summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorDJ Mountney <david@twkie.net>2016-06-27 12:43:28 -0700
committerDJ Mountney <david@twkie.net>2016-06-29 21:19:55 -0700
commit860785f00757a47e0e3ace973444ba5ad6d9c174 (patch)
treec978419a88720a0637b9497de73bb76b6deea84a /config
parentb32a6add8fa602eb35648f3f4661df8b98d909cb (diff)
downloadgitlab-ce-860785f00757a47e0e3ace973444ba5ad6d9c174.tar.gz
Make Rack::Request use our trusted proxies when filtering IP addressesrack-request-trusted-proxies
This allows us to control the trusted proxies while deployed in a private network. Normally Rack::Request will trust all private IPs as trusted proxies, which can caue problems if your users are connection on you network via private IP ranges. Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
Diffstat (limited to 'config')
-rw-r--r--config/initializers/trusted_proxies.rb13
1 files changed, 13 insertions, 0 deletions
diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
index d256a16d42b..df4a933e22f 100644
--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
@@ -1,3 +1,16 @@
+# Override Rack::Request to make use of the same list of trusted_proxies
+# as the ActionDispatch::Request object. This is necessary for libraries
+# like rack_attack where they don't use ActionDispatch, and we want them
+# to block/throttle requests on private networks.
+# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145
+module Rack
+ class Request
+ def trusted_proxy?(ip)
+ Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
+ end
+ end
+end
+
Rails.application.config.action_dispatch.trusted_proxies = (
[ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies)
).map { |proxy| IPAddr.new(proxy) }