Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow config.hosts proc to receive request object #40328

Closed
wants to merge 1 commit into from
Closed

Allow config.hosts proc to receive request object #40328

wants to merge 1 commit into from
+25 −4

Conversation

ajw725
Copy link

@ajw725 ajw725 commented Oct 4, 2020
edited

Didn't get much feedback from the core mailing list, but what I did get was encouraging.

Summary

I wanted a way to skip the host authorization check - which I want to use in production as protection against host header poisoning - for a specific endpoint. With my application set up behind a load balancer on AWS, the host that the application sees on the health check is the IP address of the load balancer, which can change and therefore can't be hard-coded into my application. There is nothing sensitive at the health check endpoint, and I'd like to just skip the check there.

In a Rails 5 app, I just implemented the host filtering stuff in my own custom middleware. I guess I could keep doing that on Rails 6, but since Rails now has its own middleware for this, it seems like all of that functionality should be kept in one place if possible.

ActionDispatch::HostAuthorization accepts a list of allowed values via config.hosts. An item in this list can be anything that responds to ===, which includes a Proc. Passing the entire request object - in addition to the host value - to such a Proc allows for customization like skipping the host authorization check on a particular endpoint, e.g. a health check.

Usage

Rails.application.configure do
  config.hosts += [
    'myapp.com',
    proc { |_host, req| req.path == '/healthcheck' }
  ]
end

Or just

Rails.application.configure do
  config.hosts << proc { |host, req| host == 'myapp.com' || req.path  == '/healthcheck' }
end

Questions and concerns

  • Is passing the request object back into the Proc on every request too unwieldy?
  • Would it be clearer to do allowed.call instead of trying to keep using === for everything?

@rails-bot rails-bot bot added the actionpack label Oct 4, 2020
Allow config.hosts proc to receive request object
0c2c04b 
ActionDispatch::HostAuthorization accepts a list of allowed values via
config.hosts. An item in this list can be anything that responds to
===, which includes a Proc. Passing the entire request object - in
addition to the host value - to such a Proc allows for customization
like skipping the host authorization check on a particular endpoint,
e.g. a health check.
@eugeneius
Copy link
Member

This problem was solved in #38829 by adding a separate exclude option, which is actually closer to your original proposal on the mailing list. I preferred that approach since allowing entries in config.hosts to classify requests by something other than their host felt wrong. Thanks for working on this, and sorry we couldn't go with your implementation.

@eugeneius eugeneius closed this Nov 5, 2020
@ajw725
Copy link
Author

ajw725 commented Nov 8, 2020

Thanks for the update, @eugeneius . Sounds good - glad it's getting implemented in some form!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
actionpack
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ajw725 @eugeneius