kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/config/initializers/trusted_proxies.rb

34 lines
1.2 KiB
Ruby
Raw Normal View History

Make Rack::Request use our trusted proxies when filtering IP addresses This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges. Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
2016-06-27 15:43:28 -04:00
# Override Rack::Request to make use of the same list of trusted_proxies
# as the ActionDispatch::Request object. This is necessary for libraries
# like rack_attack where they don't use ActionDispatch, and we want them
# to block/throttle requests on private networks.
Enable Layout/TrailingWhitespace cop and auto-correct offenses
2017-08-15 13:44:37 -04:00
# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145
Make Rack::Request use our trusted proxies when filtering IP addresses This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges. Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
2016-06-27 15:43:28 -04:00
module Rack
class Request
def trusted_proxy?(ip)
Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured.
2016-07-31 15:36:11 -04:00
rescue IPAddr::InvalidAddressError
false
Make Rack::Request use our trusted proxies when filtering IP addresses This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges. Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
2016-06-27 15:43:28 -04:00
end
end
end
Ignore invalid trusted proxies in X-Forwarded-For header Certain reverse proxies can send invalid IP addresses in the X-Forwarded-For header For example, Apache can send (null). Closes #20194
2016-07-24 00:01:23 -04:00
gitlab_trusted_proxies = Array(Gitlab.config.gitlab.trusted_proxies).map do |proxy|
Run rubocop -a
2019-03-13 09:42:43 -04:00
IPAddr.new(proxy)
rescue IPAddr::InvalidAddressError
Ignore invalid trusted proxies in X-Forwarded-For header Certain reverse proxies can send invalid IP addresses in the X-Forwarded-For header For example, Apache can send (null). Closes #20194
2016-07-24 00:01:23 -04:00
end.compact
Pass trusted_proxies to action_dispatch as IPAddrs instead of strings Without this setting your own trusted_proxies does not work.
2016-04-28 15:05:45 -04:00
Rails.application.config.action_dispatch.trusted_proxies = (
Enable Style/SpaceInsideBrackets
2017-02-21 18:33:53 -05:00
['127.0.0.1', '::1'] + gitlab_trusted_proxies)
[Rails5] Fix trusted proxies There is a bug in trusted proxies: https://github.com/rails/rails/issues/5223 This commit adds a monkey patch to fix the bug. Example of errors: ``` 1) trusted_proxies with default config preserves private IPs Failure/Error: expect(request.ip).to eq('10.1.5.89') expected: "10.1.5.89" got: nil (compared using ==) # ./spec/initializers/trusted_proxies_spec.rb:12:in `block (3 levels) in <top (required)>' 2) trusted_proxies with default config filters out localhost Failure/Error: expect(request.ip).to eq('10.1.5.89') expected: "10.1.5.89" got: "1.1.1.1" (compared using ==) # ./spec/initializers/trusted_proxies_spec.rb:18:in `block (3 levels) in <top (required)>' ```
2018-05-03 05:14:20 -04:00
# A monkey patch to make trusted proxies work with Rails 5.0.
# Inspired by https://github.com/rails/rails/issues/5223#issuecomment-263778719
# Remove this monkey patch when upstream is fixed.
Remove rails 4 support in CI, Gemfiles, bin/ and config/
2018-12-07 13:15:06 -05:00
module TrustedProxyMonkeyPatch
def ip
@ip ||= (get_header("action_dispatch.remote_ip") || super).to_s
[Rails5] Fix trusted proxies There is a bug in trusted proxies: https://github.com/rails/rails/issues/5223 This commit adds a monkey patch to fix the bug. Example of errors: ``` 1) trusted_proxies with default config preserves private IPs Failure/Error: expect(request.ip).to eq('10.1.5.89') expected: "10.1.5.89" got: nil (compared using ==) # ./spec/initializers/trusted_proxies_spec.rb:12:in `block (3 levels) in <top (required)>' 2) trusted_proxies with default config filters out localhost Failure/Error: expect(request.ip).to eq('10.1.5.89') expected: "10.1.5.89" got: "1.1.1.1" (compared using ==) # ./spec/initializers/trusted_proxies_spec.rb:18:in `block (3 levels) in <top (required)>' ```
2018-05-03 05:14:20 -04:00
end
end
Remove rails 4 support in CI, Gemfiles, bin/ and config/
2018-12-07 13:15:06 -05:00
ActionDispatch::Request.send(:include, TrustedProxyMonkeyPatch)
Copy permalink