From ef92a3016ed6cc561959ae696fa6e0d5b6f0603d Mon Sep 17 00:00:00 2001
From: aki
Date: Tue, 7 Nov 2023 17:54:06 +0900
Subject: [PATCH 1/4] =?UTF-8?q?refactor:=20ActionDispatch::Request#remote?= =?UTF-8?q?=5Fip=E3=82=92=E4=BD=BF=E3=81=A3=E3=81=A6=E5=88=A4=E5=AE=9A?= =?UTF-8?q?=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB=20(close=20#11)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/sg_fargate_rails/maintenance.rb | 4 ++--
 lib/sg_fargate_rails/railtie.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/sg_fargate_rails/maintenance.rb b/lib/sg_fargate_rails/maintenance.rb
index a1ee4db..2c2f3cb 100644
--- a/lib/sg_fargate_rails/maintenance.rb
+++ b/lib/sg_fargate_rails/maintenance.rb
@@ -9,7 +9,7 @@ def initialize(app, options = {})
 end
 def call(env)
- if maintenance_mode?(env) && !public_file_access?(env) && !proxy_access?(Rack::Request.new(env))
+ if maintenance_mode?(env) && !public_file_access?(env) && !proxy_access?(ActionDispatch::Request.new(env))
 headers = { 'Content-Type' => 'text/html' }
 [503, headers, File.open(maintenance_file_path)]
 else
@@ -38,7 +38,7 @@ def maintenance_file_path
 end
 def proxy_access?(req)
- SgFargateRails.config.proxy_access?(req.ip) || req.forwarded_for&.any? { |forwarded_for| SgFargateRails.config.proxy_access?(forwarded_for) }
+ SgFargateRails.config.proxy_access?(req.remote_ip)
 end
 end
 end
diff --git a/lib/sg_fargate_rails/railtie.rb b/lib/sg_fargate_rails/railtie.rb
index 712d2e5..3aae5c2 100644
--- a/lib/sg_fargate_rails/railtie.rb
+++ b/lib/sg_fargate_rails/railtie.rb
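Review bot: In `proxy_access?` (second maintenance.rb hunk) the maintenance bypass now rests entirely on `req.remote_ip`, and `ActionDispatch::Request#remote_ip` falls back to the raw peer address (`ip`) whenever `action_dispatch.remote_ip` is missing from the env, so the check silently changes meaning if Maintenance ever runs ahead of the RemoteIp middleware. A comment above the method would record that dependency, e.g. `# remote_ip is only proxy-aware once SgFargateRails::RemoteIp has run; keep Maintenance after it in the stack`. With `ip_spoofing_check` enabled, the stock RemoteIp resolves the address lazily and can raise `ActionDispatch::RemoteIp::IpSpoofAttackError` from this call; if SgFargateRails::RemoteIp (not shown on this page) behaves the same way, the error would surface inside `call`, and in a default Rails stack RemoteIp sits ahead of ShowExceptions, so it is worth confirming that case is handled. The result is also only as trustworthy as the `trusted_proxies` list passed to that middleware. Both methods extend beyond the lines visible in these hunks.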
@@ -14,8 +14,8 @@ class Railtie < ::Rails::Railtie
 unless ::Rails.env.in?(%w[development test])
 app.config.middleware.insert 0, SgFargateRails::AdjustCloudfrontHeaders
 app.config.middleware.insert 1, SgFargateRails::Healthcheck
- app.config.middleware.insert 2, SgFargateRails::Maintenance
 app.config.middleware.swap ActionDispatch::RemoteIp, SgFargateRails::RemoteIp, app.config.action_dispatch.ip_spoofing_check, app.config.action_dispatch.trusted_proxies
+ app.config.middleware.insert_after SgFargateRails::RemoteIp, SgFargateRails::Maintenance
 end
 ActiveSupport.on_load(:good_job_application_controller) do
From 1a93f398724d5c4cceb71531d0a0f6cb59912e37 Mon Sep 17 00:00:00 2001
From: aki
Date: Tue, 7 Nov 2023 17:57:10 +0900
Subject: [PATCH 2/4] =?UTF-8?q?refactor:=20middleware=E3=82=92=E6=9C=89?= =?UTF-8?q?=E5=8A=B9=E3=81=A8=E3=81=99=E3=82=8B=E7=92=B0=E5=A2=83=E3=82=92?= =?UTF-8?q?=E8=A8=AD=E5=AE=9A=E5=8F=AF=E8=83=BD=E3=81=AB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/sg_fargate_rails/config.rb | 2 ++
 lib/sg_fargate_rails/railtie.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/sg_fargate_rails/config.rb b/lib/sg_fargate_rails/config.rb
index 0996dc7..597606a 100644
--- a/lib/sg_fargate_rails/config.rb
+++ b/lib/sg_fargate_rails/config.rb
@@ -1,6 +1,7 @@
 module SgFargateRails
 class Config
 attr_reader :proxy_ip_addresses
+ attr_accessor :middleware_enabled_rails_envs
 # NOTE: good_jobダッシュボードへのアクセスをproxy経由のアクセスに制限するかどうか
 attr_accessor :restrict_access_to_good_job_dashboard
@@ -8,6 +9,7 @@ class Config
 def initialize
 self.proxy_ip_addresses = ENV['SG_PROXY_IP_ADDRESSES']
 self.restrict_access_to_good_job_dashboard = Rails.env.production?
+ self.middleware_enabled_rails_envs = %w[production staging]
 end
 def proxy_ip_addresses=(ip_addresses)
diff --git a/lib/sg_fargate_rails/railtie.rb b/lib/sg_fargate_rails/railtie.rb
index 3aae5c2..4110b5a 100644
--- a/lib/sg_fargate_rails/railtie.rb
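Review bot: In the [PATCH 1/4] railtie.rb hunk, `insert_after SgFargateRails::RemoteIp` moves Maintenance from index 2 to wherever RemoteIp sits, so every middleware ahead of RemoteIp now handles a request before the maintenance check instead of after it. Depending on the application's stack that can include static file serving and host checks, which may answer a request without it ever reaching the 503 branch; that is probably acceptable, but it should be a deliberate choice. The new position is also what makes `req.remote_ip` meaningful inside Maintenance, and nothing in the code says so; I would add `# Maintenance reads request.remote_ip, so it must stay after the RemoteIp swap` above the new line. The enclosing initializer block starts outside this hunk.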
+++ b/lib/sg_fargate_rails/railtie.rb
@@ -11,7 +11,7 @@ class Railtie < ::Rails::Railtie
 end
 initializer :initialize_sg_fargate_rails do |app|
- unless ::Rails.env.in?(%w[development test])
+ if SgFargateRails.config.middleware_enabled_rails_envs.include?(Rails.env)
 app.config.middleware.insert 0, SgFargateRails::AdjustCloudfrontHeaders
 app.config.middleware.insert 1, SgFargateRails::Healthcheck
 app.config.middleware.swap ActionDispatch::RemoteIp, SgFargateRails::RemoteIp, app.config.action_dispatch.ip_spoofing_check, app.config.action_dispatch.trusted_proxies
From 4101c7a486992ab8bd569598a3a74ed5861d85f5 Mon Sep 17 00:00:00 2001
From: aki
Date: Tue, 7 Nov 2023 18:10:35 +0900
Subject: [PATCH 3/4] =?UTF-8?q?fix:=20=E5=88=9D=E6=9C=9F=E5=8C=96=E3=81=AE?= =?UTF-8?q?=E3=82=BF=E3=82=A4=E3=83=9F=E3=83=B3=E3=82=B0=E8=AA=BF=E6=95=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/sg_fargate_rails/railtie.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/sg_fargate_rails/railtie.rb b/lib/sg_fargate_rails/railtie.rb
index 4110b5a..19af7e1 100644
--- a/lib/sg_fargate_rails/railtie.rb
+++ b/lib/sg_fargate_rails/railtie.rb
@@ -10,7 +10,7 @@ class Railtie < ::Rails::Railtie
 load File.expand_path('../tasks/sg_fargate_rails.rake', __dir__)
 end
- initializer :initialize_sg_fargate_rails do |app|
+ initializer :initialize_sg_fargate_rails, after: :load_config_initializers do |app|
 if SgFargateRails.config.middleware_enabled_rails_envs.include?(Rails.env)
 app.config.middleware.insert 0, SgFargateRails::AdjustCloudfrontHeaders
 app.config.middleware.insert 1, SgFargateRails::Healthcheck
From 8fcd0c2eb9e46dcea5e69da172829dd9eab04489 Mon Sep 17 00:00:00 2001
From: aki
Date: Wed, 8 Nov 2023 09:53:49 +0900
Subject: [PATCH 4/4] refactor: middleware_enabled_rails_envs to middleware_enabled
---
 lib/sg_fargate_rails/config.rb | 4 ++--
 lib/sg_fargate_rails/railtie.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
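Review bot: The `after: :load_config_initializers` option added in the [PATCH 3/4] hunk is load-bearing but unexplained: it is what lets an application's `config/initializers` change `SgFargateRails.config` and `action_dispatch.trusted_proxies` before the block reads them. A one-line comment above the initializer, such as `# Run after config/initializers so app overrides of SgFargateRails.config and trusted_proxies are visible here`, would keep a later cleanup from dropping the option and quietly reverting to the defaults. The block body continues past the end of this hunk.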
diff --git a/lib/sg_fargate_rails/config.rb b/lib/sg_fargate_rails/config.rb
index 597606a..5739e67 100644
--- a/lib/sg_fargate_rails/config.rb
+++ b/lib/sg_fargate_rails/config.rb
@@ -1,7 +1,7 @@
 module SgFargateRails
 class Config
 attr_reader :proxy_ip_addresses
- attr_accessor :middleware_enabled_rails_envs
+ attr_accessor :middleware_enabled
 # NOTE: good_jobダッシュボードへのアクセスをproxy経由のアクセスに制限するかどうか
 attr_accessor :restrict_access_to_good_job_dashboard
@@ -9,7 +9,7 @@ class Config
 def initialize
 self.proxy_ip_addresses = ENV['SG_PROXY_IP_ADDRESSES']
 self.restrict_access_to_good_job_dashboard = Rails.env.production?
- self.middleware_enabled_rails_envs = %w[production staging]
+ self.middleware_enabled = !Rails.env.development? && !Rails.env.test?
 end
 def proxy_ip_addresses=(ip_addresses)
diff --git a/lib/sg_fargate_rails/railtie.rb b/lib/sg_fargate_rails/railtie.rb
index 19af7e1..53d3439 100644
--- a/lib/sg_fargate_rails/railtie.rb
+++ b/lib/sg_fargate_rails/railtie.rb
@@ -11,7 +11,7 @@ class Railtie < ::Rails::Railtie
 end
 initializer :initialize_sg_fargate_rails, after: :load_config_initializers do |app|
- if SgFargateRails.config.middleware_enabled_rails_envs.include?(Rails.env)
+ if SgFargateRails.config.middleware_enabled
 app.config.middleware.insert 0, SgFargateRails::AdjustCloudfrontHeaders
 app.config.middleware.insert 1, SgFargateRails::Healthcheck
 app.config.middleware.swap ActionDispatch::RemoteIp, SgFargateRails::RemoteIp, app.config.action_dispatch.ip_spoofing_check, app.config.action_dispatch.trusted_proxies
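Review bot: `middleware_enabled` in config.rb carries no comment, unlike the `# NOTE:` on `restrict_access_to_good_job_dashboard`, yet in railtie.rb it switches off every stack change at once, including the RemoteIp swap and Maintenance. I would document it next to the accessor, e.g. `# NOTE: gates AdjustCloudfrontHeaders, Healthcheck, the RemoteIp swap and Maintenance; set it in config/initializers`. The railtie tests the value with a bare `if`, so any non-nil value, including the string `"false"` taken from an environment variable, enables the middleware; a writer that accepts only booleans would make the contract explicit. The `on_load(:good_job_application_controller)` hook visible in the [PATCH 1/4] railtie hunk sits outside this conditional, so it is worth checking that the dashboard restriction still resolves client addresses as intended when the flag is false.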