rack-cloudflare_middleware 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e108186bec2a6dff38a2f6fa5edcfd196aa4e2199333a61d8c9a888edf65c3be
-  data.tar.gz: a8e0131c2fd8270784ed1155f114892bc26e3f65bf1eda55a547450bdf272fdb
+  metadata.gz: 1d791a3a095bff874bd6a9f6b400a03d1d9a442417720af6dc504738048f5011
+  data.tar.gz: 75d1b89659db8315982e2ce22020611f4522c9d80b6e25253bf3132d3529babe
 SHA512:
-  metadata.gz: 5762e62571ea9c5dce83039b0616a3074a0ffa0f165430c4cc5dbc5c70ef0d3d34553965abe3f85c3c8e6222f0247290e1acb8a4538538e30bd1b88e6f5bbe7a
-  data.tar.gz: f04fa0b616f69d62f81568dc29c5e0428511a884e774685a6d869dfbef5765c9b0cac577fc42d1f08d747084369a1ff11baba8853cbbc36b71e8fee20e7773b2
+  metadata.gz: 0cd8c07c159038648cd922543f0ab50a764ee99075a02fd4a1a2b6b11c5d8f2f53351f71646790e864e0e3e559f7e28256240ee99512f1b99a710b6577eba1ab
+  data.tar.gz: 8fc4cbc087364618a42298f20bc23a6e46be124db6f509ece22ddb5971d1bda081019b2a479cb563bfb40a21e1d11178a686368cb249b19bc2d57c70cab7661c

data/.github/workflows/ci.yml

@@ -19,9 +19,9 @@ jobs:
         ruby: ["2.7", "3.0", "3.1", "3.2"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
@@ -35,9 +35,9 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
         with:
           bundler-cache: true
           ruby-version: "3.1"
@@ -48,4 +48,4 @@ jobs:
         with:
           python-version: "3.10"
       - name: Run pre-commit
-        uses: pre-commit/action@efd3bcfec120bd343786e46318186153b7bc8c68
+        uses: pre-commit/action@5f528da5c95691c4cf42ff76a4d10854b62cbb82

data/.github/workflows/release.yml

@@ -7,9 +7,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
         with:
           bundler-cache: true
           ruby-version: "3.2"

data/CHANGELOG.md

@@ -0,0 +1,10 @@
+v1.1.0 - 2023-03-31
+-------------------
+- Expand requirements to allow using Rack 3.x
+- Add `trust_xff_if_private` kwarg to both middlewares
+- Add `on_fail_proc` to DenyOthers middleware
+- Bump various build-time dependencies
+
+v1.0.0 - 2023-03-31
+-------------------
+- Initial release

data/Gemfile

@@ -4,7 +4,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "faraday", "~> 1.0"
+gem "faraday", "~> 2.7"
 gem "rake", "~> 13.0"
 
 group :development, :test do

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    rack-cloudflare_middleware (1.0.0)
+    rack-cloudflare_middleware (1.1.0)
       faraday (>= 1.0, < 3)
-      rack (~> 2)
+      rack (>= 2, < 4)
 
 GEM
   remote: https://rubygems.org/
@@ -20,34 +20,14 @@ GEM
     crack (0.4.5)
       rexml
     diff-lcs (1.5.0)
-    faraday (1.10.3)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.7.4)
+      faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.2)
     hashdiff (1.0.1)
     json (2.6.3)
     language_server-protocol (3.17.0.3)
     method_source (1.0.0)
-    multipart-post (2.3.0)
     parallel (1.22.1)
     parser (3.2.1.1)
       ast (~> 2.4.1)
@@ -55,7 +35,7 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (5.0.1)
-    rack (2.2.6.4)
+    rack (3.0.7)
     rack-test (2.1.0)
       rack (>= 1.3)
     rainbow (3.1.1)
@@ -113,7 +93,7 @@ PLATFORMS
 DEPENDENCIES
   bundle-audit (~> 0.1.0)
   bundler (~> 2)
-  faraday (~> 1.0)
+  faraday (~> 2.7)
   pry
   rack-cloudflare_middleware!
   rack-test (~> 2)

data/README.md

@@ -1,5 +1,8 @@
 This is a small Rack middleware for use with the [Cloudflare](https://www.cloudflare.com/) CDN.
 
+[![CI](https://github.com/instrumentl/rack-cloudflare_middleware/actions/workflows/ci.yml/badge.svg)](https://github.com/instrumentl/rack-cloudflare_middleware/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/rack-cloudflare_middleware.svg)](https://badge.fury.io/rb/rack-cloudflare_middleware)
+
 We include two middlewares:
 
  * `Rack::CloudflareMiddleware::RewriteRemoteAddr` swaps in `CF-Connecting-IP` for `REMOTE_ADDR` if and only if the "real" remote address is a trusted Cloudflare source IP address.
@@ -27,3 +30,16 @@ run Sinatra::Application
 ```
 
 The `allow_private` kwarg to `DenyOthers` controls whether or not private and loopback addresses are allowed through. Whether or not you should set this depends on the exact specifics of your deployment environment; often it should be set in development, but not in production.
+
+`DenyOthers` also takes an `on_fail_proc` kwarg which receives the request environment and should return an appropriate error response (as a standard Rack tuple of `(status, headers, body)`). Example usage:
+
+```ruby
+require "rack/cloudflare_middleware"
+
+use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
+  MyLogger.warn "Bad request from #{env["REMOTE_ADDR"]}"
+  [403, {"Content-Type" => "text/plain"}, ["you did a bad thing"]]
+end
+```
+
+Both middlewares also include a convenience called `trust_xff_if_private` mode; this will change them to use the right-most contents of `X-Forwarded-For` as `REMOTE_ADDR` if and only if the actual `REMOTE_ADDR` is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of `X-Forwarded-For`. There have been many security issues related to Heroku's poor parsing of `X-Forwarded-For` in their router/load-balancer layer, and may be more in the future.

data/lib/rack/cloudflare_middleware/deny_others.rb

@@ -3,20 +3,30 @@
 module Rack
   module CloudflareMiddleware
     class DenyOthers
-      def initialize(app, allow_private: false)
+      def initialize(app, allow_private: false, on_fail_proc: nil, trust_xff_if_private: false)
         @allow_private = allow_private
+        @on_fail_proc = on_fail_proc
+        @trust_xff_if_private = trust_xff_if_private
         @app = app
       end
 
       def call(env)
         TrustedIps.instance.check_update
-        remote_addr = IPAddr.new env["REMOTE_ADDR"]
+        remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
         if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr)
           @app.call(env)
+        elsif @on_fail_proc.nil?
+          default_on_fail(remote_addr)
         else
-          ["403", {"Content-Type" => "text/plain"}, ["Forbidden by policy statement"]]
+          @on_fail_proc.call(env)
         end
       end
+
+      private
+
+      def default_on_fail(remote_addr)
+        ["403", {"Content-Type" => "text/plain"}, ["Forbidden by policy statement (#{remote_addr})"]]
+      end
     end
   end
 end

data/lib/rack/cloudflare_middleware/rewrite_remote_addr.rb

@@ -3,15 +3,17 @@
 module Rack
   module CloudflareMiddleware
     class RewriteRemoteAddr
-      def initialize(app)
+      def initialize(app, trust_xff_if_private: false)
+        @trust_xff_if_private = trust_xff_if_private
         @app = app
       end
 
       def call(env)
         TrustedIps.instance.check_update
-        if TrustedIps.instance.include? env["REMOTE_ADDR"]
+        remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
+        if TrustedIps.instance.include? remote_addr
           unless env["HTTP_CF_CONNECTING_IP"].nil?
-            env["HTTP_CF_ORIGINAL_REMOTE_ADDR"] = env["REMOTE_ADDR"]
+            env["HTTP_CF_ORIGINAL_REMOTE_ADDR"] = remote_addr
             env["REMOTE_ADDR"] = env["HTTP_CF_CONNECTING_IP"]
           end
         end

data/lib/rack/cloudflare_middleware/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module CloudflareMiddleware
-    VERSION = "1.0.0"
+    VERSION = "1.1.0"
   end
 end

data/lib/rack/cloudflare_middleware.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "ipaddr"
+
 require_relative "cloudflare_middleware/version"
 require_relative "cloudflare_middleware/trusted_ips"
 require_relative "cloudflare_middleware/rewrite_remote_addr"
@@ -7,6 +9,13 @@ require_relative "cloudflare_middleware/deny_others"
 
 module Rack
   module CloudflareMiddleware
-    attr_accessor :logger
+    def self.get_remote_addr(env, trust_xff_if_private)
+      if trust_xff_if_private && IPAddr.new(env["REMOTE_ADDR"]).private? &&
+          !env["HTTP_X_FORWARDED_FOR"].nil? && env["HTTP_X_FORWARDED_FOR"] != ""
+        IPAddr.new(env["HTTP_X_FORWARDED_FOR"].split(",")&.last&.strip)
+      else
+        IPAddr.new(env["REMOTE_ADDR"])
+      end
+    end
   end
 end

data/rack-cloudflare_middleware.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "faraday", ">= 1.0", "< 3"
-  spec.add_dependency "rack", "~> 2"
+  spec.add_dependency "rack", ">= 2", "< 4"
 
   spec.add_development_dependency "bundler", "~> 2"
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare_middleware
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - James Brown
@@ -34,16 +34,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -113,6 +119,7 @@ files:
 - ".gitignore"
 - ".pre-commit-config.yaml"
 - ".rubocop.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -144,7 +151,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.4.10
 signing_key: 
 specification_version: 4
 summary: Rack middleware for handling Cloudflare remote IP headers