rack-cloudflare_middleware 1.1.0 → 1.2.1
- checksums.yaml +4 -4
- data/.github/dependabot.yml +4 -0
- data/.github/workflows/ci.yml +9 -9
- data/.github/workflows/release.yml +3 -3
- data/.pre-commit-config.yaml +1 -1
- data/CHANGELOG.md +10 -0
- data/Gemfile +1 -1
- data/Gemfile.lock +36 -23
- data/README.md +9 -0
- data/lib/rack/cloudflare_middleware/deny_others.rb +3 -2
- data/lib/rack/cloudflare_middleware/trusted_ips.rb +2 -2
- data/lib/rack/cloudflare_middleware/version.rb +1 -1
- data/rack-cloudflare_middleware.gemspec +2 -0
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 94b610b53380179d91c61ccbbbf7b4c624daf3e8fa35cd27d5af29be5162943f
|
4
|
+
data.tar.gz: e1448c8c0781ce69c42725372a711d3e382f646164ea4d03d5cd10519a3b7d74
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ba708b039e3745945858582255235c6665ba932e3879874f321f006f7d66d193e24d121948c0a5c61d230d361edc20bab8bfa1aaa21eb71b07a91f29bf316fb7
|
7
|
+
data.tar.gz: 96a5395cdc80a1dbe181522b35dbc2868d49ad9b9d2964b895e118323ef2d139ade65caee49403e685e55fdd109ade8093173a102f3288e47bf5574ccb4bdffc
|
data/.github/dependabot.yml
CHANGED
@@ -10,6 +10,8 @@ updates:
|
|
10
10
|
schedule:
|
11
11
|
interval: "weekly"
|
12
12
|
day: "wednesday"
|
13
|
+
reviewers:
|
14
|
+
- instrumentl/code-reviewers
|
13
15
|
labels:
|
14
16
|
- ":robot: dependabot"
|
15
17
|
- ":octocat: github-actions"
|
@@ -23,3 +25,5 @@ updates:
|
|
23
25
|
- ":robot: dependabot"
|
24
26
|
- ":gem: ruby"
|
25
27
|
- ":heavy_plus_sign: dependencies"
|
28
|
+
reviewers:
|
29
|
+
- instrumentl/code-reviewers
|
data/.github/workflows/ci.yml
CHANGED
@@ -16,12 +16,12 @@ jobs:
|
|
16
16
|
strategy:
|
17
17
|
fail-fast: true
|
18
18
|
matrix:
|
19
|
-
ruby: ["2.7", "3.0", "3.1", "3.2"]
|
19
|
+
ruby: ["2.7", "3.0", "3.1", "3.2", "3.3"]
|
20
20
|
steps:
|
21
21
|
- name: Checkout code
|
22
|
-
uses: actions/checkout@
|
22
|
+
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
|
23
23
|
- name: Install Ruby and gems
|
24
|
-
uses: ruby/setup-ruby@
|
24
|
+
uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
|
25
25
|
with:
|
26
26
|
bundler-cache: true
|
27
27
|
ruby-version: ${{ matrix.ruby }}
|
@@ -35,17 +35,17 @@ jobs:
|
|
35
35
|
contents: read
|
36
36
|
steps:
|
37
37
|
- name: Checkout code
|
38
|
-
uses: actions/checkout@
|
38
|
+
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
|
39
39
|
- name: Install Ruby and gems
|
40
|
-
uses: ruby/setup-ruby@
|
40
|
+
uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
|
41
41
|
with:
|
42
42
|
bundler-cache: true
|
43
|
-
ruby-version: "3.
|
43
|
+
ruby-version: "3.3"
|
44
44
|
- name: Bundle Audit Check
|
45
45
|
run: bundle exec bundle-audit update && bundle exec bundle-audit check
|
46
46
|
- name: Setup Python
|
47
|
-
uses: actions/setup-python@
|
47
|
+
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
|
48
48
|
with:
|
49
|
-
python-version: "3.
|
49
|
+
python-version: "3.12"
|
50
50
|
- name: Run pre-commit
|
51
|
-
uses: pre-commit/action@
|
51
|
+
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
|
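Review bot: The new `uses:` pins are bare commit hashes with no tag comment, so a reader of the changed lines (`actions/checkout@b4ffde65…`, `ruby/setup-ruby@d4526a55…`, `actions/setup-python@0a5c6159…`, `pre-commit/action@2c7b3805…`) cannot tell which release each hash was meant to be, and a hash that has drifted from its tag is hard to spot in review. Append the tag as a trailing comment, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # vX.Y.Z` (placeholder; fill in the tag the hash resolves to), which Dependabot also keeps in sync when it bumps the hash. Pinning to a full SHA rather than a mutable tag is the right call here; the comment only makes it auditable. The same applies to the hunk that follows (`@@ -7,12 +7,12 @@ jobs:`, which from the file list appears to be the release workflow).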
@@ -7,12 +7,12 @@ jobs:
|
|
7
7
|
runs-on: ubuntu-latest
|
8
8
|
steps:
|
9
9
|
- name: Checkout code
|
10
|
-
uses: actions/checkout@
|
10
|
+
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
|
11
11
|
- name: Install Ruby and gems
|
12
|
-
uses: ruby/setup-ruby@
|
12
|
+
uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
|
13
13
|
with:
|
14
14
|
bundler-cache: true
|
15
|
-
ruby-version: "3.
|
15
|
+
ruby-version: "3.3"
|
16
16
|
- name: Publish gem
|
17
17
|
run: |
|
18
18
|
umask 077
|
data/.pre-commit-config.yaml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
v1.2.1 - 2024-02-23
|
2
|
+
-------------------
|
3
|
+
- Update cloudflare trusted IP URL to include new required trailing slash
|
4
|
+
- Many dependabot bumps
|
5
|
+
|
6
|
+
v1.2.0 - 2023-06-05
|
7
|
+
-------------------
|
8
|
+
- Set `required_ruby_version` in the gemspec
|
9
|
+
- Add `trusted_request_proc` kwarg to DenyOthers middleware
|
10
|
+
|
1
11
|
v1.1.0 - 2023-03-31
|
2
12
|
-------------------
|
3
13
|
- Expand requirements to allow using Rack 3.x
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
rack-cloudflare_middleware (1.1
|
4
|
+
rack-cloudflare_middleware (1.2.1)
|
5
5
|
faraday (>= 1.0, < 3)
|
6
6
|
rack (>= 2, < 4)
|
7
7
|
|
8
8
|
GEM
|
9
9
|
remote: https://rubygems.org/
|
10
10
|
specs:
|
11
|
-
addressable (2.8.
|
11
|
+
addressable (2.8.5)
|
12
12
|
public_suffix (>= 2.0.2, < 6.0)
|
13
13
|
ast (2.4.2)
|
14
14
|
bundle-audit (0.1.0)
|
@@ -20,28 +20,31 @@ GEM
|
|
20
20
|
crack (0.4.5)
|
21
21
|
rexml
|
22
22
|
diff-lcs (1.5.0)
|
23
|
-
faraday (2.7.
|
23
|
+
faraday (2.7.10)
|
24
24
|
faraday-net_http (>= 2.0, < 3.1)
|
25
25
|
ruby2_keywords (>= 0.0.4)
|
26
26
|
faraday-net_http (3.0.2)
|
27
27
|
hashdiff (1.0.1)
|
28
|
-
json (2.
|
28
|
+
json (2.7.1)
|
29
29
|
language_server-protocol (3.17.0.3)
|
30
|
+
lint_roller (1.1.0)
|
30
31
|
method_source (1.0.0)
|
31
|
-
parallel (1.
|
32
|
-
parser (3.
|
32
|
+
parallel (1.24.0)
|
33
|
+
parser (3.3.0.5)
|
33
34
|
ast (~> 2.4.1)
|
35
|
+
racc
|
34
36
|
pry (0.14.2)
|
35
37
|
coderay (~> 1.1)
|
36
38
|
method_source (~> 1.0)
|
37
|
-
public_suffix (5.0.
|
38
|
-
|
39
|
+
public_suffix (5.0.3)
|
40
|
+
racc (1.7.3)
|
41
|
+
rack (3.0.9.1)
|
39
42
|
rack-test (2.1.0)
|
40
43
|
rack (>= 1.3)
|
41
44
|
rainbow (3.1.1)
|
42
45
|
rake (13.0.6)
|
43
|
-
regexp_parser (2.
|
44
|
-
rexml (3.2.
|
46
|
+
regexp_parser (2.9.0)
|
47
|
+
rexml (3.2.6)
|
45
48
|
rspec (3.12.0)
|
46
49
|
rspec-core (~> 3.12.0)
|
47
50
|
rspec-expectations (~> 3.12.0)
|
@@ -58,36 +61,46 @@ GEM
|
|
58
61
|
diff-lcs (>= 1.2.0, < 2.0)
|
59
62
|
rspec-support (~> 3.12.0)
|
60
63
|
rspec-support (3.12.0)
|
61
|
-
rubocop (1.
|
64
|
+
rubocop (1.60.2)
|
62
65
|
json (~> 2.3)
|
66
|
+
language_server-protocol (>= 3.17.0)
|
63
67
|
parallel (~> 1.10)
|
64
|
-
parser (>= 3.
|
68
|
+
parser (>= 3.3.0.2)
|
65
69
|
rainbow (>= 2.2.2, < 4.0)
|
66
70
|
regexp_parser (>= 1.8, < 3.0)
|
67
71
|
rexml (>= 3.2.5, < 4.0)
|
68
|
-
rubocop-ast (>= 1.
|
72
|
+
rubocop-ast (>= 1.30.0, < 2.0)
|
69
73
|
ruby-progressbar (~> 1.7)
|
70
74
|
unicode-display_width (>= 2.4.0, < 3.0)
|
71
|
-
rubocop-ast (1.
|
75
|
+
rubocop-ast (1.30.0)
|
72
76
|
parser (>= 3.2.1.0)
|
73
|
-
rubocop-performance (1.
|
74
|
-
rubocop (>= 1.
|
75
|
-
rubocop-ast (>=
|
77
|
+
rubocop-performance (1.20.2)
|
78
|
+
rubocop (>= 1.48.1, < 2.0)
|
79
|
+
rubocop-ast (>= 1.30.0, < 2.0)
|
76
80
|
ruby-progressbar (1.13.0)
|
77
81
|
ruby2_keywords (0.0.5)
|
78
|
-
standard (1.
|
82
|
+
standard (1.34.0)
|
79
83
|
language_server-protocol (~> 3.17.0.2)
|
80
|
-
|
81
|
-
rubocop
|
84
|
+
lint_roller (~> 1.0)
|
85
|
+
rubocop (~> 1.60)
|
86
|
+
standard-custom (~> 1.0.0)
|
87
|
+
standard-performance (~> 1.3)
|
88
|
+
standard-custom (1.0.2)
|
89
|
+
lint_roller (~> 1.0)
|
90
|
+
rubocop (~> 1.50)
|
91
|
+
standard-performance (1.3.1)
|
92
|
+
lint_roller (~> 1.1)
|
93
|
+
rubocop-performance (~> 1.20.2)
|
82
94
|
thor (1.2.1)
|
83
|
-
unicode-display_width (2.
|
84
|
-
webmock (3.
|
95
|
+
unicode-display_width (2.5.0)
|
96
|
+
webmock (3.19.1)
|
85
97
|
addressable (>= 2.8.0)
|
86
98
|
crack (>= 0.3.2)
|
87
99
|
hashdiff (>= 0.4.0, < 2.0.0)
|
88
100
|
|
89
101
|
PLATFORMS
|
90
102
|
arm64-darwin-22
|
103
|
+
arm64-darwin-23
|
91
104
|
x86_64-linux
|
92
105
|
|
93
106
|
DEPENDENCIES
|
@@ -101,7 +114,7 @@ DEPENDENCIES
|
|
101
114
|
rspec (~> 3.0)
|
102
115
|
rspec-its (~> 1.3)
|
103
116
|
standard (~> 1)
|
104
|
-
webmock (~> 3.
|
117
|
+
webmock (~> 3.19)
|
105
118
|
|
106
119
|
BUNDLED WITH
|
107
120
|
2.4.7
|
data/README.md
CHANGED
@@ -42,4 +42,13 @@ use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
|
|
42
42
|
end
|
43
43
|
```
|
44
44
|
|
45
|
+
`DenyOthers` also takes a `trusted_request_proc` which receives a `Rack::Request` object and should return a boolean of whether or not the request is to be allowed through regardless of Source IP. This is primarily intended for healthchecks. Example usage:
|
46
|
+
|
47
|
+
```ruby
|
48
|
+
require "rack/cloudflare_middleware"
|
49
|
+
use Rack::CloudflareMiddleware::DenyOthers, trusted_request_proc: ->(request) do
|
50
|
+
request.path.start_with? "/health/check"
|
51
|
+
end
|
52
|
+
```
|
53
|
+
|
45
54
|
Both middlewares also include a convenience called `trust_xff_if_private` mode; this will change them to use the right-most contents of `X-Forwarded-For` as `REMOTE_ADDR` if and only if the actual `REMOTE_ADDR` is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of `X-Forwarded-For`. There have been many security issues related to Heroku's poor parsing of `X-Forwarded-For` in their router/load-balancer layer, and may be more in the future.
|
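--- a/data/lib/rack/cloudflare_middleware/deny_others.rb
+++ b/data/lib/rack/cloudflare_middleware/deny_others.rb
@@ -3,8 +3,9 @@
 module Rack
 module CloudflareMiddleware
 class DenyOthers
-def initialize(app, allow_private: false, on_fail_proc: nil, trust_xff_if_private: false)
+def initialize(app, allow_private: false, trusted_request_proc: nil, on_fail_proc: nil, trust_xff_if_private: false)
 @allow_private = allow_private
+@trusted_request_proc = trusted_request_proc
 @on_fail_proc = on_fail_proc
 @trust_xff_if_private = trust_xff_if_private
 @app = app
@@ -13,7 +14,7 @@ module Rack
 def call(env)
 TrustedIps.instance.check_update
 remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
-if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr)
+if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr) || @trusted_request_proc&.call(Rack::Request.new(env))
 @app.call(env)
 elsif @on_fail_proc.nil?
 default_on_fail(remote_addr)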
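Review bot: The admit condition on the new `if` line in `call` now chains three disjuncts, and nothing in the code says that a truthy `@trusted_request_proc` result bypasses the Cloudflare IP allowlist entirely — the proc's return value is used as plain truthiness, so a proc that happens to return a String or Array admits the request as well, which the README's "should return a boolean" wording does not make clear. I would extract the policy into a private predicate so it reads in one place and carries that caveat as a comment; the rewrite is below. `Rack::Request.new(env)` is still only built when the IP checks fail, since the proc stays the last disjunct. `call` continues past the end of the hunk, and `initialize` closes outside the first hunk.

```ruby
def call(env)
  TrustedIps.instance.check_update
  remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
  if trusted?(env, remote_addr)
    @app.call(env)
  # … unchanged: on_fail branches and the rest of call …

# Admission policy, evaluated in order: private/loopback source (only when
# allow_private), a published Cloudflare edge address, then the caller's
# trusted_request_proc. A truthy proc result admits the request regardless of
# source IP, so keep that proc limited to endpoints that are safe to expose
# without Cloudflare in front of them.
def trusted?(env, remote_addr)
  return true if @allow_private && (remote_addr.private? || remote_addr.loopback?)
  return true if TrustedIps.instance.include?(remote_addr)
  return false unless @trusted_request_proc

  @trusted_request_proc.call(Rack::Request.new(env))
end
```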
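--- a/data/lib/rack/cloudflare_middleware/trusted_ips.rb
+++ b/data/lib/rack/cloudflare_middleware/trusted_ips.rb
@@ -40,8 +40,8 @@ module Rack
 end
 
 def update!
-read_network "https://www.cloudflare.com/ips-v4", 4
-read_network "https://www.cloudflare.com/ips-v6", 6
+read_network "https://www.cloudflare.com/ips-v4/", 4
+read_network "https://www.cloudflare.com/ips-v6/", 6
 end
 
 def check_update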
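Review bot: The two Cloudflare list URLs in `update!` are bare literals, and the only record of why the trailing slash matters is the changelog entry, so a later tidy-up could easily drop it again and silently break the allowlist refresh. I would hoist them into frozen constants with the reason attached, e.g. `# Trailing slash is required by cloudflare.com (see CHANGELOG v1.2.1); do not remove.` above `IPS_V4_URL = "https://www.cloudflare.com/ips-v4/".freeze` and `IPS_V6_URL = "https://www.cloudflare.com/ips-v6/".freeze`, with `update!` calling `read_network IPS_V4_URL, 4`. What actually happens without the slash depends on `read_network`, whose body is outside the hunk, so confirm the failure mode before wording the comment more specifically.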
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-cloudflare_middleware
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1
|
4
|
+
version: 1.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- James Brown
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-02-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: faraday
|
@@ -144,14 +144,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
144
144
|
requirements:
|
145
145
|
- - ">="
|
146
146
|
- !ruby/object:Gem::Version
|
147
|
-
version: '
|
147
|
+
version: '2.7'
|
148
148
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
150
|
- - ">="
|
151
151
|
- !ruby/object:Gem::Version
|
152
152
|
version: '0'
|
153
153
|
requirements: []
|
154
|
-
rubygems_version: 3.
|
154
|
+
rubygems_version: 3.5.3
|
155
155
|
signing_key:
|
156
156
|
specification_version: 4
|
157
157
|
summary: Rack middleware for handling Cloudflare remote IP headers
|