Revision 04148e79
Added by Riley Shott about 10 years ago
| lib/smart_proxy.rb | ||
|---|---|---|
|
require "dhcp_api" if SETTINGS.dhcp
|
||
|
require "bmc_api" if SETTINGS.bmc
|
||
|
require "chefproxy_api" if SETTINGS.chefproxy
|
||
|
require "resolv" if SETTINGS.trusted_hosts
|
||
|
|
||
|
begin
|
||
|
require "facter"
|
||
| ... | ... | |
|
|
||
|
before do
|
||
|
# If we are using certificates and we reach here then the peer is verified and cannot be spoofed. ALWAYS use certificates OR ELSE!!!
|
||
|
# If we are not using certificates then the hostname can be spoofed but this will still keep out most casual mischief.
|
||
|
if (SETTINGS.trusted_hosts and !SETTINGS.trusted_hosts.empty?) and
|
||
|
!SETTINGS.trusted_hosts.include?(request.env["REMOTE_HOST"].downcase)
|
||
|
log_halt 403, "Untrusted client #{request.env["REMOTE_HOST"].downcase} attempted to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
|
||
|
# If we are not using certificates, and we've specified :trusted_hosts:, we'll check the reverse DNS entry of the remote IP, and ensure it's in our :trusted_hosts: array.
|
||
|
if (SETTINGS.trusted_hosts and !SETTINGS.trusted_hosts.empty?)
|
||
|
begin
|
||
|
remote_fqdn = Resolv.new.getname(request.env["REMOTE_ADDR"])
|
||
|
rescue Resolv::ResolvError => e
|
||
|
log_halt 403, "Unable to resolve hostname for connecting client - #{request.env["REMOTE_ADDR"]}. If it's to be a trusted host, ensure it has a reverse DNS entry." +
|
||
|
"\n\n" + "#{e.message}"
|
||
|
end
|
||
|
if !SETTINGS.trusted_hosts.include?(remote_fqdn.downcase)
|
||
|
log_halt 403, "Untrusted client #{remote_fqdn.downcase} attempted to access #{request.path_info}. Check :trusted_hosts: in settings.yml"
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
Fixes #2259 - trusted hosts work with passenger