remote_ip_proxy_scrubber 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 825602125d5364b1bdc70746c8c0f35e9b87410b
+  data.tar.gz: 7d62c2bca5fb334c022cd01454e714107295a511
+SHA512:
+  metadata.gz: 8dcc9c19faedf5f1530cb47709394680f66b9f7fde1dca783b899c152ea9d61d5c92a673ba35d9024239313b94611822068ff79a99dea748a5859063205fd9c5
+  data.tar.gz: 34a7c22cea7f23dd4f1d5a07b7eca37624ddf52cdffc33ebed7501838f94da46ffd50578c90e260cded104e2ac92af7f0e07d0831da0bd7d5cae43e3cff5a1b6

data/.gitignore

@@ -0,0 +1,39 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+.ruby-version
+.ruby-gemset
+
+# This is a gem, so don't commit the Gemfile.lock
+/Gemfile.lock

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+rvm:
+  - 2.2.0
+  - 2.1.0
+  - 1.9.3
+  - 1.8.7
+addons:
+  code_climate:
+    repo_token: b4467c40c37d79974e72fddf47335d9cd65596e3b2cf64aeac7594a6ba12f85e

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+gemspec
+
+if RUBY_VERSION > "1.9"
+  gem "codeclimate-test-reporter", :group => :test, :require => nil
+end

data/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Marcos Wright-Kuhns
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

data/README.md

@@ -0,0 +1,50 @@
+[![Build Status](https://travis-ci.org/metavida/remote_ip_proxy_scrubber.svg?branch=master)](https://travis-ci.org/metavida/remote_ip_proxy_scrubber)
+[![Code Climate](https://codeclimate.com/github/metavida/remote_ip_proxy_scrubber/badges/gpa.svg)](https://codeclimate.com/github/metavida/remote_ip_proxy_scrubber)
+[![Test Coverage](https://codeclimate.com/github/metavida/remote_ip_proxy_scrubber/badges/coverage.svg)](https://codeclimate.com/github/metavida/remote_ip_proxy_scrubber)
+
+# remote_ip Proxy Scrubber
+
+A project that makes it as easy as possible to prevent Rails from logging IP addresses that belong to proxy devices in your HTTP request chain.
+
+Because Rails has pretty dramatically changed how these sorts of IPs are filtered over the years, this project's ultimate goal is to make life easy on as many Rails versions as possible.
+
+# Common Use-cases
+
+* Using [CloudFlare in front of your app](https://www.cloudflare.com/ips)
+* Using [Incapsula in front of your app](https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-)
+
+# Usage
+
+Let's say you've got proxy servers running outside of the local network where your Rails app is running. In this example, we'll say the IP addresses of these proxy servers are in these IP ranges: `17.0.0.4/30`, `17.17.0.8/30`
+
+## Fixing `request.remote_ip`
+
+Without this gem, calls to `request.remote_ip` from your Rails app will return the IP addresses from your proxy servers. Adding the code, below, ensures that `request.remote_ip` will never return the IP addresses of your proxy servers, and assuming the servers that first process requests from your clients is adding an appropriate X-Forwarded-For header, `request.remote_ip` will return the real IP address of your clients!
+
+```ruby
+# Add the following to config/application.rb or conifg/environments/*.rb
+
+config.middleware.insert_before(Rails::Rack::Logger, RemoteIpProxyScrubber.filter_middleware, [
+  "17.0.0.4/30",
+  "17.17.0.8/30",
+])
+```
+
+## Fixing Rails logs
+
+**Oddly enough**, even with `request.remote_ip` returning the correct value, Rails log will *still* contain IP addresses from your proxy servers. To fix this, you'll need to tell Rails to use a different logger.
+
+```ruby
+# Add the following to config/application.rb or conifg/environments/*.rb
+
+config.middleware.insert_before(Rails::Rack::Logger, RemoteIpProxyScrubber.patched_logger)
+config.middleware.delete(Rails::Rack::Logger)
+```
+
+# Questions? Contributions?
+
+If this gem isn't working for you, feel free to open up an Issue, or a Pull Request if you've got a proposed solution! I maintain this project in my spare time, so your patience is appreciated.
+
+# Credit
+
+Thanks to [Haiku Learning](http://www.haikulearning.com) for sponsoring the initial development of this gem. We're scratching our own itch, but hopefully it's helpful for you too!

data/Rakefile

@@ -0,0 +1,7 @@
+begin
+  require "bundler/gem_tasks"
+rescue LoadError
+  puts "Bundler not available. Install it with: gem install bundler"
+end
+
+Dir[File.join(File.dirname(__FILE__), "lib/tasks/*.rake")].sort.each { |ext| load ext }

data/lib/remote_ip_proxy_scrubber.rb

@@ -0,0 +1,55 @@
+$:.unshift File.dirname(__FILE__)
+
+require 'remote_ip_proxy_scrubber/version'
+
+module RemoteIpProxyScrubber
+  # Add the following to config/application.rb or conifg/environments/*
+  #
+  #     config.middleware.insert_before(Rails::Rack::Logger, RemoteIpProxyScrubber.filter_middleware, [
+  #       "216.73.93.70/31", # www.google.com
+  #       "216.73.93.72/31", # www.google.com
+  #       "17.0.0.0/8",      # Apple
+  #     ])
+  def filter_middleware
+    require 'remote_ip_proxy_scrubber/filter_proxy_ips'
+
+    RemoteIpProxyScrubber::Rails4::FilterProxyIPs
+  end
+  module_function :filter_middleware
+
+  # Returns a Class to be used a rack middleware,
+  # replacing the existing `Rails::Rack::Logger`.
+  #
+  #     config.middleware.insert_before(Rails::Rack::Logger, RemoteIpProxyScrubber.patched_logger)
+  #     config.middleware.delete(Rails::Rack::Logger)
+  def patched_logger
+    require 'remote_ip_proxy_scrubber/remote_ip_logger'
+
+    rails_version = self.rails_version
+    if    rails_version >= Gem::Version.new('4.0.0')
+      RemoteIpProxyScrubber::Rails4::RemoteIPLogger
+    elsif rails_version >= Gem::Version.new('3.2.9')
+      RemoteIpProxyScrubber::Rails3_2_9::RemoteIPLogger
+    elsif rails_version >= Gem::Version.new('3.2.0')
+      RemoteIpProxyScrubber::Rails3_2_0::RemoteIPLogger
+    elsif rails_version >= Gem::Version.new('3.0.6')
+      RemoteIpProxyScrubber::Rails3_1::RemoteIPLogger
+    elsif rails_version >= Gem::Version.new('3.0.0')
+      RemoteIpProxyScrubber::Rails3_0::RemoteIPLogger
+    else
+      fail "Sorry, this gem doesn't know how to monkey-patch the Rails logger for Rails #{rails_version} yet."
+    end
+  end
+  module_function :patched_logger
+
+  def rails_version
+    rails_version = Rails.version rescue nil
+    rails_version ||= RAILS_GEM_VERSION rescue nil
+    if rails_version.nil?
+      fail "Unable to determine the current version of Rails"
+    end
+    Gem::Version.new(rails_version)
+  end
+  module_function :rails_version
+
+end

data/lib/remote_ip_proxy_scrubber/filter_proxy_ips.rb

@@ -0,0 +1,63 @@
+require 'ipaddr'
+
+module RemoteIpProxyScrubber
+  module Rails4
+    class FilterProxyIPs
+      X_FORWARDED_FOR = 'HTTP_X_FORWARDED_FOR'
+
+      attr_reader :proxies
+
+      def initialize(app, *proxy_matchers)
+        @app = app
+
+        @proxies = []
+
+        proxy_matchers.flatten.each do |matcher|
+          @proxies << case matcher
+          when Regexp, IPAddr
+            matcher
+          when String
+            IPAddr.new(matcher)
+          else
+            raise ArgumentError.new("Expected String, IPAddr or Regexp but found #{matcher.class} #{matcher.inspect}")
+          end
+        end
+
+      end
+
+      def call(env)
+        @env = env
+
+        ips = ips_from(X_FORWARDED_FOR)
+        @env[X_FORWARDED_FOR] = filter_proxies(ips).join(', ')
+
+        @app.call(@env)
+      end
+
+      protected
+
+      # Shamelssly copied from Rails 4.2
+      # https://github.com/rails/rails/blob/v4.2.0/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L149-L168
+      def ips_from(header)
+        # Split the comma-separated list into an array of strings
+        ips = @env[header] ? @env[header].strip.split(/[,\s]+/) : []
+        ips.select do |ip|
+          begin
+            # Only return IPs that are valid according to the IPAddr#new method
+            range = IPAddr.new(ip).to_range
+            # we want to make sure nobody is sneaking a netmask in
+            range.begin == range.end
+          rescue ArgumentError
+            nil
+          end
+        end
+      end
+
+      def filter_proxies(ips)
+        ips.reject do |ip|
+          @proxies.any? { |proxy| proxy === ip }
+        end
+      end
+    end
+  end
+end

data/lib/remote_ip_proxy_scrubber/remote_ip_logger.rb

@@ -0,0 +1,87 @@
+# Simplify monkey-patching Rails logging
+# so that it logs the request.remote_ip, not just the ip
+module RemoteIpProxyScrubber
+  # Rails 3.3.0 through 4.x
+  # define the log format in Rails::Rack::Logger#started_request_message
+  # * https://github.com/rails/rails/blob/v4.2.1/railties/lib/rails/rack/logger.rb#L48-L55
+  # * https://github.com/rails/rails/blob/v4.0.0/railties/lib/rails/rack/logger.rb#L48-L55
+  module Rails4
+    class RemoteIPLogger < Rails::Rack::Logger
+      protected
+      def started_request_message(request)
+        'Started %s "%s" for %s at %s' % [
+          request.request_method,
+          request.filtered_path,
+          request.remote_ip,
+          Time.now.to_default_s ]
+      end
+    end
+  end
+  # Rails 3.2.9 through 3.2.x
+  # use the same Rails::Rack::Logger#started_request_message
+  # * https://github.com/rails/rails/blob/v3.2.21/railties/lib/rails/rack/logger.rb#L37-L44
+  # * https://github.com/rails/rails/blob/v3.2.9/railties/lib/rails/rack/logger.rb#L37-L44
+  module Rails3_2_9
+    class RemoteIPLogger < ::RemoteIpProxyScrubber::Rails4::RemoteIPLogger
+    end
+  end
+
+  # Rails 3.2.0 through 3.2.8
+  # define the log format directly in in Rails::Rack::Logger#call_app
+  # * https://github.com/rails/rails/blob/v3.2.8/railties/lib/rails/rack/logger.rb#L22-L29
+  # * https://github.com/rails/rails/blob/v3.2.0/railties/lib/rails/rack/logger.rb#L22-L29
+  module Rails3_2_0
+    class RemoteIPLogger < Rails::Rack::Logger
+      protected
+      def call_app(env)
+        request = ActionDispatch::Request.new(env)
+        path = request.filtered_path
+        Rails.logger.info "\n\nStarted #{request.request_method} \"#{path}\" for #{request.remote_ip} at #{Time.now.to_default_s}"
+        @app.call(env)
+      ensure
+        ActiveSupport::LogSubscriber.flush_all!
+      end
+    end
+  end
+
+  # Rails 3.0.6 through 3.1.X
+  # use the Rails::Rack::Logger#before_dispatch method
+  # * https://github.com/rails/rails/blob/v3.1.12/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.1.0/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.0.20/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.0.6/railties/lib/rails/rack/logger.rb#L20-L26
+  module Rails3_1
+    class RemoteIPLogger < Rails::Rack::Logger
+      protected
+      def before_dispatch(env)
+        request = ActionDispatch::Request.new(env)
+        path = request.filtered_path
+
+        info "\n\nStarted #{request.request_method} \"#{path}\" " \
+             "for #{request.remote_ip} at #{Time.now.to_default_s}"
+      end
+    end
+  end
+
+  # Rails 3.0.0 through 3.0.5
+  # also use the Rails::Rack::Logger#before_dispatch method
+  # but use a slightly different implementation
+  # Rails 3.0.0 through 3.0.3 actually are even more slightly different
+  # but I don't expect the difference to affect our functionality
+  # * https://github.com/rails/rails/blob/v3.0.5/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.0.4/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.0.3/railties/lib/rails/rack/logger.rb#L20-L26
+  # * https://github.com/rails/rails/blob/v3.0.0/railties/lib/rails/rack/logger.rb#L20-L26
+  module Rails3_0
+    class RemoteIPLogger < Rails::Rack::Logger
+      protected
+      def before_dispatch(env)
+        request = ActionDispatch::Request.new(env)
+        path = request.fullpath
+
+        info "\n\nStarted #{request.request_method} \"#{path}\" " \
+             "for #{request.remote_ip} at #{Time.now.to_default_s}"
+      end
+    end
+  end
+end

data/lib/remote_ip_proxy_scrubber/version.rb

@@ -0,0 +1,18 @@
+module RemoteIpProxyScrubber
+  class Version
+    MAJOR = 0
+    MINOR = 1
+    PATCH = 0
+    STRING = "#{MAJOR}.#{MINOR}.#{PATCH}"
+
+    class << self
+      # A String representing the current version of the OEmbed gem.
+      def inspect
+        STRING
+      end
+      alias_method :to_s, :inspect
+    end
+  end
+
+  VERSION = Version::STRING
+end

data/lib/tasks/rspec.rake

@@ -0,0 +1,5 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:specs)
+
+task :default => :specs

data/remote_ip_proxy_scrubber.gemspec

@@ -0,0 +1,42 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'remote_ip_proxy_scrubber/version'
+
+Gem::Specification.new do |s|
+  s.name = "remote_ip_proxy_scrubber"
+  s.version = RemoteIpProxyScrubber::Version.to_s
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Marcos Wright-Kuhns"]
+  s.date = "2015-03-20"
+  s.description = "Make it as easy as possible to prevent Rails from logging IP addresses that belong to proxy devices in your HTTP request chain."
+  s.email = "marcos@wrightkuhns.com"
+  s.homepage = "http://github.com/metavida/remote_ip_proxy_scrubber"
+  s.licenses = ["MIT"]
+
+  s.files = `git ls-files`.split("\n")
+  s.test_files = s.files.grep(%r{^(test|spec|features,integration_test)/})
+
+  s.require_paths = ["lib"]
+  s.rubygems_version = "2.4.6"
+  s.summary = "Help Rails ignore IPs for proxy devices"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rake>, [">= 0"])
+      s.add_development_dependency(%q<rspec>, ["~> 3.0"])
+    else
+      s.add_dependency(%q<rake>, [">= 0"])
+      s.add_dependency(%q<rspec>, ["~> 3.0"])
+    end
+  else
+    s.add_dependency(%q<rake>, [">= 0"])
+    s.add_dependency(%q<rspec>, ["~> 3.0"])
+  end
+end
+

data/spec/filter_proxy_ips_spec.rb

@@ -0,0 +1,171 @@
+require File.dirname(__FILE__) + '/../lib/remote_ip_proxy_scrubber/filter_proxy_ips'
+include SpecHelper
+
+
+# Returns an Array of input argument combinations that should always be tested
+def input_argmuent_variations
+  return @variations if @variations
+
+  @variations = []
+
+  single_args = [
+    '8.8.8.8',                # single string
+    '8.8.8.0/24',             # single string range
+    IPAddr.new('8.8.8.8'),    # single IPAddr
+    IPAddr.new('8.8.8.0/24'), # single IPAddr range
+    /8.8.8.*/,                # single Regexp
+  ]
+
+  single_args.each do |first_arg|
+    @variations << [first_arg]
+    single_args.each do |second_arg|
+      @variations << [first_arg, second_arg]
+    end
+  end
+
+  # Add a "crazy Array" variation
+  @variations << [[single_args[0], [single_args[1]]]]
+
+  @variations
+end
+
+describe RemoteIpProxyScrubber::Rails4::FilterProxyIPs do
+
+  describe ".initialize" do
+    # Test every possible variation of arguments
+    input_argmuent_variations.each do |args|
+      it "should set @proxies to an Array of Regexp and IPAddr, given #{args.inspect}" do
+        proxies = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(:app, *args).proxies
+        expect(proxies).to be_a(Array)
+        proxies.each do |proxy|
+          expect(proxy).to be_a(Regexp).or be_a(IPAddr)
+        end
+      end
+    end
+  end
+
+  describe ".call" do
+    it "should remove a single IP with a simple String" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, '17.0.0.1')
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '8.8.8.8, 17.0.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '8.8.8.8')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should remove multiple IPs with a simple String" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, '17.0.0.1')
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '8.8.8.8, 17.0.0.1, 17.0.0.2, 17.0.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '8.8.8.8, 17.0.0.2')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should remove multiple IPs with a range String" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, '17.0.0.0/4')
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '8.8.8.8, 17.0.0.1, 17.0.0.2, 127.0.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '8.8.8.8, 127.0.0.1')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should remove multiple IPs with a simple IPAddr" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, IPAddr.new('17.0.0.1'))
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '8.8.8.8, 17.0.0.1, 17.0.0.2, 17.0.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '8.8.8.8, 17.0.0.2')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should remove multiple IPs with a range IPAddr" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, IPAddr.new('17.0.0.0/4'))
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '8.8.8.8, 17.0.0.1, 17.0.0.2, 127.0.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '8.8.8.8, 127.0.0.1')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should remove IPs with a Regexp" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app, /^17\./)
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '170.0.0.1, 17.0.0.1, 9.8.7.6, 17.254.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '170.0.0.1, 9.8.7.6')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should NOT remove IPs with no proxy_matches" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app)
+
+      # Then
+      env = double("env")
+      allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { '170.0.0.1, 17.0.0.1, 9.8.7.6, 17.254.0.1' }
+      expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '170.0.0.1, 17.0.0.1, 9.8.7.6, 17.254.0.1')
+
+      # When
+      proxy_filter.call(env)
+    end
+
+    it "should silently remove invalid IPs in the header" do
+      # Given
+      app = double('app').as_null_object
+      proxy_filter = RemoteIpProxyScrubber::Rails4::FilterProxyIPs.new(app)
+
+      invalid_ips = [
+        '127.0.0.500',
+        '17.0.0.1/4',
+        '17.0.0.1/500',
+        'not an IP',
+      ]
+
+      # Then
+      env = double("env")
+      invalid_ips.each do |invalid|
+        allow(env).to receive(:[]).with('HTTP_X_FORWARDED_FOR') { "#{invalid}, 127.0.0.1" }
+        expect(env).to receive(:[]=).with('HTTP_X_FORWARDED_FOR', '127.0.0.1')
+
+        # When
+        proxy_filter.call(env)
+      end
+    end
+  end
+
+end
+

data/spec/remote_ip_proxy_scrubber_spec.rb

@@ -0,0 +1,114 @@
+require File.dirname(__FILE__) + '/../lib/remote_ip_proxy_scrubber'
+include SpecHelper
+
+# Define a few items that we'll stub out during out tests
+class Rails
+  def self.version
+    raise 'this method must be stubbed in our tests'
+  end
+  module Rack
+    class Logger
+    end
+  end
+end
+
+# Backport the Rails methods we need for testing
+class Hash
+  def reverse_merge!(other_hash)
+    replace(other_hash.merge(self))
+  end
+end
+class Array
+  def extract_options!
+    last.is_a?(::Hash) ? pop : {}
+  end
+end
+
+describe RemoteIpProxyScrubber do
+
+  describe ".patched_logger" do
+    rails_versions_to_test = {
+      :Rails4       => %w{4.0.0 4.1.10 4.3.3 5.0.0},
+      :Rails3_2_9   => %w{3.2.9 3.2.29 3.99.999},
+      :Rails3_2_0   => %w{3.2.0 3.2.8},
+      :Rails3_1     => %w{3.0.6 3.0.999 3.1.0 3.1.12 3.1.999},
+      :Rails3_0     => %w{3.0.0 3.0.5},
+    }
+
+    rails_versions_to_test.each do |expected_class, current_rails_versions|
+      expected_class_str = "RemoteIpProxyScrubber::#{expected_class}::RemoteIPLogger"
+      current_rails_versions.each do |rails_version|
+        it "should return #{expected_class_str} for Rails #{rails_version}" do
+          # Given
+          expect(Rails).to receive(:version) { rails_version }
+
+          # Then
+          expect(RemoteIpProxyScrubber.patched_logger).to \
+            be == expected_class_str.constantize
+        end
+      end
+    end
+
+    rails_versions_to_fail = %w{1.0.0 1.2.6 2.0.0 2.99.99 not.a.version}
+
+    rails_versions_to_fail.each do |rails_version|
+      it "should fail for Rails #{rails_version}" do
+        # Given
+        expect(Rails).to receive(:version) { rails_version }
+
+        # Then/When
+        expect {
+          RemoteIpProxyScrubber.patched_logger
+        }.to raise_error
+      end
+    end
+
+    it "should fail if there is no Rails version" do
+      # Given
+      expect(Rails).to receive(:version) { fail NoMethodError.new("No Rails") }
+
+      # Then/When
+      expect {
+        RemoteIpProxyScrubber.patched_logger
+      }.to raise_error
+    end
+
+  end
+
+  describe ".rails_version" do
+    it "should prefer Rails.version if available" do
+      # Given
+      expected_version    = Gem::Version.new('0.0.1')
+      unexpected_version  = Gem::Version.new('0.0.2')
+      expect(Rails).to receive(:version) { expected_version.to_s }
+      redefine_const(Object, :RAILS_GEM_VERSION, unexpected_version.to_s) do
+
+        # Then
+        expect(RemoteIpProxyScrubber.rails_version).to be == expected_version
+      end
+    end
+
+    it "should use RAILS_VERSION if Rails.version isn't available" do
+      # Given
+      expected_version    = Gem::Version.new('0.0.1')
+      expect(Rails).to receive(:version) { fail NoMethodError.new("No Rails") }
+      redefine_const(Object, :RAILS_GEM_VERSION, expected_version.to_s) do
+
+        # Then
+        expect(RemoteIpProxyScrubber.rails_version).to be == expected_version
+      end
+    end
+
+    it "should fail if it can't figure out the version" do
+      # Given
+      expect(Rails).to receive(:version) { nil }
+      redefine_const(Object, :RAILS_GEM_VERSION, nil) do
+
+        # Then
+        expect {
+          RemoteIpProxyScrubber.rails_version
+        }.to raise_error
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,142 @@
+# Conventionally, all specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+
+begin
+  require "codeclimate-test-reporter"
+  CodeClimate::TestReporter.start
+rescue LoadError # Don't fail hard if this gem isn't installed
+end
+
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end
+
+module SpecHelper
+  # Sets $VERBOSE to nil for the duration of the block and back to its original value afterwards.
+  #
+  #   silence_warnings do
+  #     value = noisy_call # no warning voiced
+  #   end
+  #
+  #   noisy_call # warning voiced
+  def silence_warnings
+    old_verbose, $VERBOSE = $VERBOSE, nil
+    yield
+  ensure
+    $VERBOSE = old_verbose
+  end
+
+  # Redefine a constant within this block. For Example:
+  #   class Apache
+  #     CONF_DIR = '/etc/httpd/conf'
+  #   end
+  #
+  #   puts Apache::CONF_DIR #=> '/etc/httpd/conf'
+  #   redefine_const(Apache, :CONF_DIR, '/apache/conf') do
+  #     puts Apache::CONF_DIR #=> '/apache/conf'
+  #   end
+  #   puts Apache::CONF_DIR #=> '/etc/httpd/conf'
+  def redefine_const(klass, name, value)
+    old_value = klass.const_get(name) rescue nil
+    silence_warnings { klass.const_set(name, value) }
+    yield
+  ensure
+    silence_warnings { klass.const_set(name, old_value) }
+  end
+end
+
+class String
+  if RUBY_VERSION >= '2.0.0'
+    def constantize
+      Kernel.const_get(self)
+    end
+  else
+    def constantize
+      Object.module_eval("::#{self}", __FILE__, __LINE__)
+    end
+  end
+end

metadata

@@ -0,0 +1,91 @@
+--- !ruby/object:Gem::Specification
+name: remote_ip_proxy_scrubber
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marcos Wright-Kuhns
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-03-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Make it as easy as possible to prevent Rails from logging IP addresses
+  that belong to proxy devices in your HTTP request chain.
+email: marcos@wrightkuhns.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/remote_ip_proxy_scrubber.rb
+- lib/remote_ip_proxy_scrubber/filter_proxy_ips.rb
+- lib/remote_ip_proxy_scrubber/remote_ip_logger.rb
+- lib/remote_ip_proxy_scrubber/version.rb
+- lib/tasks/rspec.rake
+- remote_ip_proxy_scrubber.gemspec
+- spec/filter_proxy_ips_spec.rb
+- spec/remote_ip_proxy_scrubber_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/metavida/remote_ip_proxy_scrubber
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.6
+signing_key: 
+specification_version: 3
+summary: Help Rails ignore IPs for proxy devices
+test_files:
+- spec/filter_proxy_ips_spec.rb
+- spec/remote_ip_proxy_scrubber_spec.rb
+- spec/spec_helper.rb