruguay',
+        'UZ' => 'Uzbekistan',
+        'VA' => 'Vatican City',
+        'VC' => 'Saint Vincent and the Grenadines',
+        'VE' => 'Venezuela',
+        'VG' => 'British Virgin Islands',
+        'VI' => 'United States Virgin Islands',
+        'VN' => 'Vietnam',
+        'VU' => 'Vanuatu',
+        'WF' => 'Wallis and Futuna',
+        'WS' => 'Samoa',
+        'YE' => 'Yemen',
+        'YT' => 'Mayotte',
+        'ZA' => 'South Africa',
+        'ZM' => 'Zambia',
+        'ZW' => 'Zimbabwe'
+      }.freeze
+    end
+  end
+end

data/lib/rack/cloudflare/headers.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Rack
+  class Cloudflare
+    class Headers
+      # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+      NAMES = %w[
+        HTTP_CF_IPCOUNTRY
+        HTTP_CF_CONNECTING_IP
+        HTTP_CF_RAY
+        HTTP_CF_VISITOR
+      ].freeze
+
+      STANDARD = %w[
+        HTTP_X_FORWARDED_FOR
+        HTTP_X_FORWARDED_PROTO
+        REMOTE_ADDR
+      ].freeze
+
+      ALL = (NAMES + STANDARD).freeze
+
+      # Create constants for each header
+      ALL.map { |h| const_set h, h.to_s.freeze }.freeze
+
+      class << self
+        attr_accessor :backup, :original_remote_addr, :original_forwarded_for
+
+        def trusted?(headers)
+          Headers.new(headers).trusted?
+        end
+      end
+
+      self.backup                 = true
+      self.original_remote_addr   = 'ORIGINAL_REMOTE_ADDR'
+      self.original_forwarded_for = 'ORIGINAL_FORWARDED_FOR'
+
+      def initialize(headers)
+        @headers = headers
+      end
+
+      # "Cf-Ipcountry: US"
+      def ip_country
+        @headers.fetch(HTTP_CF_IPCOUNTRY, 'XX')
+      end
+
+      # "CF-Connecting-IP: A.B.C.D"
+      def connecting_ip
+        @connecting_ip ||= IPs.parse(@headers[HTTP_CF_CONNECTING_IP]).first
+      end
+
+      # "X-Forwarded-For: A.B.C.D"
+      # "X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"
+      def forwarded_for
+        @forwarded_for ||= IPs.parse(@headers[HTTP_X_FORWARDED_FOR])
+      end
+
+      # "X-Forwarded-Proto: https"
+      def forwarded_proto
+        @headers[HTTP_X_FORWARDED_PROTO]
+      end
+
+      # "Cf-Ray: 230b030023ae2822-SJC"
+      def ray
+        @headers[HTTP_CF_RAY]
+      end
+
+      # "Cf-Visitor: { \"scheme\":\"https\"}"
+      def visitor
+        return unless has?(HTTP_CF_VISITOR)
+        JSON.parse @headers[HTTP_CF_VISITOR]
+      end
+
+      def remote_addr
+        @remote_addr ||= IPs.parse(@headers[REMOTE_ADDR]).first
+      end
+
+      # Indicates if the headers passed through Cloudflare
+      def trusted?
+        IPs.list.any? { |range| range.include? remote_addr }
+      end
+
+      def backup_headers
+        return {} unless Headers.backup
+
+        {}.tap do |headers|
+          headers[Headers.original_remote_addr]   = @headers[REMOTE_ADDR]
+          headers[Headers.original_forwarded_for] = @headers[HTTP_X_FORWARDED_FOR]
+        end
+      end
+
+      def rewritten_headers
+        # Only rewrites headers if it's a Cloudflare request
+        return {} unless trusted?
+
+        {}.tap do |headers|
+          headers.merge! backup_headers
+
+          # Overwrite the original remote IP based on
+          # Cloudflare's specified original remote IP
+          headers[REMOTE_ADDR] = connecting_ip.to_s if connecting_ip
+
+          # Add HTTP_X_FORWARDED_FOR if it wasn't present.
+          # Cloudflare will already have modified the header if
+          # it was present in the original request.
+          # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+          headers[HTTP_X_FORWARDED_FOR] = "#{connecting_ip}, #{remote_addr}" if forwarded_for.none?
+        end
+      end
+
+      # Headers that relate to Cloudflare
+      # See: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+      def target_headers
+        @headers.select { |k, _| ALL.include? k }
+      end
+
+      def rewritten_target_headers
+        target_headers.merge(rewritten_headers)
+      end
+
+      def rewrite
+        @headers.merge(rewritten_headers)
+      end
+
+      def has?(header)
+        @headers.key?(header)
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/ips.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+require 'net/http'
+
+module Rack
+  class Cloudflare
+    module IPs
+      # See: https://www.cloudflare.com/ips/
+      V4_URL = 'https://www.cloudflare.com/ips-v4'
+      V6_URL = 'https://www.cloudflare.com/ips-v6'
+
+      class << self
+        # List of IPs to reference
+        attr_accessor :list
+
+        # Refresh list of IPs in case local copy is outdated
+        def refresh!
+          self.list = fetch(V4_URL) + fetch(V6_URL)
+        end
+
+        def fetch(url)
+          parse Net::HTTP.get(URI(url))
+        end
+
+        def read(filename)
+          parse File.read(filename)
+        end
+
+        def parse(string)
+          return [] if string.to_s.strip.empty?
+          string.split(/[,\s]+/).map { |ip| IPAddr.new(ip.strip) }
+        end
+      end
+
+      V4 = read("#{__dir__}/../../../data/ips_v4.txt")
+      V6 = read("#{__dir__}/../../../data/ips_v6.txt")
+
+      DEFAULTS = V4 + V6
+
+      ### Configure
+
+      self.list = DEFAULTS
+    end
+  end
+end

data/lib/rack/cloudflare/middleware/access_control.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cloudflare
+    module Middleware
+      class AccessControl
+        class << self
+          attr_accessor :blocked_response, :blocked_message
+        end
+
+        self.blocked_message  = 'Forbidden'
+        self.blocked_response = lambda do |_env|
+          [403, { 'Content-Type' => 'text/plain' }, ["#{blocked_message.strip}\n"]]
+        end
+
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          headers = Headers.new(env)
+
+          if headers.trusted?
+            Cloudflare.info "[#{self.class.name}] Trusted Network (REMOTE_ADDR): #{headers.target_headers}"
+            @app.call(env)
+          else
+            Cloudflare.warn "[#{self.class.name}] Untrusted Network (REMOTE_ADDR): #{headers.target_headers}"
+            AccessControl.blocked_response.call(env)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/middleware/rewrite_headers.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Rack
+  class Cloudflare
+    module Middleware
+      class RewriteHeaders
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          headers = Headers.new(env)
+
+          Cloudflare.warn "[#{self.class.name}] Untrusted Network (REMOTE_ADDR): #{headers.target_headers}" unless headers.trusted?
+          Cloudflare.debug "[#{self.class.name}] Target Headers: #{headers.target_headers}"
+          Cloudflare.debug "[#{self.class.name}] Rewritten Headers: #{headers.rewritten_target_headers}"
+
+          @app.call(headers.rewrite)
+        end
+      end
+    end
+  end
+end

data/lib/rack/cloudflare/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
-  module Cloudflare
-    VERSION = '0.1.0'.freeze
+  class Cloudflare
+    VERSION = '1.0.0'
   end
 end

data/rack-cloudflare.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cloudflare/version'
@@ -24,4 +26,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 1.16'
   spec.add_development_dependency 'rake',    '~> 10.0'
   spec.add_development_dependency 'rspec',   '~> 3.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubycritic'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Joel Van Horn
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-09-13 00:00:00.000000000 Z
+date: 2018-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubycritic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Deal with Cloudflare features in Rack-based apps.
 email:
 - joel@joelvanhorn.com
@@ -61,14 +89,23 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
 - Gemfile
 - README.md
 - Rakefile
 - bin/console
 - bin/setup
+- data/ips_v4.txt
+- data/ips_v6.txt
 - lib/rack/cloudflare.rb
+- lib/rack/cloudflare/countries.rb
+- lib/rack/cloudflare/headers.rb
+- lib/rack/cloudflare/ips.rb
+- lib/rack/cloudflare/middleware/access_control.rb
+- lib/rack/cloudflare/middleware/rewrite_headers.rb
 - lib/rack/cloudflare/version.rb
+- rack-cloudflare-0.1.0.gem
 - rack-cloudflare.gemspec
 homepage: https://github.com/joelvh/rack-cloudflare
 licenses: []