rack-dedos 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69f8976f9ee4fc15e9c0b3915020919fa72014acb8577933a5bdcd02b674570c
-  data.tar.gz: 31bbb973f18eee8e22ed576a12846f6443d1ab2106fa3b8a1cdf6b52cc374464
+  metadata.gz: 44d58ef342f579aa4245e7e3f8dd41b505f576331c6bb5f65d4c7b6e5e07e74f
+  data.tar.gz: 6b63cf01106e9f09d2fea0daee7691b0d263fcdc48e4c7b44bcf04144c4468b4
 SHA512:
-  metadata.gz: f506c9e93a4eb859a79c74c2053e493455aa13ebe8487fc42650a59bdb3e65da862b02cfab1cbfc54cb2186e340e014547bf6df4caf4f0afe2eae7233f3c9c1a
-  data.tar.gz: 9a18dfe754ea786cbef049ec91a11108fb36c272ce954190331612089412957f3056f0635f6bf520a60ff0ab3373678067f6fcc5a7cf4e05799b170a6139a26f
+  metadata.gz: cb872c5c6d1a339bbf62220fdd1c179349ed28d266d291fdca4013527039e5290539a5e60adee88c570e87de0b04a93ac808a99103f5faeda4d5616acaf88995
+  data.tar.gz: eedf962195f3eacea34330bfc4b158263ee15d57684a18f6bd48aa26a78e49e92fa73fcb96ec043e18e1b96dfcfbd586c5117cd805b8c3b96e2f3b52d14982e0

checksums.yaml.gz.sig

@@ -1,2 +1,2 @@
-�n
-
�.�D�j��v����=0��91[�⅑E��"g�({[�n��:�s�fqSc���+����c�Ș��58j���`�j�~ur��sn�-�m�P@���#D�.�p�!%`W�{3qw���$|�3�Dݴ��nJR�ڥW�ߦ��CΘ�2��k9>|����c�e@�K6��I뒢�y�,��*C���il�G�:I�zk��X��G��HP�VK��$�_��s�}8b0�L�JX9����4@��R]:
+^细�-*��T:F�����t�+
+A+�����

data/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 Nothing so far
 
+## 0.2.1
+
+#### Fixes
+
+* Fix paths on conditional requires
+* Renew certificate
+
+## 0.2.0
+
+#### Changes
+
+* Determine real client IP
+* Drop autoload and put filters in proper namespace
+
 ## 0.1.0
 
 #### Initial implementation

data/README.md

@@ -1,7 +1,7 @@
 [![Version](https://img.shields.io/gem/v/rack-dedos.svg?style=flat)](https://rubygems.org/gems/rack-dedos)
 [![Tests](https://img.shields.io/github/actions/workflow/status/svoop/rack-dedos/test.yml?style=flat&label=tests)](https://github.com/svoop/rack-dedos/actions?workflow=Test)
 [![Code Climate](https://img.shields.io/codeclimate/maintainability/svoop/rack-dedos.svg?style=flat)](https://codeclimate.com/github/svoop/rack-dedos/)
-[![Donorbox](https://img.shields.io/badge/donate-on_donorbox-yellow.svg)](https://donorbox.org/bitcetera)
+[![GitHub Sponsors](https://img.shields.io/github/sponsors/svoop.svg)](https://github.com/sponsors/svoop)
 
 <img src="https://github.com/svoop/rack-dedos/raw/main/doc/chop-chop.png" alt="chop-chop" align="right">
 
@@ -15,6 +15,8 @@ The filters have been proven to work against certain DoS attacks, however, they
 * [API](https://www.rubydoc.info/gems/rack-dedos)
 * Author: [Sven Schwyn - Bitcetera](https://bitcetera.com)
 
+Thank you for supporting free and open-source software by sponsoring on [GitHub](https://github.com/sponsors/svoop) or on [Donorbox](https://donorbox.com/bitcetera). Any gesture is appreciated, from a single Euro for a ☕️ cup of coffee to 🍹 early retirement.
+
 ## Install
 
 ### Security
@@ -83,11 +85,11 @@ use Rack::Dedos,
 
 ## Filters
 
-By default, all filters described below are applied. You can exclude exclude certain filters:
+By default, all filters described below are applied. You can exclude certain filters:
 
 ```ruby
 use Rack::Dedos,
-  exclude: [:user_agent]
+  except: [:user_agent]
 ```
 
 To only apply one specific filter, use the corresponding class as shown below.
@@ -95,7 +97,7 @@ To only apply one specific filter, use the corresponding class as shown below.
 ### User Agent Filter
 
 ```ruby
-use Rack::Dedos::UserAgent,
+use Rack::Dedos::Filters::UserAgent,
   cache_url: 'redis://redis.example.com:6379/12',   # db 12 on default port
   cache_key_prefix: 'dedos',   # key prefix for shared caches (default: nil)
   cache_period: 1800   # seconds (default: 900)
@@ -111,7 +113,7 @@ The following cache backends are supported:
 ### Country Filter
 
 ```ruby
-use Rack::Dedos::Country,
+use Rack::Dedos::Filters::Country,
   maxmind_db_file: '/var/db/maxmind/GeoLite2-Country.mmdb',
   allowed_countries: %i(AT CH DE),
   denied_countries: %i(RU)
@@ -137,6 +139,21 @@ tar -xz -C /tmp -f /tmp/geoipupdate.tgz
 /tmp/geoipupdate_${version}_${arch}/geoipupdate -f "${conf}" -d "${dir}"
 ```
 
+## Real Client IP
+
+A word on how the real client IP is determined. Both Rack 2 and Rack 3 (up to 3.0.7 at the time of writing) may populate the request `ip` incorrectly. Here's what a minimalistic Rack app deloyed to Render (behind Cloudflare) reports:
+
+> request.ip = 172.71.135.17<br>
+> request.forwarded_for = ["81.XXX.XXX.XXX", "172.71.135.17", "10.201.229.136"]
+
+Obviously, the reported IP 172.71.135.17 is not the real client IP, the correct one is the (redacted) 81.XXX.XXX.XXX.
+
+Due to this flaw, Rack::Dedos determines the real client IP as follows in order of priority:
+
+1. [`Cf-Connecting-Ip` header](https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/#cf-connecting-ip)
+2. First entry of the [`X-Forwarded-For` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
+3. [`ip` reported by Rack](https://github.com/rack/rack/blob/main/lib/rack/request.rb)
+
 ## Development
 
 For all required test fixtures to be present, you have to check out the repo

data/lib/rack/dedos/filters/base.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Rack
+  module Dedos
+    module Filters
+      class Base
+
+        DEFAULT_OPTIONS = {
+          status: 403,
+          text: 'Forbidden (Temporarily Blocked by Rules)'
+        }
+
+        attr_reader :app
+        attr_reader :options
+
+        # @param app [#call]
+        # @param options [Hash{Symbol => Object}]
+        def initialize(app, options = {})
+          @app = app
+          @options = DEFAULT_OPTIONS.merge(options)
+        end
+
+        def call(env)
+          request = Rack::Request.new(env)
+          ip = real_ip(request)
+          if allowed?(request, ip)
+            app.call(env)
+          else
+            warn("rack-dedos: request from #{ip} blocked by #{self.class} `#{@country_code.inspect}'")
+            [options[:status], { 'Content-Type' => 'text/plain' }, [options[:text]]]
+          end
+        end
+
+        private
+
+        def config
+          Rack::Dedos.config
+        end
+
+        # Get the real IP of the client
+        #
+        # If containers and/or proxies such as Cloudflare are in the mix, the
+        # client IP reported by Rack may be wrong. Therefore, we determine the
+        # real client IP using the following priorities:
+        #
+        # 1. Cf-Connecting-Ip header
+        # 2. X-Forwarded-For header (also remove port number)
+        # 3. IP reported by Rack
+        #
+        # @param request [Rack::Request]
+        # @return [String] real client IP
+        def real_ip(request)
+          case
+          when ip = request.get_header('HTTP_CF_CONNECTING_IP')
+            ip
+          when forwarded_for = request.forwarded_for
+            forwarded_for.split(/\s*,\s*/).first&.sub(/:\d+$/, '')
+          else
+            request.ip
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/filters/country.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'maxmind/db'
+
+module Rack
+  module Dedos
+    module Filters
+      class Country < Base
+
+        # @option options [String] :maxmind_db_file MaxMind database file
+        # @option options [Symbol, Array<Symbol>] :allowed_countries ISO 3166-1 alpha 2
+        # @option options [Symbol, Array<Symbol>] :denied_countries ISO 3166-1 alpha 2
+        def initialize(*)
+          super
+          @maxmind_db_file = options[:maxmind_db_file] or fail "MaxMind database file not set"
+          @allowed = case
+            when @countries = options[:allowed_countries] then true
+            when @countries = options[:denied_countries] then false
+            else fail "neither allowed nor denied countries set"
+          end
+          maxmind_db   # hit once to fail on errors at boot
+        end
+
+        def allowed?(request, ip)
+          if country = maxmind_db.get(ip)
+            country_code = country.dig('country', 'iso_code').to_sym
+            @countries.include?(country_code) ? @allowed : !@allowed
+          else   # not found in database
+            true
+          end
+        rescue => error
+          warn("rack-dedos: request from #{ip} allowed due to error: #{error.message}")
+          true
+        end
+
+        private
+
+        def maxmind_db
+          config[:maxmind_db] ||= MaxMind::DB.new(
+            @maxmind_db_file,
+            mode: MaxMind::DB::MODE_FILE
+          )
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/filters/user_agent.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Rack
+  module Dedos
+    module Filters
+      class UserAgent < Base
+
+        # @option options [String] :cache_url URL of the cache backend
+        # @option options [Integer] :cache_period how long to retain cached IP
+        #   addresses in seconds (default: 900)
+        def initialize(*)
+          super
+          @cache_url = options[:cache_url] or fail "cache URL not set"
+          @cache_period = options[:cache_period] || 900
+          @cache_key_prefix = options[:cache_key_prefix]
+          cache   # hit once to fail on errors at boot
+        end
+
+        def allowed?(request, ip)
+          case cache.get(ip)
+          when nil              # first contact
+            cache.set(ip, request.user_agent)
+            true
+          when 'BLOCKED'        # already blocked
+            false
+          when request.user_agent   # user agent hasn't changed
+            true
+          else                  # user agent has changed
+            cache.set(ip, 'BLOCKED')
+            false
+          end
+        rescue => error
+          warn("rack-dedos: request from #{ip} allowed due to error: #{error.message}")
+          true
+        end
+
+        private
+
+        def cache
+          config[:cache] ||= Cache.new(
+            url: @cache_url,
+            expires_in: @cache_period,
+            key_prefix: @cache_key_prefix
+          )
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Dedos
-    VERSION = "0.1.0"
+    VERSION = "0.2.1"
   end
 end

data/lib/rack/dedos.rb

@@ -6,11 +6,9 @@ require_relative 'dedos/version'
 
 module Rack
   module Dedos
-    lib_dir = ::File.expand_path(::File.dirname(__FILE__))
-    autoload :Cache, lib_dir + '/dedos/cache'
-    autoload :Base, lib_dir + '/dedos/base'
-    autoload :UserAgent, lib_dir + '/dedos/user_agent'
-    autoload :Country, lib_dir + '/dedos/country'
+
+    require_relative 'dedos/cache'
+    require_relative 'dedos/filters/base'
 
     class << self
       def config
@@ -21,8 +19,14 @@ module Rack
         except = Array options[:except]
 
         Rack::Builder.new do
-          use(::Rack::Dedos::UserAgent, options) unless except.include? :user_agent
-          use(::Rack::Dedos::Country, options) unless except.include? :country
+          unless except.include? :user_agent
+            require_relative 'dedos/filters/user_agent'
+            use(::Rack::Dedos::Filters::UserAgent, options)
+          end
+          unless except.include? :country
+            require_relative 'dedos/filters/country'
+            use(::Rack::Dedos::Filters::Country, options)
+          end
           run app
         end.to_app
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-dedos
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Sven Schwyn
@@ -11,8 +11,8 @@ cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
   MIIDODCCAiCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhydWJ5
-  L0RDPWJpdGNldGVyYS9EQz1jb20wHhcNMjIxMTA2MTIzNjUwWhcNMjMxMTA2MTIz
-  NjUwWjAjMSEwHwYDVQQDDBhydWJ5L0RDPWJpdGNldGVyYS9EQz1jb20wggEiMA0G
+  L0RDPWJpdGNldGVyYS9EQz1jb20wHhcNMjQxMTIwMjExMDIwWhcNMjUxMTIwMjEx
+  MDIwWjAjMSEwHwYDVQQDDBhydWJ5L0RDPWJpdGNldGVyYS9EQz1jb20wggEiMA0G
   CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcLg+IHjXYaUlTSU7R235lQKD8ZhEe
   KMhoGlSUonZ/zo1OT3KXcqTCP1iMX743xYs6upEGALCWWwq+nxvlDdnWRjF3AAv7
   ikC+Z2BEowjyeCCT/0gvn4ohKcR0JOzzRaIlFUVInlGSAHx2QHZ2N8ntf54lu7nd
@@ -21,15 +21,15 @@ cert_chain:
   PVa0i729A4IhroNnFNmw4wOC93ARNbM1+LW36PLMmKjKudf5Exg8VmDVAgMBAAGj
   dzB1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBSfK8MtR62mQ6oN
   yoX/VKJzFjLSVDAdBgNVHREEFjAUgRJydWJ5QGJpdGNldGVyYS5jb20wHQYDVR0S
-  BBYwFIEScnVieUBiaXRjZXRlcmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAYG2na
-  ye8OE2DANQIFM/xDos/E4DaPWCJjX5xvFKNKHMCeQYPeZvLICCwyw2paE7Otwk6p
-  uvbg2Ks5ykXsbk5i6vxDoeeOLvmxCqI6m+tHb8v7VZtmwRJm8so0eSX0WvTaKnIf
-  CAn1bVUggczVdNoBXw9WAILKyw9bvh3Ft740XZrR74sd+m2pGwjCaM8hzLvrVbGP
-  DyYhlBeRWyQKQ0WDIsiTSRhzK8HwSTUWjvPwx7SEdIU/HZgyrk0ETObKPakVu6bH
-  kAyiRqgxF4dJviwtqI7mZIomWL63+kXLgjOjMe1SHxfIPo/0ji6+r1p4KYa7o41v
-  fwIwU1MKlFBdsjkd
+  BBYwFIEScnVieUBiaXRjZXRlcmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQDSeB1x
+  8QK8F/ML37isgvwGiQxovDUqu6Sq14cQ1qE9y5prUBmL2AsDuCBpXXctcvamFqNC
+  PgfJtj7ZZcXmY0SfKCog7T1btkr6zYxPXpxwUqB45n0I6v5qc0UCNvMEfBzxlak5
+  VW7UMNlKD9qukeN55hxuLF2F/sLldMcHUo/ATgdV4zk1t3sK6A9+02wz5K5qfWdM
+  Mi+XWXmGd57uojk3RcIXNwBRRP4DTKcKgVXhuyHb7q1vjTXrS6bw1Ortu0KmWOIk
+  jTyRsT1gymASS2KHe+BaCTwD74GqO8q4woYLZgXnJ/PvgcFgY2FEi2Kn/sXLp4JE
+  boIgxQCMT+nxBHCD
   -----END CERTIFICATE-----
-date: 2023-02-03 00:00:00.000000000 Z
+date: 2024-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -116,7 +116,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest-sound
+  name: minitest-flash
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -207,10 +207,10 @@ files:
 - LICENSE.txt
 - README.md
 - lib/rack/dedos.rb
-- lib/rack/dedos/base.rb
 - lib/rack/dedos/cache.rb
-- lib/rack/dedos/country.rb
-- lib/rack/dedos/user_agent.rb
+- lib/rack/dedos/filters/base.rb
+- lib/rack/dedos/filters/country.rb
+- lib/rack/dedos/filters/user_agent.rb
 - lib/rack/dedos/version.rb
 homepage: https://github.com/svoop/rack-dedos
 licenses:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: Radical filters to block denial-of-service (DoS) requests.

data/lib/rack/dedos/base.rb

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-module Rack
-  module Dedos
-    class Base
-
-      DEFAULT_OPTIONS = {
-        status: 403,
-        text: 'Forbidden (Temporarily Blocked by Rules)'
-      }
-
-      attr_reader :app
-      attr_reader :options
-
-      # @param app [#call]
-      # @param options [Hash{Symbol => Object}]
-      def initialize(app, options = {})
-        @app = app
-        @options = DEFAULT_OPTIONS.merge(options)
-      end
-
-      def call(env)
-        request = Rack::Request.new(env)
-        if allowed?(request)
-          app.call(env)
-        else
-          warn("rack-dedos: request from #{request.ip} blocked by #{self.class}")
-          [options[:status], { 'Content-Type' => 'text/plain' }, [options[:text]]]
-        end
-      end
-
-      private
-
-      def config
-        Rack::Dedos.config
-      end
-
-    end
-  end
-end

data/lib/rack/dedos/country.rb

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-require 'maxmind/db'
-
-module Rack
-  module Dedos
-    class Country < Base
-
-      # @option options [String] :maxmind_db_file MaxMind database file
-      # @option options [Symbol, Array<Symbol>] :allowed_countries ISO 3166-1 alpha 2
-      # @option options [Symbol, Array<Symbol>] :denied_countries ISO 3166-1 alpha 2
-      def initialize(*)
-        super
-        @maxmind_db_file = options[:maxmind_db_file] or fail "MaxMind database file not set"
-        @allowed = case
-          when @countries = options[:allowed_countries] then true
-          when @countries = options[:denied_countries] then false
-          else fail "neither allowed nor denied countries set"
-        end
-        maxmind_db   # hit once to fail on errors at boot
-      end
-
-      def allowed?(request)
-        if country = maxmind_db.get(request.ip)
-          country_code = country.dig('country', 'iso_code').to_sym
-          @countries.include?(country_code) ? @allowed : !@allowed
-        else   # not found in database
-          true
-        end
-      rescue => error
-        warn("rack-dedos: request from #{request.ip} allowed due to error: #{error.message}")
-        true
-      end
-
-      private
-
-      def maxmind_db
-        config[:maxmind_db] ||= MaxMind::DB.new(
-          @maxmind_db_file,
-          mode: MaxMind::DB::MODE_FILE
-        )
-      end
-
-    end
-  end
-end

data/lib/rack/dedos/user_agent.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-module Rack
-  module Dedos
-    class UserAgent < Base
-
-      # @option options [String] :cache_url URL of the cache backend
-      # @option options [Integer] :cache_period how long to retain cached IP
-      #   addresses in seconds (default: 900)
-      def initialize(*)
-        super
-        @cache_url = options[:cache_url] or fail "cache URL not set"
-        @cache_period = options[:cache_period] || 900
-        @cache_key_prefix = options[:cache_key_prefix]
-        cache   # hit once to fail on errors at boot
-      end
-
-      def allowed?(request)
-        case cache.get(request.ip)
-        when nil              # first contact
-          cache.set(request.ip, request.user_agent)
-          true
-        when 'BLOCKED'        # already blocked
-          false
-        when request.user_agent   # user agent hasn't changed
-          true
-        else                  # user agent has changed
-          cache.set(request.ip, 'BLOCKED')
-          false
-        end
-      rescue => error
-        warn("rack-dedos: request from #{request.ip} allowed due to error: #{error.message}")
-        true
-      end
-
-      private
-
-      def cache
-        config[:cache] ||= Cache.new(
-          url: @cache_url,
-          expires_in: @cache_period,
-          key_prefix: @cache_key_prefix
-        )
-      end
-
-    end
-  end
-end