98

I needed the new function in ActiveStorage to resize_to_fill so I upgraded to Ruby 2.5.1 and Rails 6.

ruby '2.5.1'

gem "rails", github: "rails/rails"

When I stopped, then restarted my server (Cloud 9), I received the below Rails error:

Blocked host: xxxxxxx-xxxxxxx.c9users.io
To allow requests to xxxxxxx-xxxxxxx.c9users.io, add the following configuration:

Rails.application.config.hosts << "xxxxxxx-xxxxxxx.c9users.io"

I've tried restarting, new windows, but nothing worked. I've never seen this error before. I'm guessing the new version of Rails is doing something?

Channa
Tony S.
  • I created a new app to test if it was my original app or every app. It was already running ruby 2.5.1. I changed the Gemfile to use edge Rails (6), `gem 'rails', github: 'rails/rails'` as I did before. I started the server and it did the same thing, gave the same error. – Tony S. Dec 21 '18 at 02:42
  • 1
    I added `Rails.application.config.hosts << "xxxxxxx-xxxxxxx.c9users.io"` to `config/application.rb` and it fixed my test app fine. Then I did it to my real app and it also worked. The problem is, Devise threw an error as well, which apparently won't be fixed until at least Rails 6 beta. I guess I'm going back to Carrierwave for my image sizing needs until ActiveStorage is more mature. – Tony S. Dec 21 '18 at 02:55

13 Answers

132

Blocked Host is a new feature of Rails 6. You can add this pattern to your `config/environments/development.rb` so you don't have to worry about it with dynamic URLs:

config.hosts << /[a-z0-9]+\.c9users\.io/

Also, for ngrok users, just replace `c9users` above with `ngrok`.

Update: ngrok currently uses `-` and `.` in the subdomains of its URLs, so this should be accurate: `config.hosts << /[a-z0-9-.]+\.ngrok\.io/`

Source: https://github.com/MikeRogers0/puma-ngrok-tunnel

Dat Le Tien
  • 2
    Best answer imo, since it shows usage of regex. Noteworthy: I had to **restart my rails server** in order for the change to take effect. Ymmv. – panepeter Nov 10 '20 at 13:48
  • Honestly, this is the best solution for NGROK users, because it allows you to get rid of those stupid gems that make you do this anyway. +10000 – oriont Nov 23 '20 at 21:13
  • 3
    Great answer, however be aware that ngrok can use dashes (-) in their URLs so the best regex for ngrok will be `config.hosts << /[a-z0-9-]+\.ngrok\.io/` – johnpitchko Nov 05 '21 at 12:26
  • Just do `config.hosts << '.c9users.io'`, this takes care of any subdomain and is simpler. See my answer for details. – Jerome Dalbert Dec 07 '21 at 03:10
  • 1
    Note that ngrok can use multiple level subdomain like 123.eu.ngrok.io so adding a dot would cover that case as well: `config.hosts << /[a-z0-9-.]+\.ngrok\.io/` – duleorlovic Sep 06 '22 at 12:32
  • The last dash in `[a-z0-9-.]` looks like a special character, might be better to escape it: `[a-z0-9\-.]` – Rich Steinmetz Oct 14 '22 at 12:35
  • 3
    `config.hosts << /[a-z0-9\-]+\.ngrok-free\.app/` is required for free accounts – knagode Apr 08 '23 at 16:22
78

If you want to disable this functionality on your development environment, you can add `config.hosts.clear` to `config/environments/development.rb`.

bjnord
kobaltz
  • 5
    This didn't work for me, but `config.hosts.clear` did. – manuelmhtr Jul 22 '20 at 14:51
  • You're correct; I edited the answer to change it. – bjnord Apr 03 '21 at 17:24
  • This is the best option IMHO for development env. For production environments it's better to set the restriction correctly. – funder7 Aug 16 '21 at 15:55
  • 3
    Don't do this. Disabling this functionality leaves your localhost vulnerable to DNS rebinding attacks, resulting in attackers potentially getting full access to your local Rails app. See my answer for details. – Jerome Dalbert Dec 07 '21 at 03:11
37

Add these lines to config/environments/development.rb

  config.hosts << /.*\.ngrok\.io/
  config.hosts << /.*\.ngrok-free\.app/

Restart your rails server and it will work

Note: As of 2023, ngrok now requires an auth token. If you haven't set it up, go here, log in, and copy the line it gives you to your terminal:

ngrok config add-authtoken <your token>

You should be up and going in a couple of minutes. If you get stuck, there's a nice explainer here

stevec
  • Your regex doesn't always work, depending on the server you get. I get a xxxx.eu.ngrok.io domain name. (.eu is added before the ngrok.io domain name) – gamecreature Jul 04 '22 at 07:42
  • 1
    @gamecreature thanks for letting me know. I updated the answer to generalise the regex. I think it's simpler now, and less fragile. – stevec Jul 04 '22 at 16:33
16

This article worked for me:

  1. The first option is to whitelist the hostnames in config/environments/development.rb:

    Rails.application.configure do
      config.hosts << "hostname" # Whitelist one hostname
      config.hosts << /application\.local\Z/ # Whitelist a test domain
    end
    
  2. The second option is to clear the entire whitelist, which lets through requests for all hostnames:

    Rails.application.configure do
      config.hosts.clear
    end
    

Credit goes to Manfred Stienstra.

oldhomemovie
Kiry Meas
15

To allow requests from any subdomain of ngrok.io (or other service), the simplest solution is to prepend it with `.` like so:

# config/environments/development.rb

Rails.application.configure do

  ...

  config.hosts << '.ngrok.io'
end

No need to use a regexp for subdomains like mentioned in some other answers.

PS: don't disable this functionality by doing `config.hosts.clear` as mentioned in some other answers, as this defeats the purpose of Rails' DNS rebinding protection, and under the right circumstances an outside attacker could gain full access to your local Rails app information (source).

Jerome Dalbert
  • 1
    I sure hope people aren't running Production code under an `development` environment. – Pants Jul 01 '22 at 15:05
5

In Rails 6, Action Pack introduced `ActionDispatch::HostAuthorization`, which by default allows only `[IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"]`.

You can add arrays of RegExp, Proc, IPAddr and String, or a single String, in the file `config/application.rb` like this:

class Application < Rails::Application
  config.hosts << "xxxxxxx-xxxxxxx.c9users.io"
  ...
end

From "https://drivy.engineering/rails-6-unnoticed-features":

Rails 6 added a new middleware called ActionDispatch::HostAuthorization allowing you to whitelist some hosts for your application and preventing Host header attacks. You can easily configure it with a String, IPAddr, Proc and RegExp (useful when dealing with wildcard domains).

Donapieppo
  • A little late in seeing this one but thanks for the info. I'll have to check this out. – Tony S. Apr 15 '20 at 18:25
  • 1
    Rails.application.config.hosts << ".product.com" allows all sub domains for product.com - at least in Rails 6 – EastSw Oct 17 '20 at 18:59
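
Added example (not part of the original answers, and not Rails source code): a simplified Ruby model of how the kinds of allow-list entries discussed on this page behave against constructed Host headers, including a regexp with unescaped dots and an emptied list. The helper names, the whole-string anchoring and the optional-port handling are assumptions of this sketch.

```ruby
require "ipaddr"

# Simplified model of a host allow-list (hypothetical helpers, not Rails source).
# Assumed here: Regexp entries are anchored to the whole Host value, an optional
# ":port" suffix is tolerated, and ".example.com" covers the domain plus subdomains.
PORT = /(?::\d+)?/

def entry_to_matcher(entry)
  case entry
  when Regexp then /\A#{entry}#{PORT}\z/
  when String
    if entry.start_with?(".")
      /\A([a-z0-9-]+\.)*#{Regexp.escape(entry[1..-1])}#{PORT}\z/i
    else
      /\A#{Regexp.escape(entry)}#{PORT}\z/i
    end
  else entry # IPAddr or Proc: both respond to ===
  end
end

def host_allowed?(hosts, host_header)
  return true if hosts.empty? # models config.hosts.clear: nothing is checked
  hosts.any? do |entry|
    candidate = entry.is_a?(IPAddr) ? IPAddr.new(host_header) : host_header
    entry_to_matcher(entry) === candidate
  rescue IPAddr::Error
    false # Host value is not an IP address, so an IPAddr entry cannot match
  end
end

# Constructed sample Host headers; the last two are not ngrok subdomains.
SAMPLES = ["abc123.ngrok.io", "123.eu.ngrok.io", "abc123.ngrok.io:3000",
           "evil-ngrok.io", "ngrok.io.evil.example"]

RULES = {
  "leading-dot string" => [".ngrok.io"],
  "escaped regexp"     => [/[a-z0-9.-]+\.ngrok\.io/],
  "unescaped dots"     => [/[a-z0-9.-]+.ngrok.io/], # "." matches any character
  "cleared list"       => [],
}

# Returns, per rule set, the sample hosts that would be let through.
def report
  RULES.transform_values { |hosts| SAMPLES.select { |h| host_allowed?(hosts, h) } }
end

report.each { |name, ok| puts "#{name}: #{ok.join(', ')}" } if __FILE__ == $0
```

The leading-dot string and the escaped regexp admit the same three tunnel hosts, the unescaped pattern additionally admits `evil-ngrok.io`, and the cleared list admits every sample.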
5

I added Rails.application.config.hosts << "xxxxxxx-xxxxxxx.c9users.io" to config/application.rb and it fixed my test app fine. Then I did it to my real app and it also worked. The problem is, Devise threw an error as well, which apparently won't be fixed until at least Rails 6 beta. I guess I'm going back to Carrierwave for my image sizing needs until ActiveStorage is more mature.

E_net4
Tony S.
4

In Rails 6, when you want to allow host from ngrok v2.3.40, add this config into config/environments/development.rb

config.hosts << /[a-z0-9\-]+\.ap\.ngrok\.io/

Restart server and enjoy

Tâm Lê
4

Add this line to config/environments/development.rb

config.hosts << /.+\.ngrok\.io:\d+/

Most of the responses I see are missing the port part of the URL. If you are accessing this URL on a specific port (typically `:3000`), the `:\d+` part of the regular expression is necessary.

It will work after restarting your server.

Fran Martinez
  • 1
    I have been using Rails 6 since it was released and never had to add localhost to config allowed hosts, until 2022. I guess maybe a small point release added the requirement to add the port, so I appreciate this response mentioning it. Thanks! – Sammy Larbi Jan 05 '22 at 15:55
  • yes, that's weird. I don't have to add it for localhost, because it's added by default. You shouldn't need to add it unless you are removing the defaults somewhere. – Fran Martinez Jan 10 '22 at 11:25
  • 1
    Can't emphasize this enough! I get many many questions from people who have just followed the literal instructions in the "helpful" Rails error page to add a hostname to config.hosts, but it's also important to include the port number or at least a regex that matches a port number! – cvkline Mar 08 '22 at 05:11
4

config.hosts = nil

Use this in `development.rb` and restart your Rails server. It works for me, and it will work.

Karim Tarek
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 16 '22 at 06:40
2

In order to support hyphens in the ngrok subdomain name and region, you need to change `config.hosts` in `config/environments/development.rb` to `/[a-z0-9.-]+\.ngrok\.io/`

Example:

  # Dots outside the character class are escaped so they match only a literal "."
  config.hosts = (config.hosts rescue []) << /[a-z0-9.-]+\.ngrok\.io/
itsazzad
1

HEADS UP: You may whitelist your host with the config `application.config.hosts << 'your_unvalid_host_name'` but still have the error. The error message is currently not accurate in this case. See this issue. You should not use a hostname with an underscore. NB: `application.config.hosts.clear` works in this case.

pimpin
-1

First run `ngrok 3000` in one terminal, then open a new terminal and run `rails s`... then you can see that ngrok and `rails s` can both run simultaneously...

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – MD. RAKIB HASAN Dec 15 '21 at 07:02