From c58ae7ecc98f50b6d22a92c7a6aebffb759974e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A8r=20Kessels?= Date: Tue, 6 Oct 2015 14:06:20 +0200 Subject: [PATCH 1/3] Add ability to allow access to a whitelist of IP-addresses only. --- vendor/cookbooks/rails/libraries/default.rb | 11 +++++++++++ vendor/cookbooks/rails/recipes/default.rb | 3 ++- vendor/cookbooks/rails/recipes/passenger.rb | 3 ++- .../rails/templates/default/app_nginx.conf.erb | 2 ++ .../templates/default/app_passenger_nginx.conf.erb | 4 ++-- .../rails/templates/default/nginx/access.erb | 9 +++++++++ 6 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 vendor/cookbooks/rails/templates/default/nginx/access.erb diff --git a/vendor/cookbooks/rails/libraries/default.rb b/vendor/cookbooks/rails/libraries/default.rb index f60d2bfa..bca0e17e 100644 --- a/vendor/cookbooks/rails/libraries/default.rb +++ b/vendor/cookbooks/rails/libraries/default.rb @@ -16,5 +16,16 @@ def nginx_custom_configuration(app_info) empty_conf.merge(app_info["nginx_custom"] || {}) end + + ## + # Create a rendered set of access and deny rules for nginx conf. + # Ensures we always have a string to render. + def nginx_access(app_info) + # Ensure we always have a hash, and dup to make it writable + access = app_info.fetch("access", {}).dup + access["allowed"] ||= [] + access["denied"] ||= [] + access + end end end diff --git a/vendor/cookbooks/rails/recipes/default.rb b/vendor/cookbooks/rails/recipes/default.rb index 14bc812d..7d939063 100644 --- a/vendor/cookbooks/rails/recipes/default.rb +++ b/vendor/cookbooks/rails/recipes/default.rb 
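Review bot: `app_info.fetch("access", {}).dup` in the new `nginx_access` only falls back to `{}` when the key is absent; an `access` attribute that is present but null (easy to produce from JSON node attributes) yields `nil`, and `nil.dup` either raises or returns `nil` depending on the Ruby version, after which the next line fails on `nil["allowed"]`. Use `access = (app_info["access"] || {}).dup` instead. Since every entry is interpolated verbatim into the nginx config by the new access.erb partial, a malformed address only surfaces later as a failed nginx reload; parsing each entry with `IPAddr.new` in this method (with `require "ipaddr"` at the top of the library) would fail the Chef run with a clear message instead. The enclosing module/class continues outside the hunk.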
@@ -119,7 +119,8 @@ redirect_domain_names: app_info["redirect_domain_names"], client_max_body_size: app_info["client_max_body_size"], enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"), - custom_configuration: nginx_custom_configuration(app_info)) + custom_configuration: nginx_custom_configuration(app_info), + access: nginx_access(app_info)) notifies :reload, resources(service: "nginx") end diff --git a/vendor/cookbooks/rails/recipes/passenger.rb b/vendor/cookbooks/rails/recipes/passenger.rb index de102867..57d99bcb 100644 --- a/vendor/cookbooks/rails/recipes/passenger.rb +++ b/vendor/cookbooks/rails/recipes/passenger.rb @@ -142,7 +142,8 @@ redirect_domain_names: app_info["redirect_domain_names"], client_max_body_size: app_info["client_max_body_size"], enable_ssl: enable_ssl, - custom_configuration: nginx_custom_configuration(app_info)) + custom_configuration: nginx_custom_configuration(app_info), + access: nginx_access(app_info)) notifies :reload, resources(:service => "nginx") end diff --git a/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb b/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb index de13df6a..eb78b70c 100644 --- a/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb +++ b/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb @@ -26,6 +26,7 @@ server { proxy_pass http://<%= @name %>; <%= @custom_configuration["server_app"] %> } + <%= render 'nginx/access.erb', variables: { access: @access } %> <%= @custom_configuration["server_main"] %> } @@ -54,6 +55,7 @@ server { proxy_pass http://<%= @name %>; <%= @custom_configuration["ssl_app"] %> } + <%= render 'nginx/access.erb', variables: { access: @access } %> <%= @custom_configuration["ssl_main"] %> } diff --git a/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb b/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb index 63e70ac0..afd6e11d 100644 
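Review bot: The access partial is rendered at `server` level after the `location /` block in both hunks of app_nginx.conf.erb; nginx's `allow`/`deny` directives are inherited by a location only when that location declares none of its own, so an `allow` or `deny` supplied through `@custom_configuration["server_app"]` or `["ssl_app"]` would take precedence over the per-app list inside `location /` without any warning. A short ERB comment above each render line would record that, e.g. `<%# per-app allow/deny list (server level); location-level rules in custom configuration override it %>`. Both server blocks start outside the hunks.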
--- a/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb +++ b/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb @@ -32,7 +32,7 @@ server { passenger_app_env <%= @rails_env %>; <%= "client_max_body_size #{@client_max_body_size};" if @client_max_body_size.to_i != 0 %> - + <%= render 'nginx/access.erb', variables: { access: @access } %> <%= @custom_configuration["server_main"] %> } @@ -54,8 +54,8 @@ server { <%= "client_max_body_size #{@client_max_body_size};" if @client_max_body_size.to_i != 0 %> server_name <%= @domain_names.join(' ') %>; - root <%= node['rails']['applications_root'] %>/<%= @name %>/current/public; + <%= render 'nginx/access.erb', variables: { access: @access } %> <%= @custom_configuration["ssl_main"] %> } diff --git a/vendor/cookbooks/rails/templates/default/nginx/access.erb b/vendor/cookbooks/rails/templates/default/nginx/access.erb new file mode 100644 index 00000000..afcb7b8e --- /dev/null +++ b/vendor/cookbooks/rails/templates/default/nginx/access.erb @@ -0,0 +1,9 @@ +<% @access["denied"].each do |denied_address| %> + deny <%= denied_address %>; +<% end %> +<% @access["allowed"].each do |allowed_address| %> + allow <%= allowed_address %>; +<% end %> +<% if @access["allowed"].any? %> + deny all; +<% end %> From b6776e144fd73cbc6cb2e0628f08cc2e8aa5d4d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A8r=20Kessels?= Date: Tue, 6 Oct 2015 14:06:52 +0200 Subject: [PATCH 2/3] Add entry for whitelisting to CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b25393e..cf6ec723 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ This project makes use of the [Sementic Versioning](http://semver.org/) ### Added - Set the max db `pool` size via an ENV var called `DB_POOL_SIZE` +- Ability to define per-app IP-address white and blacklists that may access the app. ## 2.5.0 - 2015-04-30 From 13f348db57e688765fc61cb7189c0dc2ef8481f9 Mon Sep 17 00:00:00 2001 
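Review bot: In the second hunk of app_passenger_nginx.conf.erb the collapsed layout makes it ambiguous whether the removed line is the blank line preceding `root …` or the `root <%= node['rails']['applications_root'] %>/<%= @name %>/current/public;` directive itself; the first hunk replaces a blank line, so the intent is presumably the same here, but if `root` was dropped the SSL server block loses the document root Passenger uses to locate the application. Please confirm `root` is still present on the new side of that hunk. Both server blocks now end with the access partial, so once an `allowed` list is configured every other client, including any load-balancer health check that hits this vhost, receives 403; if that is not intended, the checker's source address has to be listed as well.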
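Review bot: The new access.erb emits `deny` entries before `allow` entries, and nginx evaluates access rules in order with the first match winning, so an address present in both lists is denied, a `denied` list on its own acts as a blacklist, and `deny all` is appended only when `allowed` is non-empty; none of this is documented, and the commit adds no README entry for the `access` attribute and its `allowed`/`denied` keys. A leading ERB comment would make the contract visible, e.g. `<%# access["denied"] wins over access["allowed"]; "deny all" is only added when an allow-list is given %>`. Note also that the partial reads `@access` directly, so it can only be rendered via `render 'nginx/access.erb', variables: { access: ... }` and raises `NoMethodError` if that variable is omitted.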
From: =?UTF-8?q?B=C3=A8r=20Kessels?= Date: Wed, 7 Oct 2015 15:07:54 +0200 Subject: [PATCH 3/3] Bump version of rails cookbook. --- vendor/cookbooks/rails/metadata.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/cookbooks/rails/metadata.rb b/vendor/cookbooks/rails/metadata.rb index 09156ef5..12b1ee2a 100644 --- a/vendor/cookbooks/rails/metadata.rb +++ b/vendor/cookbooks/rails/metadata.rb @@ -4,7 +4,7 @@ license "MIT" description "Installs/Configures rails" long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version "0.3.1" +version "0.4.1" depends "rbenv", "~> 1.7.1" depends "sudo", "> 1.2.0" depends "database"