
Commit d1e19d8

authored
Merge pull request NCCE#7 from NCCE/block-heroku-access
Block Heroku domain access
2 parents 3ac68ba + d02604e commit d1e19d8


5 files changed

+137
-33
lines changed


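--- a/Gemfile
+++ b/Gemfile
@@ -3,31 +3,17 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 ruby '2.5.3'
 
-# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 5.2.1'
-# Use Puma as the app server
+gem 'bootsnap', '>= 1.1.0', require: false
+gem 'cloudflare-rails', '~> 0.4.0'
+gem 'htmlentities', '~> 4.3'
+gem 'nokogiri', '~> 1.8'
+gem 'pg', '~> 1.1'
 gem 'puma', '~> 3.11'
-# Use SCSS for stylesheets
+gem 'rails', '~> 5.2.1'
 gem 'sass-rails', '~> 5.0'
-# Use Uglifier as compressor for JavaScript assets
-gem 'uglifier', '>= 1.3.0'
-# See https://github.com/rails/execjs#readme for more supported runtimes
-# gem 'mini_racer', platforms: :ruby
-# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
 gem 'turbolinks', '~> 5'
-# Use Redis adapter to run Action Cable in production
-# gem 'redis', '~> 4.0'
-# Use ActiveModel has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
-
-# Use ActiveStorage variant
-# gem 'mini_magick', '~> 4.8'
-
-# Use Capistrano for deployment
-# gem 'capistrano-rails', group: :development
-
-# Reduces boot times through caching; required in config/boot.rb
-gem 'bootsnap', '>= 1.1.0', require: false
+gem 'uglifier', '>= 1.3.0'
+gem 'rack-attack', '~> 5.4.2'
 
 group :development, :test do
 # Call 'byebug' anywhere in the code to stop execution and get a debugger console
@@ -39,23 +25,14 @@ group :development do
 # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
 gem 'web-console', '>= 3.3.0'
 gem 'listen', '>= 3.0.5', '< 3.2'
-# Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
 gem 'spring'
 gem 'spring-watcher-listen', '~> 2.0.0'
 end
 
 group :test do
-# Adds support for Capybara system testing and selenium driver
 gem 'capybara', '>= 2.15'
 gem 'selenium-webdriver'
-# Easy installation and use of chromedriver to run system tests with Chrome
 gem 'chromedriver-helper'
 end
 
-# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
-
-gem "pg", "~> 1.1"
-
-gem "htmlentities", "~> 4.3"
-gem "nokogiri", "~> 1.8"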
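Review bot: `gem 'rack-attack', '~> 5.4.2'` at new line 16 is appended after `uglifier`, breaking the alphabetical order this same hunk establishes for the rest of the default group; it belongs between `gem 'puma', '~> 3.11'` and `gem 'rails', '~> 5.2.1'`. Keeping the list sorted makes dependency audits and future merge conflicts in this file easier to deal with.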

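--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -65,6 +65,9 @@ GEM
 chromedriver-helper (2.1.0)
 archive-zip (~> 0.10)
 nokogiri (~> 1.8)
+cloudflare-rails (0.4.0)
+httparty
+rails (~> 5.0)
 concurrent-ruby (1.1.2)
 crass (1.0.4)
 dotenv (2.5.0)
@@ -77,6 +80,9 @@ GEM
 globalid (0.4.1)
 activesupport (>= 4.2.0)
 htmlentities (4.3.4)
+httparty (0.16.3)
+mime-types (~> 3.0)
+multi_xml (>= 0.5.2)
 i18n (1.1.1)
 concurrent-ruby (~> 1.0)
 io-like (0.3.0)
@@ -92,18 +98,24 @@ GEM
 marcel (0.3.3)
 mimemagic (~> 0.3.2)
 method_source (0.9.1)
+mime-types (3.2.2)
+mime-types-data (~> 3.2015)
+mime-types-data (3.2018.0812)
 mimemagic (0.3.2)
 mini_mime (1.0.1)
 mini_portile2 (2.3.0)
 minitest (5.11.3)
 msgpack (1.2.4)
+multi_xml (0.6.0)
 nio4r (2.3.1)
 nokogiri (1.8.5)
 mini_portile2 (~> 2.3.0)
 pg (1.1.3)
 public_suffix (3.0.3)
 puma (3.12.0)
 rack (2.0.6)
+rack-attack (5.4.2)
+rack (>= 1.0, < 3)
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
 rails (5.2.1)
@@ -151,7 +163,6 @@ GEM
 selenium-webdriver (3.141.0)
 childprocess (~> 0.5)
 rubyzip (~> 1.2, >= 1.2.2)
-socksify (1.7.1)
 spring (2.0.2)
 activesupport (>= 4.2)
 spring-watcher-listen (2.0.1)
@@ -193,16 +204,17 @@ DEPENDENCIES
 byebug
 capybara (>= 2.15)
 chromedriver-helper
+cloudflare-rails (~> 0.4.0)
 dotenv-rails
 htmlentities (~> 4.3)
 listen (>= 3.0.5, < 3.2)
 nokogiri (~> 1.8)
 pg (~> 1.1)
 puma (~> 3.11)
+rack-attack (~> 5.4.2)
 rails (~> 5.2.1)
 sass-rails (~> 5.0)
 selenium-webdriver
-socksify (~> 1.7)
 spring
 spring-watcher-listen (~> 2.0.0)
 turbolinks (~> 5)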

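--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -91,4 +91,6 @@
 
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
+
+config.middleware.use Rack::Attack
 end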
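Review bot: `config.middleware.use Rack::Attack` at new line 95 appends the middleware at the tail of the stack, so a request that the blocklist will reject still runs through every earlier middleware (session and cookie handling among them) before it is refused; if the goal is to drop unproxied traffic as early as possible, `config.middleware.insert_before 0, Rack::Attack` places it first. A short comment would also help operators, because this mount and the `REJECT_UNPROXIED_REQUESTS` gate in `config/initializers/rack_attack.rb` are two independent switches that both have to be on: `# Mounts Rack::Attack; the unproxied-request blocklist itself is gated by REJECT_UNPROXIED_REQUESTS in config/initializers/rack_attack.rb`. The same point applies to the identical line in config/environments/staging.rb. The enclosing `Rails.application.configure` block starts outside the hunk.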

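--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -0,0 +1,96 @@
+Rails.application.configure do
+# Settings specified here will take precedence over those in config/application.rb.
+
+# Code is not reloaded between requests.
+config.cache_classes = true
+
+# Eager load code on boot. This eager loads most of Rails and
+# your application in memory, allowing both threaded web servers
+# and those relying on copy on write to perform better.
+# Rake tasks automatically ignore this option for performance.
+config.eager_load = true
+
+# Full error reports are disabled and caching is turned on.
+config.consider_all_requests_local = false
+config.action_controller.perform_caching = true
+
+# Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+# or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+# config.require_master_key = true
+
+# Disable serving static files from the `/public` folder by default since
+# Apache or NGINX already handles this.
+config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
+
+# Compress JavaScripts and CSS.
+config.assets.js_compressor = :uglifier
+# config.assets.css_compressor = :sass
+
+# Do not fallback to assets pipeline if a precompiled asset is missed.
+config.assets.compile = false
+
+# `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
+
+# Enable serving of images, stylesheets, and JavaScripts from an asset server.
+# config.action_controller.asset_host = 'http://assets.example.com'
+
+# Specifies the header that your server uses for sending files.
+# config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+
+# Store uploaded files on the local file system (see config/storage.yml for options)
+config.active_storage.service = :local
+
+# Mount Action Cable outside main process or domain
+# config.action_cable.mount_path = nil
+# config.action_cable.url = 'wss://example.com/cable'
+# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
+
+# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+# config.force_ssl = true
+
+# Use the lowest log level to ensure availability of diagnostic information
+# when problems arise.
+config.log_level = :debug
+
+# Prepend all log lines with the following tags.
+config.log_tags = [ :request_id ]
+
+# Use a different cache store in production.
+# config.cache_store = :mem_cache_store
+
+# Use a real queuing backend for Active Job (and separate queues per environment)
+# config.active_job.queue_adapter = :resque
+# config.active_job.queue_name_prefix = "project_#{Rails.env}"
+
+config.action_mailer.perform_caching = false
+
+# Ignore bad email addresses and do not raise email delivery errors.
+# Set this to true and configure the email server for immediate delivery to raise delivery errors.
+# config.action_mailer.raise_delivery_errors = false
+
+# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+# the I18n.default_locale when a translation cannot be found).
+config.i18n.fallbacks = true
+
+# Send deprecation notices to registered listeners.
+config.active_support.deprecation = :notify
+
+# Use default logging formatter so that PID and timestamp are not suppressed.
+config.log_formatter = ::Logger::Formatter.new
+
+# Use a different logger for distributed setups.
+# require 'syslog/logger'
+# config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
+
+if ENV["RAILS_LOG_TO_STDOUT"].present?
+logger = ActiveSupport::Logger.new(STDOUT)
+logger.formatter = config.log_formatter
+config.logger = ActiveSupport::TaggedLogging.new(logger)
+end
+
+# Do not dump schema after migrations.
+config.active_record.dump_schema_after_migration = false
+
+config.middleware.use Rack::Attack
+end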
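Review bot: `# config.force_ssl = true` at line 50 of the new file is left commented out, so the staging app itself neither marks its cookies `Secure` nor emits Strict-Transport-Security, and `# config.require_master_key = true` at line 19 is likewise off; since this PR's purpose is to make the proxied hostname the only accepted entry point, enabling `config.force_ssl = true` here closes the plaintext path at the application layer as well, regardless of what the proxy does. `config.log_level = :debug` at line 54 also writes every SQL statement to the log in what is presumably a shared, long-lived environment; `:info` is the usual staging choice unless debug output is wanted on purpose. The file otherwise mirrors a generated production config, so the comment at line 59, `# Use a different cache store in production.`, should say `staging`.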

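--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -0,0 +1,17 @@
+# When hosted on Heroku set ENV["REJECT_UNPROXIED_REQUESTS"] to TRUE to prevent responding to requests via *.herokuapp.com domain
+class Rack::Attack
+if ENV['REJECT_UNPROXIED_REQUESTS']
+blocklist('block non-proxied requests in staging & production') do |request|
+raw_ip = request.get_header('HTTP_X_FORWARDED_FOR')
+ip_addresses = raw_ip ? raw_ip.strip.split(/[,\s]+/) : []
+proxy_ip = ip_addresses.last
+
+if !(request.host =~ /heroku/) && ::Rails.application.config.cloudflare.ips.any?{ |proxy| proxy === proxy_ip }
+false
+else
+::Rails.logger.warn "Rack Attack IP Filtering: blocked request from #{proxy_ip} to #{request.url}"
+true
+end
+end
+end
+end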
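Review bot: `if ENV['REJECT_UNPROXIED_REQUESTS']` at line 3 of the new file turns the blocklist on for any non-empty value, including `"false"` or `"0"`, while the header comment tells operators to set it to TRUE; `if ENV['REJECT_UNPROXIED_REQUESTS'].to_s.casecmp?('true')` matches the documented contract (the Gemfile pins Ruby 2.5.3, so `casecmp?` is available). The reliance on `ip_addresses.last` at line 7 deserves a comment, because it only holds when the platform router appends the connecting peer's address to X-Forwarded-For and everything to the left of that entry is client-supplied: `# Trust only the rightmost XFF entry: the platform router appends the connecting peer there; earlier entries are client-controlled`. A request with no X-Forwarded-For leaves `proxy_ip` nil and, assuming `proxy === nil` is false for the configured ranges, is blocked — fail-closed, which is the right default, and worth stating in that same comment. The warning at line 12 interpolates `request.url`, which includes the query string and anything sensitive carried in it; `request.path` gives the same diagnostic value with less exposure.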
