rack-cloudflare_middleware
Advanced tools
This is a small Rack middleware for use with the Cloudflare CDN.
We include two middlewares:
Rack::CloudflareMiddleware::RewriteRemoteAddr swaps in CF-Connecting-IP for REMOTE_ADDR if and only if the "real" remote address is a trusted Cloudflare source IP address.Rack::CloudflareMiddleware::DenyOthers returns a 401 for all requests where REMOTE_ADDR is not CloudflareIf you're using Rails, you may want to use cloudflare-rails instead.
This library uses Faraday to dynamically update the list of trusted remote IPs every few hours, and includes a checked-in snapshot which will be used if the dynamic updater fails.
This library is licensed under the ISC license, a copy of which can be found at LICENSE.txt. "Cloudflare" is a registered trademark of Cloudflare, Inc and is used as per the Cloudflare Trademark Guidelines
Add this library to your Gemfile (or otherwise include it with your application), and add it as a middleware in your config.ru; for example, if you're using Sinatra, this might look like:
require "rack/cloudflare_middleware"
require "sinatra"
require "./app"
use Rack::CloudflareMiddleware::DenyOthers, allow_private: true
use Rack::CloudflareMiddleware::RewriteRemoteAddr
run Sinatra::Application
The allow_private kwarg to DenyOthers controls whether or not private and loopback addresses are allowed through. Whether or not you should set this depends on the exact specifics of your deployment environment; often it should be set in development, but not in production.
DenyOthers also takes an on_fail_proc kwarg which receives the request environment and should return an appropriate error response (as a standard Rack tuple of (status, headers, body)). Example usage:
require "rack/cloudflare_middleware"
use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
MyLogger.warn "Bad request from #{env["REMOTE_ADDR"]}"
[403, {"Content-Type" => "text/plain"}, ["you did a bad thing"]]
end
DenyOthers also takes a trusted_request_proc which receives a Rack::Request object and should return a boolean of whether or not the request is to be allowed through regardless of Source IP. This is primarily intended for healthchecks. Example usage:
require "rack/cloudflare_middleware"
use Rack::CloudflareMiddleware::DenyOthers, trusted_request_proc: ->(request) do
request.path.start_with? "/health/check"
end
Both middlewares also include a convenience called trust_xff_if_private mode; this will change them to use the right-most contents of X-Forwarded-For as REMOTE_ADDR if and only if the actual REMOTE_ADDR is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of X-Forwarded-For. There have been many security issues related to Heroku's poor parsing of X-Forwarded-For in their router/load-balancer layer, and may be more in the future.
FAQs
Unknown package
We found that rack-cloudflare_middleware demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control systems.
Security News
Socket CTO Ahmad Nassri discusses why supply chain attacks now target developer machines and what AI means for the future of enterprise security.
Security News
Learn the essential steps every developer should take to stay secure on npm and reduce exposure to supply chain attacks.