
I have a Rails 3.2.2 application which is a simple company intranet. Although there isn't any private information on there, it's probably best if it were fairly secure from the outside world.

We do, however, have people working from home on fairly regular occasions who don't have a VPN set up.

Currently I have a firewall rule that blocks everyone except a list of our teams'/branches' static IP addresses. The problem with this is that when a team member visits the site from home, the site never loads because the firewall rejects them. What I would like to do is serve a simple page within the application explaining why they don't have "full" access.

The firewall is serving multiple applications, so I can't put the access denied page on there.

I have read a few questions on SO, such as "Get real IP address in local Rails development environment", which show how to get their IP address, but I'm unsure how to alter a default route based on that.

dannymcc
  • Look into routes constraints. And you have access to the request in the routes. – Robin Mar 29 '12 at 22:39
  • Forgive me if I'm missing something, but if your server is rejecting requests from all IPs not on the whitelist, how would such requests even reach the Rails app? – cantlin Mar 29 '12 at 22:39
  • @Dae I would allow all IPs through the firewall once this new route was enabled. – dannymcc Mar 29 '12 at 22:57
  • I see. In that case *"The firewall is serving multiple applications so I can't alter that in anyway specific to this application"* was a somewhat confusing thing to say :) – cantlin Mar 29 '12 at 23:28
  • Ah sorry, I meant "the firewall is serving multiple applications, so I can't put the access denied page on there" – dannymcc Mar 29 '12 at 23:41

2 Answers


Dae raises a good point in the comments, but just so you know:

http://guides.rubyonrails.org/routing.html#advanced-constraints

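```ruby
# Routing constraint: the route matches only when the client IP is on the blacklist.
class BlacklistConstraint
  def initialize
    # Loaded once, when the routes are drawn
    @ips = Blacklist.retrieve_ips
  end

  def matches?(request)
    @ips.include?(request.remote_ip)
  end
end

YourApp::Application.routes.draw do
  # Send every path requested by a blacklisted IP to blacklist#index
  match "*path" => "blacklist#index", :constraints => BlacklistConstraint.new
end
```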
Robin
  • I would disable the firewall rule once this route was added. – dannymcc Mar 29 '12 at 22:59
  • Does this advanced constraint work the same way for whitelists? – dannymcc Mar 29 '12 at 23:00
  • You can do anything you want in the `matches?` method. You could have `Whitelist.retrieve_ips` in the initializer, and then call `!@ips.include?(request.remote_ip)` in `matches?`. – Robin Mar 30 '12 at 00:03

To expand on Robin's Whitelist method, here is my solution using multiple partial whitelisted IPs:

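```ruby
class WhitelistConstraint
  def initialize
    # Entries are compared as text against the start of the client address,
    # so "10.0.0.0/1" is not interpreted as a CIDR range.
    @ips = ["127.0", "10.0.0.0/1"]
  end

  def matches?(request)
    # start_with? rather than include?, so "127.0" cannot match in the
    # middle of an unrelated address such as "8.127.0.5"
    @ips.any? { |prefix| request.remote_ip.start_with?(prefix) }
  end
end
```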
cbron
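
Matching a whitelist against the textual form of an IP address is fragile: a substring test accepts any address that merely contains a listed fragment, and a CIDR string never matches as text. The following is an added example (not code from either answer) that compares a substring matcher with one that parses networks using Ruby's standard `IPAddr`; `FakeRequest`, the class names, the sample addresses and the networks `127.0.0.0/8` and `10.0.0.0/8` are assumptions made for illustration.

```ruby
require 'ipaddr'

# Stand-in for the Rails request (constructed); only remote_ip is used.
FakeRequest = Struct.new(:remote_ip)

# Textual matching: passes any address that contains a listed fragment.
class SubstringWhitelist
  def initialize(fragments)
    @fragments = fragments
  end

  def matches?(request)
    @fragments.any? { |f| request.remote_ip.include?(f) }
  end
end

# Network matching: entries are parsed as CIDR ranges and tested for membership.
class CidrWhitelist
  def initialize(cidrs)
    @networks = cidrs.map { |c| IPAddr.new(c) }
  end

  def matches?(request)
    ip = IPAddr.new(request.remote_ip.to_s)
    @networks.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false # an unparsable address is never whitelisted
  end
end

# Constructed sample client addresses.
SAMPLES = ["127.0.0.1", "10.0.0.7", "203.0.113.9", "8.127.0.5"]

# Returns [address, substring_result, cidr_result] for each sample.
def compare(samples)
  weak = SubstringWhitelist.new(["127.0", "10.0.0.0/1"])
  strict = CidrWhitelist.new(["127.0.0.0/8", "10.0.0.0/8"]) # assumed networks
  samples.map do |ip|
    req = FakeRequest.new(ip)
    [ip, weak.matches?(req), strict.matches?(req)]
  end
end

compare(SAMPLES).each do |ip, weak, strict|
  puts format("%-14s substring=%-5s cidr=%s", ip, weak, strict)
end
```

Either class can be passed to `:constraints` in the same way as the constraint classes in the answers, since Rails only calls `matches?(request)` on it.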