rack-dedos 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69f8976f9ee4fc15e9c0b3915020919fa72014acb8577933a5bdcd02b674570c
-  data.tar.gz: 31bbb973f18eee8e22ed576a12846f6443d1ab2106fa3b8a1cdf6b52cc374464
+  metadata.gz: 35a9da808f1fbf56cdf83862a982771065b0630bbec3b4bc4b45ee787f4b57cd
+  data.tar.gz: 858380d7644f92d28f15ead5c41cb796118fbf0977bad9e19375a3b45befcbec
 SHA512:
-  metadata.gz: f506c9e93a4eb859a79c74c2053e493455aa13ebe8487fc42650a59bdb3e65da862b02cfab1cbfc54cb2186e340e014547bf6df4caf4f0afe2eae7233f3c9c1a
-  data.tar.gz: 9a18dfe754ea786cbef049ec91a11108fb36c272ce954190331612089412957f3056f0635f6bf520a60ff0ab3373678067f6fcc5a7cf4e05799b170a6139a26f
+  metadata.gz: 84ce070ddd54d01491e0c6437cc25514a6ff495fc6dfb4fcae2d42729c0619183c78cb20b53bee033d3abe62749c865be903c941976559b14f17d82752979f44
+  data.tar.gz: 220d0ac5538ca7dde09826f03b231d7e6bb7830d59dad0efa29a54fae6124acec991d8b0a68a5c384f43af81cf3cdc279918bd3ab6bca2308ba55029a7487944

data/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 Nothing so far
 
+## 0.2.0
+
+#### Changes
+
+* Determine real client IP
+* Drop autoload and put filters in proper namespace
+
 ## 0.1.0
 
 #### Initial implementation

data/README.md

@@ -83,11 +83,11 @@ use Rack::Dedos,
 
 ## Filters
 
-By default, all filters described below are applied. You can exclude exclude certain filters:
+By default, all filters described below are applied. You can exclude certain filters:
 
 ```ruby
 use Rack::Dedos,
-  exclude: [:user_agent]
+  except: [:user_agent]
 ```
 
 To only apply one specific filter, use the corresponding class as shown below.
@@ -95,7 +95,7 @@ To only apply one specific filter, use the corresponding class as shown below.
 ### User Agent Filter
 
 ```ruby
-use Rack::Dedos::UserAgent,
+use Rack::Dedos::Filters::UserAgent,
   cache_url: 'redis://redis.example.com:6379/12',   # db 12 on default port
   cache_key_prefix: 'dedos',   # key prefix for shared caches (default: nil)
   cache_period: 1800   # seconds (default: 900)
@@ -111,7 +111,7 @@ The following cache backends are supported:
 ### Country Filter
 
 ```ruby
-use Rack::Dedos::Country,
+use Rack::Dedos::Filters::Country,
   maxmind_db_file: '/var/db/maxmind/GeoLite2-Country.mmdb',
   allowed_countries: %i(AT CH DE),
   denied_countries: %i(RU)
@@ -137,6 +137,21 @@ tar -xz -C /tmp -f /tmp/geoipupdate.tgz
 /tmp/geoipupdate_${version}_${arch}/geoipupdate -f "${conf}" -d "${dir}"
 ```
 
+## Real Client IP
+
+A word on how the real client IP is determined. Both Rack 2 and Rack 3 (up to 3.0.7 at the time of writing) may populate the request `ip` incorrectly. Here's what a minimalistic Rack app deloyed to Render (behind Cloudflare) reports:
+
+> request.ip = 172.71.135.17
+> request.forwarded_for = ["81.XXX.XXX.XXX", "172.71.135.17", "10.201.229.136"]
+
+Obviously, the reported IP 172.71.135.17 is not the real client IP, the correct one is the (redacted) 81.XXX.XXX.XXX.
+
+Due to this flaw, Rack::Dedos determines the real client IP as follows in order of priority:
+
+1. [`Cf-Connecting-Ip` header](https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/#cf-connecting-ip)
+2. First entry of the [`X-Forwarded-For` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
+3. [`ip` reported by Rack](https://github.com/rack/rack/blob/main/lib/rack/request.rb)
+
 ## Development
 
 For all required test fixtures to be present, you have to check out the repo

data/lib/rack/dedos/filters/base.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Rack
+  module Dedos
+    module Filters
+      class Base
+
+        DEFAULT_OPTIONS = {
+          status: 403,
+          text: 'Forbidden (Temporarily Blocked by Rules)'
+        }
+
+        attr_reader :app
+        attr_reader :options
+
+        # @param app [#call]
+        # @param options [Hash{Symbol => Object}]
+        def initialize(app, options = {})
+          @app = app
+          @options = DEFAULT_OPTIONS.merge(options)
+        end
+
+        def call(env)
+          request = Rack::Request.new(env)
+          ip = real_ip(request)
+          if allowed?(request, ip)
+            app.call(env)
+          else
+            warn("rack-dedos: request from #{ip} blocked by #{self.class} `#{@country_code.inspect}'")
+            [options[:status], { 'Content-Type' => 'text/plain' }, [options[:text]]]
+          end
+        end
+
+        private
+
+        def config
+          Rack::Dedos.config
+        end
+
+        # Get the real IP of the client
+        #
+        # If a proxy such as Cloudflare is in the mix, the client IP reported
+        # by Rack may be wrong. Therefore, we determine the real client IP
+        # using the following priorities:
+        #
+        # 1. Cf-Connecting-Ip header
+        # 2. X-Forwarded-For header (also remove port number)
+        # 3. IP reported by Rack
+        #
+        # @param request [Rack::Request]
+        # @return [String, nil] real client IP or +nil+ if X-Forwarded-For is
+        #   not set
+        def real_ip(request)
+          case
+          when ip = request.get_header('HTTP_CF_CONNECTING_IP')
+            ip
+          when forwarded_for = request.forwarded_for
+            forwarded_for.split(/\s*,\s*/).first&.sub(/:\d+$/, '')
+          else
+            request.ip
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/filters/country.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'maxmind/db'
+
+module Rack
+  module Dedos
+    module Filters
+      class Country < Base
+
+        # @option options [String] :maxmind_db_file MaxMind database file
+        # @option options [Symbol, Array<Symbol>] :allowed_countries ISO 3166-1 alpha 2
+        # @option options [Symbol, Array<Symbol>] :denied_countries ISO 3166-1 alpha 2
+        def initialize(*)
+          super
+          @maxmind_db_file = options[:maxmind_db_file] or fail "MaxMind database file not set"
+          @allowed = case
+            when @countries = options[:allowed_countries] then true
+            when @countries = options[:denied_countries] then false
+            else fail "neither allowed nor denied countries set"
+          end
+          maxmind_db   # hit once to fail on errors at boot
+        end
+
+        def allowed?(request, ip)
+          if country = maxmind_db.get(ip)
+            country_code = country.dig('country', 'iso_code').to_sym
+            @countries.include?(country_code) ? @allowed : !@allowed
+          else   # not found in database
+            true
+          end
+        rescue => error
+          warn("rack-dedos: request from #{ip} allowed due to error: #{error.message}")
+          true
+        end
+
+        private
+
+        def maxmind_db
+          config[:maxmind_db] ||= MaxMind::DB.new(
+            @maxmind_db_file,
+            mode: MaxMind::DB::MODE_FILE
+          )
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/filters/user_agent.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Rack
+  module Dedos
+    module Filters
+      class UserAgent < Base
+
+        # @option options [String] :cache_url URL of the cache backend
+        # @option options [Integer] :cache_period how long to retain cached IP
+        #   addresses in seconds (default: 900)
+        def initialize(*)
+          super
+          @cache_url = options[:cache_url] or fail "cache URL not set"
+          @cache_period = options[:cache_period] || 900
+          @cache_key_prefix = options[:cache_key_prefix]
+          cache   # hit once to fail on errors at boot
+        end
+
+        def allowed?(request, ip)
+          case cache.get(ip)
+          when nil              # first contact
+            cache.set(ip, request.user_agent)
+            true
+          when 'BLOCKED'        # already blocked
+            false
+          when request.user_agent   # user agent hasn't changed
+            true
+          else                  # user agent has changed
+            cache.set(ip, 'BLOCKED')
+            false
+          end
+        rescue => error
+          warn("rack-dedos: request from #{ip} allowed due to error: #{error.message}")
+          true
+        end
+
+        private
+
+        def cache
+          config[:cache] ||= Cache.new(
+            url: @cache_url,
+            expires_in: @cache_period,
+            key_prefix: @cache_key_prefix
+          )
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/dedos/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Dedos
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/rack/dedos.rb

@@ -6,11 +6,9 @@ require_relative 'dedos/version'
 
 module Rack
   module Dedos
-    lib_dir = ::File.expand_path(::File.dirname(__FILE__))
-    autoload :Cache, lib_dir + '/dedos/cache'
-    autoload :Base, lib_dir + '/dedos/base'
-    autoload :UserAgent, lib_dir + '/dedos/user_agent'
-    autoload :Country, lib_dir + '/dedos/country'
+
+    require_relative 'dedos/cache'
+    require_relative 'dedos/filters/base'
 
     class << self
       def config
@@ -21,8 +19,14 @@ module Rack
         except = Array options[:except]
 
         Rack::Builder.new do
-          use(::Rack::Dedos::UserAgent, options) unless except.include? :user_agent
-          use(::Rack::Dedos::Country, options) unless except.include? :country
+          unless except.include? :user_agent
+            require_relative 'dedos/filter/user_agent'
+            use(::Rack::Dedos::Filters::UserAgent, options)
+          end
+          unless except.include? :country
+            require_relative 'dedos/filter/country'
+            use(::Rack::Dedos::Filters::Country, options)
+          end
           run app
         end.to_app
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-dedos
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Sven Schwyn
@@ -29,7 +29,7 @@ cert_chain:
   kAyiRqgxF4dJviwtqI7mZIomWL63+kXLgjOjMe1SHxfIPo/0ji6+r1p4KYa7o41v
   fwIwU1MKlFBdsjkd
   -----END CERTIFICATE-----
-date: 2023-02-03 00:00:00.000000000 Z
+date: 2023-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -207,10 +207,10 @@ files:
 - LICENSE.txt
 - README.md
 - lib/rack/dedos.rb
-- lib/rack/dedos/base.rb
 - lib/rack/dedos/cache.rb
-- lib/rack/dedos/country.rb
-- lib/rack/dedos/user_agent.rb
+- lib/rack/dedos/filters/base.rb
+- lib/rack/dedos/filters/country.rb
+- lib/rack/dedos/filters/user_agent.rb
 - lib/rack/dedos/version.rb
 homepage: https://github.com/svoop/rack-dedos
 licenses:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.4.13
 signing_key:
 specification_version: 4
 summary: Radical filters to block denial-of-service (DoS) requests.

data/lib/rack/dedos/base.rb

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-module Rack
-  module Dedos
-    class Base
-
-      DEFAULT_OPTIONS = {
-        status: 403,
-        text: 'Forbidden (Temporarily Blocked by Rules)'
-      }
-
-      attr_reader :app
-      attr_reader :options
-
-      # @param app [#call]
-      # @param options [Hash{Symbol => Object}]
-      def initialize(app, options = {})
-        @app = app
-        @options = DEFAULT_OPTIONS.merge(options)
-      end
-
-      def call(env)
-        request = Rack::Request.new(env)
-        if allowed?(request)
-          app.call(env)
-        else
-          warn("rack-dedos: request from #{request.ip} blocked by #{self.class}")
-          [options[:status], { 'Content-Type' => 'text/plain' }, [options[:text]]]
-        end
-      end
-
-      private
-
-      def config
-        Rack::Dedos.config
-      end
-
-    end
-  end
-end

data/lib/rack/dedos/country.rb

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-require 'maxmind/db'
-
-module Rack
-  module Dedos
-    class Country < Base
-
-      # @option options [String] :maxmind_db_file MaxMind database file
-      # @option options [Symbol, Array<Symbol>] :allowed_countries ISO 3166-1 alpha 2
-      # @option options [Symbol, Array<Symbol>] :denied_countries ISO 3166-1 alpha 2
-      def initialize(*)
-        super
-        @maxmind_db_file = options[:maxmind_db_file] or fail "MaxMind database file not set"
-        @allowed = case
-          when @countries = options[:allowed_countries] then true
-          when @countries = options[:denied_countries] then false
-          else fail "neither allowed nor denied countries set"
-        end
-        maxmind_db   # hit once to fail on errors at boot
-      end
-
-      def allowed?(request)
-        if country = maxmind_db.get(request.ip)
-          country_code = country.dig('country', 'iso_code').to_sym
-          @countries.include?(country_code) ? @allowed : !@allowed
-        else   # not found in database
-          true
-        end
-      rescue => error
-        warn("rack-dedos: request from #{request.ip} allowed due to error: #{error.message}")
-        true
-      end
-
-      private
-
-      def maxmind_db
-        config[:maxmind_db] ||= MaxMind::DB.new(
-          @maxmind_db_file,
-          mode: MaxMind::DB::MODE_FILE
-        )
-      end
-
-    end
-  end
-end

data/lib/rack/dedos/user_agent.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-module Rack
-  module Dedos
-    class UserAgent < Base
-
-      # @option options [String] :cache_url URL of the cache backend
-      # @option options [Integer] :cache_period how long to retain cached IP
-      #   addresses in seconds (default: 900)
-      def initialize(*)
-        super
-        @cache_url = options[:cache_url] or fail "cache URL not set"
-        @cache_period = options[:cache_period] || 900
-        @cache_key_prefix = options[:cache_key_prefix]
-        cache   # hit once to fail on errors at boot
-      end
-
-      def allowed?(request)
-        case cache.get(request.ip)
-        when nil              # first contact
-          cache.set(request.ip, request.user_agent)
-          true
-        when 'BLOCKED'        # already blocked
-          false
-        when request.user_agent   # user agent hasn't changed
-          true
-        else                  # user agent has changed
-          cache.set(request.ip, 'BLOCKED')
-          false
-        end
-      rescue => error
-        warn("rack-dedos: request from #{request.ip} allowed due to error: #{error.message}")
-        true
-      end
-
-      private
-
-      def cache
-        config[:cache] ||= Cache.new(
-          url: @cache_url,
-          expires_in: @cache_period,
-          key_prefix: @cache_key_prefix
-        )
-      end
-
-    end
-  end
-end