summaryrefslogtreecommitdiff
path: root/config/initializers/trusted_proxies.rb
blob: ca2eed664ed390f55f583da02a2bc11a96353cd4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Override Rack::Request to make use of the same list of trusted_proxies
# as the ActionDispatch::Request object. This is necessary for libraries
# like rack_attack where they don't use ActionDispatch, and we want them
# to block/throttle requests on private networks.
# Rack Attack specific issue: https://github.com/kickstarter/rack-attack/issues/145
module Rack
  class Request
    def trusted_proxy?(ip)
      Rails.application.config.action_dispatch.trusted_proxies.any? { |proxy| proxy === ip }
    rescue IPAddr::InvalidAddressError
      false
    end
  end
end

gitlab_trusted_proxies = Array(Gitlab.config.gitlab.trusted_proxies).map do |proxy|
  begin
    IPAddr.new(proxy)
  rescue IPAddr::InvalidAddressError
  end
end.compact

Rails.application.config.action_dispatch.trusted_proxies = (
  ['127.0.0.1', '::1'] + gitlab_trusted_proxies)

# A monkey patch to make trusted proxies work with Rails 5.0.
# Inspired by https://github.com/rails/rails/issues/5223#issuecomment-263778719
# Remove this monkey patch when upstream is fixed.
if Gitlab.rails5?
  module TrustedProxyMonkeyPatch
    def ip
      @ip ||= (get_header("action_dispatch.remote_ip") || super).to_s
    end
  end

  ActionDispatch::Request.send(:include, TrustedProxyMonkeyPatch)
end