rack-dedos 0.7.1 → 0.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9198afaa909fd5893e05e59d4e107303aedb6d9cba9a99fc26025d4785fb0f1
-  data.tar.gz: 573d19c93954eb75ad4f4db7b9ea92003162c1648e9b576a8e4279aa2efb6dbc
+  metadata.gz: 947e6356b19bea810a33478eb1b71a6c15226361875e3049c838736efa80c7d7
+  data.tar.gz: 2dc040a8efdb5ebbe2efec61dc95cbafa84e2df65af1c04fdccaaf1800256466
 SHA512:
-  metadata.gz: 95d555d680506742c46c9de899c2ec17a9e4cb4d5423326777cf3b0b4b8131e85798b2f9bccbb3c9e4c7f6be44e0e2a86442ace63aab11e02cf2f21cc76a3924
-  data.tar.gz: 2e633200a5563c497354bba636abc42a829f4d24297fd9d8174f767c2ca789edd1e7758e83ca1eaea4788c0acb084eb9378fe9ce85c3a82f4d34d880d3f3e9b3
+  metadata.gz: 3262a3fae6cf1f78acabdc33677f2f9d9309f1b474204cab8f2de8e0052c77ef360ecfe0cc98bee381416550f51881647f970b93b172c7565446a843ed655860
+  data.tar.gz: 8de32babd643f4678e176ddafea65050361d3ceb1bfb2c878a7b902ed9a8f23758e0aad81c9f422f03934a00987b3b3aea772718bddd575205f3d1852612fe52

data/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 Nothing so far
 
+## 0.7.2
+
+### Additions
+* Spamhaus filter
+
 ## 0.7.1
 
 ### Improvements

data/README.md

@@ -122,6 +122,18 @@ use Rack::Dedos,
   text: "Temporary Server Error"
 ```
 
+### Cache
+
+Some filters have to persist information to a key/value store. The default implementation uses a simple Ruby `Hash`, however, this is only suitable for development. If you chose to use such filters in production, you'll want to switch to Redis instead.
+
+To do so, install the [redis gem](https://rubygems.org/gems/redis) and add the following configuration:
+
+```ruby
+use Rack::Dedos,
+  cache_url: 'redis://redis.example.com:6379/12',   # db 12 on default port
+  cache_key_prefix: 'dedos',   # key prefix for shared caches (default: nil)
+```
+
 ### Log
 
 By default, blocked request are logged as info to `$stdout` such as:
@@ -162,22 +174,19 @@ To only apply one specific filter, use the corresponding class as shown below.
 
 ### User Agent Filter
 
+⚠️ This filter uses the cache!
+
 ```ruby
 use Rack::Dedos::Filters::UserAgent,
-  cache_url: 'redis://redis.example.com:6379/12',   # db 12 on default port
-  cache_key_prefix: 'dedos',   # key prefix for shared caches (default: nil)
   cache_period: 1800   # seconds (default: 900)
 ```
 
 Requests are blocked for `cache_period` seconds in case another request has been made within `cache_period` seconds from by same IP address but with a different user agent.
 
-The following cache backends are supported:
-
-* `redis://...` – ⚠️ The [redis gem](https://rubygems.org/gems/redis) has to be installed.
-* `hash` – Only for testing, don't use this in production.
-
 ### Country Filter
 
+⚠️ This filter requires the [maxmind-db gem](https://rubygems.org/gems/maxmind-db) to be installed!
+
 ```ruby
 use Rack::Dedos::Filters::Country,
   maxmind_db_file: '/var/db/maxmind/GeoLite2-Country.mmdb',
@@ -187,8 +196,6 @@ use Rack::Dedos::Filters::Country,
 
 Either allow or deny requests by probable country of origin. If both are set, the `denied_countries` option is ignored.
 
-⚠️ The [maxmind-db gem](https://rubygems.org/gems/maxmind-db) has to be installed.
-
 The MaxMind GeoLite2 database is free, however, you have to create an account on [maxmind.com](https://www.maxmind.com) and then download the country database.
 
 For automatic updates, create a `geoipupdate.conf` file and then use the [geoipupdate tool for your arch](https://github.com/maxmind/geoipupdate/releases) to fetch the latest country database.
@@ -200,9 +207,19 @@ geoipget --help
 geoipget --dir . --arch linux_amd64 /etc/geoipupdate.conf
 ```
 
+### Spamhaus Filter
+
+⚠️ This filter uses the cache!
+
+```ruby
+use Rack::Dedos::Filters::Spamhaus
+```
+
+Deny requests from IP addresses which are listed on the [Spamhaus ZEN Blocklist](https://www.spamhaus.org/blocklists/zen-blocklist/).
+
 ## Real Client IP
 
-A word on how the real client IP is determined. Both Rack 2 and Rack 3 (up to 3.0.7 at the time of writing) may populate the request `ip` incorrectly. Here's what a minimalistic Rack app deloyed to Render (behind Cloudflare) reports:
+A word on how the real client IP is determined: Both Rack 2 and Rack 3 (up to 3.0.7 at the time of writing) may populate the request `ip` incorrectly. Here's what a minimalistic Rack app deloyed to Render (behind Cloudflare) reports:
 
 > request.ip = 172.71.135.17<br>
 > request.forwarded_for = ["81.XXX.XXX.XXX", "172.71.135.17", "10.201.229.136"]

data/lib/rack/dedos/cache.rb

@@ -4,30 +4,27 @@ module Rack
   module Dedos
     class Cache
 
-      def initialize(url:, expires_in: nil, key_prefix: nil)
-        @url, @expires_in = url, expires_in
-        @key_prefix = ("#{key_prefix}:" if key_prefix).to_s
+      def initialize(url:, key_prefix: nil, expires_in: 86400)
+        @url, @key_prefix, @expires_in = url, key_prefix, expires_in
         type = url.split(':').first
         extend Object.const_get("Rack::Dedos::Cache::#{type.capitalize}")
+        connect
       rescue NameError
         raise(ArgumentError, "type of cache for `#{@url}' not supported")
       end
 
       module Hash
-        def store
-          @store ||= {}
-        end
-
-        def set(key, value)
-          store[key] = [value, timestamp]
+        def set(key, value, expires_in: @expires_in)
+          expires_at = now + expires_in if expires_in
+          @store[key] = [value, expires_at]
         end
 
         def get(key)
-          if (value, created_at = store[key])
-            if !@expires_in || @expires_in >= timestamp - created_at
+          if (value, expires_at = @store[key])
+            if !expires_at || expires_at > now
               value
             else
-              store.delete(key)
+              @store.delete(key)
               nil
             end
           end
@@ -35,7 +32,11 @@ module Rack
 
         private
 
-        def timestamp
+        def connect
+          @store = {}
+        end
+
+        def now
           Time.now.to_i
         end
       end
@@ -43,16 +44,24 @@ module Rack
       module Redis
         require 'redis'
 
-        def store
-          @store ||= ::Redis.new(url: @url)
+        def set(key, value, expires_in: @expires_in)
+          @store.with { _1.set(prefixed(key), value, ex: expires_in) }
         end
 
-        def set(key, value)
-          store.set(@key_prefix + key, value, ex: @expires_in)
+        def get(key)
+          @store.with { _1.get(prefixed(key)) }
         end
 
-        def get(key)
-          store.get(@key_prefix + key)
+        private
+
+        def connect
+          @store = ConnectionPool.new(size: 5, timeout: 1) do
+            ::Redis.new(url: @url)
+          end
+        end
+
+        def prefixed(key)
+          @key_prefix ? "#{@key_prefix}:#{key}" : key
         end
       end
 

data/lib/rack/dedos/filters/base.rb

@@ -9,6 +9,8 @@ module Rack
 
         DEFAULT_OPTIONS = {
           logger: nil,
+          cache_url: 'Hash',
+          cache_key_prefix: nil,
           only_paths: [],
           except_paths: [],
           status: 403,
@@ -16,13 +18,18 @@ module Rack
           headers: []
         }.freeze
 
-        attr_reader :app, :options, :details
+        attr_reader :app, :options, :cache, :logger, :details
 
         # @param app [#call]
         # @param options [Hash{Symbol => Object}]
         def initialize(app, options={})
           @app = app
           @options = DEFAULT_OPTIONS.merge(options)
+          @cache = Cache.new(
+            url: @options[:cache_url],
+            key_prefix: @options[:cache_key_prefix]
+          )
+          @logger ||= options[:logger] || ::Logger.new($stdout, progname: 'rack-dedos')
           @details = {}
         end
 
@@ -46,10 +53,6 @@ module Rack
           Rack::Dedos.config
         end
 
-        def logger
-          @logger ||= options[:logger] || ::Logger.new($stdout, progname: 'rack-dedos')
-        end
-
         def apply?(request)
           return false if @options[:except_paths].any? { request.path.match? _1 }
           return true if @options[:only_paths].none?

data/lib/rack/dedos/filters/spamhaus.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'resolv'
+
+module Rack
+  module Dedos
+    module Filters
+      class Spamhaus < Base
+
+        QUERY_DOMAIN = 'zen.spamhaus.org'.freeze
+
+        def name
+          :spamhaus
+        end
+
+        def initialize(...)
+          super
+          @resolver = ConnectionPool.new(size: 5, timeout: 1) do
+            Resolv::DNS.new.tap { _1.timeouts = [1, 2] }
+          end
+        end
+
+        def allowed?(request, ip)
+          @resolver.with do |resolver|
+            resolver.getresources(domain_for(ip), Resolv::DNS::Resource::IN::A).empty?
+          end
+        rescue => error
+          logger.error("request from #{ip} allowed due to error: #{error.message}")
+          true
+        end
+
+        private
+
+        def domain_for(ip)
+          ip.split('.').reverse.join('.').concat('.', QUERY_DOMAIN)
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/filters/user_agent.rb

@@ -9,28 +9,24 @@ module Rack
           :user_agent
         end
 
-        # @option options [String] :cache_url URL of the cache backend
         # @option options [Integer] :cache_period how long to retain cached IP
         #   addresses in seconds (default: 900)
         def initialize(...)
           super
-          @cache_url = options[:cache_url] or fail "cache URL not set"
           @cache_period = options[:cache_period] || 900
-          @cache_key_prefix = options[:cache_key_prefix]
-          cache   # hit once to fail on errors at boot
         end
 
         def allowed?(request, ip)
           case cache.get(ip)
           when nil              # first contact
-            cache.set(ip, request.user_agent)
+            cache.set(ip, request.user_agent, expires_in: @cache_period)
             true
           when 'BLOCKED'        # already blocked
             false
           when request.user_agent   # user agent hasn't changed
             true
-          else                  # user agent has changed
-            cache.set(ip, 'BLOCKED')
+          else   # user agent has changed
+            cache.set(ip, 'BLOCKED', expires_in: @cache_period)
             false
           end
         rescue => error
@@ -38,16 +34,6 @@ module Rack
           true
         end
 
-        private
-
-        def cache
-          config[:cache] ||= Cache.new(
-            url: @cache_url,
-            expires_in: @cache_period,
-            key_prefix: @cache_key_prefix
-          )
-        end
-
       end
     end
   end

data/lib/rack/dedos/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Dedos
-    VERSION = "0.7.1"
+    VERSION = "0.7.2"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-dedos
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.2
 platform: ruby
 authors:
 - Sven Schwyn
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: connection_pool
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -135,6 +149,7 @@ files:
 - lib/rack/dedos/executables/geoipget.rb
 - lib/rack/dedos/filters/base.rb
 - lib/rack/dedos/filters/country.rb
+- lib/rack/dedos/filters/spamhaus.rb
 - lib/rack/dedos/filters/user_agent.rb
 - lib/rack/dedos/version.rb
 homepage: https://github.com/svoop/rack-dedos
@@ -168,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Radical filters to block denial-of-service (DoS) requests.
 test_files: []