From fe2e09eee0d44b0b4b0c4800bf7a6b10a487fd88 Mon Sep 17 00:00:00 2001 From: Joel Van Horn Date: Fri, 14 Sep 2018 19:18:38 -0400 Subject: [PATCH] Updated formatting --- README.md | 106 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 62 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index dbbc9ad..95968a1 100644 --- a/README.md +++ b/README.md @@ -24,27 +24,31 @@ Or install it yourself as: You can block access to non-Cloudflare networks using `Rack::Cloudflare::Middleware::AccessControl`. - require 'rack/cloudflare' +```ruby +require 'rack/cloudflare' - # In config.ru - use Rack::Cloudflare::Middleware::AccessControl +# In config.ru +use Rack::Cloudflare::Middleware::AccessControl - # In Rails config/application.rb - config.middleware.use Rack::Cloudflare::Middleware::AccessControl +# In Rails config/application.rb +config.middleware.use Rack::Cloudflare::Middleware::AccessControl - # Configure custom blocked message (defaults to "Forbidden") - Rack::Cloudflare::Middleware::AccessControl.blocked_message = "You don't belong here..." +# Configure custom blocked message (defaults to "Forbidden") +Rack::Cloudflare::Middleware::AccessControl.blocked_message = "You don't belong here..." - # Fully customize the Rack response (such as making it a redirect) - Rack::Cloudflare::Middleware::AccessControl.blocked_response = lambda do |_env| - [301, { 'Location' => 'https://somewhere.else.xyz' }, ["Redirecting...\n"]] - end +# Fully customize the Rack response (such as making it a redirect) +Rack::Cloudflare::Middleware::AccessControl.blocked_response = lambda do |_env| + [301, { 'Location' => 'https://somewhere.else.xyz' }, ["Redirecting...\n"]] +end +``` Alternatively, using [`Rack::Attack`](https://github.com/kickstarter/rack-attack) you can easily add a "safelist" rule. - Rack::Attack.safelist('Only allow requests through the Cloudflare network') do |request| - Rack::Cloudflare::Headers.trusted?(request.env) - end +```ruby +Rack::Attack.safelist('Only allow requests through the Cloudflare network') do |request| + Rack::Cloudflare::Headers.trusted?(request.env) +end +``` Utilizing the `trusted?` helper method, you can implement a similar check using other middleware. @@ -54,22 +58,26 @@ See _Toolkits: Detect Cloudflare Requests_ for alternative uses. You can set `REMOTE_ADDR` to the correct remote IP using `Rack::Cloudflare::Middleware::RewriteHeaders`. - require 'rack/cloudflare' +```ruby +require 'rack/cloudflare' - # In config.ru - use Rack::Cloudflare::Middleware::RewriteHeaders +# In config.ru +use Rack::Cloudflare::Middleware::RewriteHeaders - # In Rails config/application.rb - config.middleware.use Rack::Cloudflare::Middleware::RewriteHeaders +# In Rails config/application.rb +config.middleware.use Rack::Cloudflare::Middleware::RewriteHeaders +``` You can customize whether rewritten headers should be backed up and what names to use. - # Toggle header backups - Rack::Cloudflare::Headers.backup = false +```ruby +# Toggle header backups +Rack::Cloudflare::Headers.backup = false - # Rename backed up headers (defaults: "ORIGINAL_REMOTE_ADDR", "ORIGINAL_FORWARDED_FOR") - Rack::Cloudflare::Headers.original_remote_addr = 'BACKUP_REMOTE_ADDR' - Rack::Cloudflare::Headers.original_forwarded_for = 'BACKUP_FORWARDED_FOR' +# Rename backed up headers (defaults: "ORIGINAL_REMOTE_ADDR", "ORIGINAL_FORWARDED_FOR") +Rack::Cloudflare::Headers.original_remote_addr = 'BACKUP_REMOTE_ADDR' +Rack::Cloudflare::Headers.original_forwarded_for = 'BACKUP_FORWARDED_FOR' +``` See _Toolkits: Rewrite Headers_ for alternative uses. @@ -77,7 +85,9 @@ See _Toolkits: Rewrite Headers_ for alternative uses. You can enable logging to see what requests are blocked or headers are rewritten. - Rack::Cloudflare.logger = Logger.new(STDOUT) +```ruby +Rack::Cloudflare.logger = Logger.new(STDOUT) +``` Log levels used are INFO, DEBUG and WARN. @@ -87,10 +97,12 @@ Log levels used are INFO, DEBUG and WARN. You can very easily check your HTTP headers to see if the request came from a Cloudflare network. - # Your headers are in a `Hash` format - # e.g. { 'REMOTE_ADDR' => '0.0.0.0', ... } - # Verifies the remote address - Rack::Cloudflare::Headers.trusted?(headers) +```ruby +# Your headers are in a `Hash` format +# e.g. { 'REMOTE_ADDR' => '0.0.0.0', ... } +# Verifies the remote address +Rack::Cloudflare::Headers.trusted?(headers) +``` Note that we can only trust the `REMOTE_ADDR` header to verify a request came from Cloudflare. The `HTTP_X_FORWARDED_FOR` header can be modified and therefore not trusted. @@ -102,17 +114,19 @@ Read this article, for example: [Anatomy of an Attack: How I Hacked StackOverflo We can easily rewrite `REMOTE_ADDR` and add `HTTP_X_FORWARDED_FOR` based on verifying the request comes from a Cloudflare network. - # Get a list of headers relevant to Cloudflare (unmodified) - headers = Rack::Cloudflare::Headers.new(headers).target_headers +```ruby +# Get a list of headers relevant to Cloudflare (unmodified) +headers = Rack::Cloudflare::Headers.new(headers).target_headers - # Get a list of headers that will be rewritten (modified) - headers = Rack::Cloudflare::Headers.new(headers).rewritten_headers +# Get a list of headers that will be rewritten (modified) +headers = Rack::Cloudflare::Headers.new(headers).rewritten_headers - # Get a list of headers relevant to Cloudflare with rewritten values - headers = Rack::Cloudflare::Headers.new(headers).rewritten_target_headers +# Get a list of headers relevant to Cloudflare with rewritten values +headers = Rack::Cloudflare::Headers.new(headers).rewritten_target_headers - # Update original headers with rewritten ones - headers = Rack::Cloudflare::Headers.new(headers).rewrite +# Update original headers with rewritten ones +headers = Rack::Cloudflare::Headers.new(headers).rewrite +``` ### Up-to-date Cloudflare IP addresses @@ -120,17 +134,21 @@ Cloudflare provides a [list of IP addresses](https://www.cloudflare.com/ips/) th A copy of the IPs are kept in [/data](./data/). The list is converted to a `IPAddr` list and is accessible as: - # Configurable list of IPs - # Defaults to Rack::Cloudflare::IPs::DEFAULTS - Rack::Cloudflare::IPs.list +```ruby +# Configurable list of IPs +# Defaults to Rack::Cloudflare::IPs::DEFAULTS +Rack::Cloudflare::IPs.list +``` The list can be updated to Cloudflare's latest published IP lists in-memory: - # Fetches Rack::Cloudflare::IPs::V4_URL and Rack::Cloudflare::IPs::V6_URL - Rack::Cloudflare::IPs.refresh! +```ruby +# Fetches Rack::Cloudflare::IPs::V4_URL and Rack::Cloudflare::IPs::V6_URL +Rack::Cloudflare::IPs.refresh! - # Updates cached list in-memory - Rack::Cloudflare::IPs.list +# Updates cached list in-memory +Rack::Cloudflare::IPs.list +``` ## Credits