rack-proxy 0.7.8 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f1a4b368973c939e40b8f152e168081d55105a2a447541d2ea8a2b9157aaf65
-  data.tar.gz: f24595aef9a2aeaa8354f0377d1f28508f248039a59a880f1da674891e6236af
+  metadata.gz: f9520dd879490c3e4e00d0617a74994fd178488878cf149f44acc4795975609e
+  data.tar.gz: 99c9ea6a98cbae6713c03f4ac4a6b87cf682a9189c073f29ecd5845d3ddc5c7e
 SHA512:
-  metadata.gz: 5fa9ddee2ccb22bdeb051dc11bf09aa158a93ebf3d95156ae43bea1fb933527e9bb31cf60910d063017c229e599aaa20d7452c792bc2b7f0303da8f20c579bbc
-  data.tar.gz: 8d95e69cfb5e09c3e4103653bd739e96b37430f7e92720c668a8f396458f07fbeec9e01b25a6b4cff8128ad958f64d3adc01f748a3836f2ea768f8cc60d74244
+  metadata.gz: f5b53e01fef046f99405006fcb5b60f053ede10fc23bb231ad27deebbe52593d1ad1fcd1ba77471dcb76405c65a9d7a3a685ed13caea6bdb1dbf927ad19ffffc
+  data.tar.gz: 940b3f2ba7a1248475799497e757a9a9be8875e933ef47b0fdc583181d0368804c56d0bd5b356860c169e4bdd9e68f2cfd6b7c6f273b9d542fd5bdd93b6e7f46

data/Gemfile.lock

@@ -1,19 +1,20 @@
 PATH
   remote: .
   specs:
-    rack-proxy (0.7.8)
+    rack-proxy (0.8.0)
       rack
 
 GEM
   remote: https://rubygems.org/
   specs:
     power_assert (2.0.3)
-    rack (3.0.9.1)
+    rack (3.2.6)
     rack-test (2.1.0)
       rack (>= 1.3)
     rake (13.0.6)
     test-unit (3.6.1)
       power_assert
+    webrick (1.9.2)
 
 PLATFORMS
   arm64-darwin-22
@@ -24,6 +25,7 @@ DEPENDENCIES
   rack-test
   rake
   test-unit
+  webrick
 
 BUNDLED WITH
    2.4.17

data/README.md

@@ -6,7 +6,7 @@ Installation
 Add the following to your `Gemfile`:
 
 ```
-gem 'rack-proxy', '~> 0.7.7'
+gem 'rack-proxy', '~> 0.8.0'
 ```
 
 Or install:
@@ -38,7 +38,8 @@ Options can be set when initializing the middleware or overriding a method.
 
 
 * `:streaming` - defaults to `true`, but does not work on all Ruby versions, recommend to set to `false`
-* `:ssl_verify_none` - tell `Net::HTTP` to not validate certs
+* `:ssl_verify_none` - tell `Net::HTTP` to skip TLS certificate verification (defaults to verifying — see [Upgrading](#upgrading) for the 0.8 change)
+* `:verify_mode` - explicit `OpenSSL::SSL::VERIFY_*` constant; wins over `ssl_verify_none`
 * `:ssl_version` - tell `Net::HTTP` to set a specific `ssl_version`
 * `:backend` - the URI parseable format of host and port of the target proxy backend. If not set it will assume the backend target is the same as the source.
 * `:read_timeout` - set proxy timeout it defaults to 60 seconds
@@ -98,9 +99,6 @@ class TrustingProxy < Rack::Proxy
 
   def rewrite_env(env)
     env["HTTP_HOST"] = "self-signed.badssl.com"
-
-    # We are going to trust the self-signed SSL
-    env["rack.ssl_verify_none"] = true
     env
   end
 
@@ -116,11 +114,8 @@ class TrustingProxy < Rack::Proxy
   end
 
 end
-```
-
-The same can be achieved for *all* requests going through the `Rack::Proxy` instance by using
 
-```ruby
+# Pass ssl_verify_none: true to skip TLS certificate verification.
 Rack::Proxy.new(ssl_verify_none: true)
 ```
 
@@ -327,6 +322,29 @@ class TLSProxy < Rack::Proxy
 end
 ```
 
+Upgrading
+----
+
+### 0.7.x → 0.8.0
+
+**TLS certificate verification is now on by default.** Prior versions silently used `OpenSSL::SSL::VERIFY_NONE` whenever the backend was HTTPS, which disabled certificate checks. 0.8.0 defaults to `VERIFY_PEER` to match Ruby's `Net::HTTP`.
+
+If you proxy to a backend with a self-signed or otherwise untrusted certificate, you'll now get an `OpenSSL::SSL::SSLError` unless you opt out explicitly:
+
+```ruby
+Rack::Proxy.new(ssl_verify_none: true)              # or
+Rack::Proxy.new(verify_mode: OpenSSL::SSL::VERIFY_NONE)
+```
+
+For internal services with a private CA, prefer setting `cert`/`verify_mode` over disabling verification altogether.
+
+A note on header keys (#96)
+----
+
+Per the standard Rack/CGI convention, header names received by your proxy are exposed in the env with underscores (`HTTP_X_CUSTOM_HEADER`), and rack-proxy rewrites them with dashes (`X-Custom-Header`) when forwarding. This conversion is lossy: by the time a request reaches rack-proxy, the upstream web server (nginx, Apache, Caddy, Puma) has already collapsed both `X-Custom-Header` and `X_Custom_Header` into the same env key, and rack-proxy cannot recover the original spelling.
+
+If you need underscore-style headers preserved end-to-end, configure your fronting web server (e.g. `underscores_in_headers on;` in nginx, or `HTTPProtocolOptions` in Apache) — rack-proxy is not the right layer to fix this.
+
 WARNING
 ----
 

data/lib/rack/proxy.rb

@@ -5,7 +5,7 @@ module Rack
 
   # Subclass and bring your own #rewrite_request and #rewrite_response
   class Proxy
-    VERSION = "0.7.8".freeze
+    VERSION = "0.8.0".freeze
 
     HOP_BY_HOP_HEADERS = {
       'connection' => true,
@@ -69,13 +69,16 @@ module Rack
       end
 
       @streaming = opts.fetch(:streaming, true)
-      @ssl_verify_none = opts.fetch(:ssl_verify_none, false)
       @backend = opts[:backend] ? URI(opts[:backend]) : nil
       @read_timeout = opts.fetch(:read_timeout, 60)
       @ssl_version = opts[:ssl_version]
       @cert = opts[:cert]
       @key = opts[:key]
+      # SSL verification: defaults to VERIFY_PEER (Ruby's Net::HTTP default).
+      # Pass ssl_verify_none: true to explicitly disable cert verification, or
+      # pass verify_mode: <OpenSSL::SSL::VERIFY_*> for full control.
       @verify_mode = opts[:verify_mode]
+      @verify_mode ||= OpenSSL::SSL::VERIFY_NONE if opts[:ssl_verify_none]
 
       @username = opts[:username]
       @password = opts[:password]
@@ -130,33 +133,40 @@ module Rack
       read_timeout = env.delete('http.read_timeout') || @read_timeout
 
       # Create the response
-      if @streaming
-        # streaming response (the actual network communication is deferred, a.k.a. streamed)
-        target_response = HttpStreamingResponse.new(target_request, backend.host, backend.port)
-        target_response.use_ssl = use_ssl
-        target_response.read_timeout = read_timeout
-        target_response.ssl_version = @ssl_version if @ssl_version
-        target_response.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_NONE) if use_ssl
-        target_response.cert = @cert if @cert
-        target_response.key = @key if @key
-      else
-        http = Net::HTTP.new(backend.host, backend.port)
-        http.use_ssl = use_ssl if use_ssl
-        http.read_timeout = read_timeout
-        http.ssl_version = @ssl_version if @ssl_version
-        http.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_NONE if use_ssl) if use_ssl
-        http.cert = @cert if @cert
-        http.key = @key if @key
-
-        target_response = http.start do
-          http.request(target_request)
+      begin
+        if @streaming
+          # streaming response (the actual network communication is deferred, a.k.a. streamed)
+          target_response = HttpStreamingResponse.new(target_request, backend.host, backend.port)
+          target_response.use_ssl = use_ssl
+          target_response.read_timeout = read_timeout
+          target_response.ssl_version = @ssl_version if @ssl_version
+          target_response.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_PEER) if use_ssl
+          target_response.cert = @cert if @cert
+          target_response.key = @key if @key
+        else
+          http = Net::HTTP.new(backend.host, backend.port)
+          http.use_ssl = use_ssl if use_ssl
+          http.read_timeout = read_timeout
+          http.ssl_version = @ssl_version if @ssl_version
+          http.verify_mode = @verify_mode || OpenSSL::SSL::VERIFY_PEER if use_ssl
+          http.cert = @cert if @cert
+          http.key = @key if @key
+
+          target_response = http.start do
+            http.request(target_request)
+          end
         end
+
+        code    = target_response.code
+        headers = self.class.normalize_headers(target_response.respond_to?(:headers) ? target_response.headers : target_response.to_hash)
+        body    = target_response.body || []
+        body    = [body] unless body.respond_to?(:each)
+      rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH, Errno::ETIMEDOUT, Net::OpenTimeout, SocketError
+        return [502, {}, []]
       end
 
-      code    = target_response.code
-      headers = self.class.normalize_headers(target_response.respond_to?(:headers) ? target_response.headers : target_response.to_hash)
-      body    = target_response.body || [""]
-      body    = [body] unless body.respond_to?(:each)
+      # No entity body for status codes that don't allow one (1xx, 204, 304)
+      body = [] if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY[code.to_i]
 
       # According to https://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-7.1.3.1Acc
       # should remove hop-by-hop header fields

data/lib/rack_proxy_examples/trusting_proxy.rb

@@ -2,15 +2,12 @@ class TrustingProxy < Rack::Proxy
 
   def rewrite_env(env)
     env["HTTP_HOST"] = "self-signed.badssl.com"
-
-    # We are going to trust the self-signed SSL 
-    env["rack.ssl_verify_none"] = true
     env
   end
 
   def rewrite_response(triplet)
     status, headers, body = triplet
-    
+
     # if you rewrite env, it appears that content-length isn't calculated correctly
     # resulting in only partial responses being sent to users
     # you can remove it or recalculate it here
@@ -21,4 +18,8 @@ class TrustingProxy < Rack::Proxy
 
 end
 
-Rails.application.config.middleware.use TrustingProxy, backend: 'https://self-signed.badssl.com', streaming: false
+# Pass ssl_verify_none: true to skip TLS certificate verification.
+Rails.application.config.middleware.use TrustingProxy,
+  backend: 'https://self-signed.badssl.com',
+  streaming: false,
+  ssl_verify_none: true

data/rack-proxy.gemspec

@@ -22,4 +22,5 @@ Gem::Specification.new do |s|
   s.add_dependency("rack")
   s.add_development_dependency("rack-test")
   s.add_development_dependency("test-unit")
+  s.add_development_dependency("webrick")
 end

data/test/rack_proxy_test.rb

@@ -125,4 +125,146 @@ class RackProxyTest < Test::Unit::TestCase
     get 'https://example.com/oauth2/token/info?access_token=123'
     assert !last_response.headers.key?('transfer-encoding')
   end
+
+  # Issue #58: connection errors should return 502, not raise.
+  def test_connection_refused_returns_502
+    # Bind a socket to find a free port, then close it so connection is refused.
+    server = TCPServer.new('127.0.0.1', 0)
+    closed_port = server.addr[1]
+    server.close
+
+    app({:streaming => false}).host = "127.0.0.1:#{closed_port}"
+    get '/'
+    assert_equal 502, last_response.status
+    assert_equal '', last_response.body
+  end
+
+  def test_connection_refused_returns_502_streaming
+    server = TCPServer.new('127.0.0.1', 0)
+    closed_port = server.addr[1]
+    server.close
+
+    app({:streaming => true}).host = "127.0.0.1:#{closed_port}"
+    get '/'
+    assert_equal 502, last_response.status
+    assert_equal '', last_response.body
+  end
+
+  def test_unknown_host_returns_502
+    app({:streaming => false}).host = 'no-such-host.invalid'
+    get '/'
+    assert_equal 502, last_response.status
+  end
+
+  # Issues #122/#123: body should be [] for empty responses and for status
+  # codes that don't allow an entity body (1xx, 204, 304).
+  def test_no_entity_body_for_204
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/no-content'
+      assert_equal 204, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  def test_no_entity_body_for_304
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/not-modified'
+      assert_equal 304, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  def test_empty_body_is_not_array_with_empty_string
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/empty'
+      assert_equal 200, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  # Issue #65: header values must be strings, not single-element arrays,
+  # for both streaming and non-streaming paths.
+  def test_header_values_are_strings_streaming
+    assert_no_array_header_values(streaming: true)
+  end
+
+  def test_header_values_are_strings_non_streaming
+    assert_no_array_header_values(streaming: false)
+  end
+
+  # Issue #113: SSL cert verification must default to VERIFY_PEER (Ruby's
+  # Net::HTTP default), not VERIFY_NONE.
+  def test_ssl_default_is_verify_peer
+    proxy = Rack::Proxy.new
+    assert_nil proxy.instance_variable_get(:@verify_mode),
+      "@verify_mode should be unset by default so VERIFY_PEER applies at request time"
+  end
+
+  def test_ssl_verify_none_opt_in
+    proxy = Rack::Proxy.new(ssl_verify_none: true)
+    assert_equal OpenSSL::SSL::VERIFY_NONE, proxy.instance_variable_get(:@verify_mode)
+  end
+
+  def test_explicit_verify_mode_wins_over_ssl_verify_none
+    proxy = Rack::Proxy.new(ssl_verify_none: true, verify_mode: OpenSSL::SSL::VERIFY_PEER)
+    assert_equal OpenSSL::SSL::VERIFY_PEER, proxy.instance_variable_get(:@verify_mode)
+  end
+
+  def test_https_default_rejects_invalid_certificate
+    # self-signed cert on a public test host should be rejected with the new default
+    app({:streaming => false}).host = 'self-signed.badssl.com'
+    error = assert_raise(OpenSSL::SSL::SSLError) { get 'https://example.com/' }
+    assert_match(/certificate verify failed/, error.message)
+  end
+
+  def test_https_with_ssl_verify_none_accepts_invalid_certificate
+    app({:streaming => false, :ssl_verify_none => true}).host = 'self-signed.badssl.com'
+    get 'https://example.com/'
+    assert last_response.ok?
+  end
+
+  private
+
+  def assert_no_array_header_values(streaming:)
+    with_webrick_proxy(streaming: streaming) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/echo-headers'
+      array_valued = last_response.headers.select { |_, v| v.is_a?(Array) }
+      assert_empty array_valued,
+        "expected no Array-valued headers (#65), got: #{array_valued.inspect}"
+      assert_equal 'value-here', last_response['x-custom']
+    end
+  end
+
+
+  # Spin up a tiny WEBrick server with fixed routes so we can exercise the
+  # proxy against real Net::HTTP requests without depending on a remote host.
+  def with_webrick_proxy(streaming:)
+    require 'webrick'
+    server = WEBrick::HTTPServer.new(
+      Port: 0,
+      BindAddress: '127.0.0.1',
+      Logger: WEBrick::Log.new(File::NULL),
+      AccessLog: []
+    )
+    server.mount_proc('/no-content')   { |_req, res| res.status = 204 }
+    server.mount_proc('/not-modified') { |_req, res| res.status = 304 }
+    server.mount_proc('/empty')        { |_req, res| res.body = '' }
+    server.mount_proc('/echo-headers') do |_req, res|
+      res['x-custom'] = 'value-here'
+      res.body = 'ok'
+    end
+    Thread.new { server.start }
+    port = server.config[:Port]
+
+    proxy = HostProxy.new(streaming: streaming)
+    @app = proxy
+    yield port, proxy
+  ensure
+    server&.shutdown
+    @app = nil
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-proxy
 version: !ruby/object:Gem::Version
-  version: 0.7.8
+  version: 0.8.0
 platform: ruby
 authors:
 - Jacek Becela
@@ -51,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Rack app that provides request/response rewriting proxy capabilities
   with streaming.
 email: