Make Rack::Request use our trusted proxies when filtering IP addresses
What does this MR do?
This allows us to control the trusted proxies while deployed in a private network.
Are there points in the code the reviewer needs to double check?
If we want to limit what is impacted, we can do this specifically for the rack_attack request object.
Why was this MR needed?
Normally Rack::Request will trust all private IPs as trusted proxies, which can cause problems if your users are connecting to your network via private IP ranges.
Normally in a rails app this is handled by action_dispatch request, but rack_attack is specifically using the Rack::Request object instead.
What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17550
Does this MR meet the acceptance criteria?
- CHANGELOG entry added
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the style guides
- Branch has no merge conflicts with master (if you do - rebase it please)
- Squashed related commits together
\cc @stanhu
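To make the problem described above concrete, here is an added example (not code from this MR or from Rack) that re-implements the Rack::Request#ip walk over REMOTE_ADDR and X-Forwarded-For, first with Rack's default "all private ranges are proxies" rule and then with an explicit trusted-proxy list; the proxy address 10.0.0.5 and the client addresses are constructed.

```ruby
require "ipaddr"

# Added example, not the MR's code: a re-implementation of the Rack::Request#ip
# algorithm so the effect of a custom trusted-proxy list can be seen offline.
# Rack's default: every private/loopback range counts as a trusted proxy.
DEFAULT_TRUSTED = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7
].map { |cidr| IPAddr.new(cidr) }

def trusted_proxy?(ip, trusted)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false # garbage in X-Forwarded-For is never a trusted proxy
end

def split_ips(header)
  header.to_s.split(",").map(&:strip).reject(&:empty?)
end

# remote_addr is the TCP peer (REMOTE_ADDR); xff is the raw X-Forwarded-For value.
def client_ip(remote_addr, xff, trusted: DEFAULT_TRUSTED)
  # If the peer itself is not a trusted proxy, the header is not believed at all.
  return remote_addr unless trusted_proxy?(remote_addr, trusted)
  # Drop every trusted hop and take the rightmost survivor, i.e. the address the
  # nearest trusted proxy saw; entries to its left were supplied by the client.
  untrusted = split_ips(xff).reject { |ip| trusted_proxy?(ip, trusted) }
  untrusted.last || remote_addr
end

# Constructed scenario: users on a private LAN reach the app through a reverse
# proxy at 10.0.0.5, which appends their address to X-Forwarded-For.
PROXY = "10.0.0.5"
OUR_PROXIES = [IPAddr.new(PROXY)]

def demo
  {
    # Default rule: the LAN user's 192.168.1.20 is "a proxy" too, so every LAN
    # user collapses to the proxy's address and shares one rack_attack bucket.
    default: client_ip(PROXY, "192.168.1.20"),
    # Explicit list: only 10.0.0.5 is trusted, so the real client survives.
    explicit: client_ip(PROXY, "192.168.1.20", trusted: OUR_PROXIES),
    # A client-supplied leading entry is ignored; the proxy-appended one wins.
    spoofed: client_ip(PROXY, "203.0.113.9, 192.168.1.20", trusted: OUR_PROXIES),
    # A direct connection from an untrusted peer ignores the header entirely.
    direct: client_ip("198.51.100.7", "192.168.1.20", trusted: OUR_PROXIES),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `default` entry shows why rack_attack throttles all private-network users as one address under Rack's built-in rule, and `explicit` shows the behaviour the MR aims for.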
@brodock Miniboss!
Some information on how X-Forwarded-For works, for the endboss. Documentation on how Rack request ip works: http://www.rubydoc.info/gems/rack/Rack/Request#ip-instance_method
It would be a good idea to add an extra comment to the monkey patch linking to the issue: https://github.com/kickstarter/rack-attack/issues/145 so we don't forget in the future to remove it.
@twk3 code/specs look good, please rebase to fix the merge conflict :)
Marked the task CHANGELOG entry added as completed
Marked the task Conform by the style guides as completed
@brodock rebased and added a comment linking to the rack-attack issue
Reassigned to @DouweM
thanks @twk3 :)
mentioned in commit 8a245b80