Comments (9)
@RyanNaughton @tawan instead of making a local check optional, which is a security hole, how about allowing a configuration variable be set that holds the allowed/trusted network. For example (not proposed code, just to give an example):
# Assuming the configuration pattern is implemented.
ActiveElasticJob.configure do |c|
c.allowed_network = "172.17.0.0/16"
end
def in_allowed_network?(ip)
IPAddr.new(ActiveElasticJob.config.allowed_network).include?(ip)
end
# In the wild.
unless request.local? || in_allowed_network?(request.ip)
m = "Accepts only requests from localhost for job processing".freeze
return ['403', {CONTENT_TYPE_HEADER_NAME => 'text/plain' }, [ m ]]
end
Sorry for the messy code, just letting the idea flow and typing on my phone.
from active-elastic-job.
@RyanNaughton Thanks for the submission. Sorry for my late reply, I was on the road the recent days.
I'm thinking of introducing an optional environment variable, that overrides the check for a local IP. In your case, would the remote_ip always resolve to 172.17.0.1
or does it change between deployments?
from active-elastic-job.
@RyanNaughton
from active-elastic-job.
@RyanNaughton @tawan I am under the impression we could handle this gracefully. There is no need to check for a custom ip address. The problem is actually forbiding a non-private ip address to deliver requests to the worker. It is just a matter of following RFC1918.
Follow this link: https://github.com/ipaddress-gem/ipaddress/blob/master/lib/ipaddress/ipv4.rb
Go to line 618, there you find an example implementation that would filter the correct ip addresses and avoid forcing the user to configure yet another thing.
from active-elastic-job.
@zaaroth
from active-elastic-job.
@zaaroth I did have a concern with this idea initially, since all EC2 instances have a private IP assigned. I was thinking that an unwanted message could get through from an unauthorized instance
Other than that, I do like this idea. It's more elegant and like you said no more steps needed to allow a local network -- it's taken care of.
@tawan what do you think? If you like it, I can amend PR #30.
from active-elastic-job.
from active-elastic-job.
@mdoza @zaaroth Thanks for your input and @mdoza thank you for your PR.
I took a step back and thought again about why this issue was actually created. The problem only exists if the application is deployed in a Docker environment. I think we got carried away a little be too much when we were thinking about allowing a user configured network. We actually only have to deal with the Docker case. The docs of Docker make it clear that if not configured otherwise, than the host will have the IP 172.17.0.1
. So if we check if the request comes from this particular IP and if the application runs inside a Docker container, then this should be sufficient. See my commit 68711d9.
What do you think?
from active-elastic-job.
@tawan sehr gut. Stays within the scope of fixing the original issue. Simple and elegant.
from active-elastic-job.
Related Issues (20)
- Request body should be rewound by consumer
- Requests from sqs deamon forbidden HOT 3
- Applying new patches HOT 1
- Job gets enqueued but code in perform function won't run HOT 10
- Very long delay when enqueuing new jobs (~38 seconds) HOT 2
- Rails6 ActiveJob::QueueAdapters::ActiveElasticJobAdapter::NonExistentQueue HOT 1
- Is this actively maintained? HOT 7
- ActionController::RoutingError (No route matches [POST] "/scheduled"): HOT 1
- Trigger Rails Job from Java Service
- update aws-sdk-sqs HOT 3
- Rails 6.1 - Running inside Docker
- Version bumps should automatically update integration testing Gemfile.lock files
- Add support for Rails 7 and Ruby 3 HOT 1
- Delete periodic task from cronjob.yaml HOT 1
- EB docker environment Nginx 502 gateway errors HOT 5
- Question regarding active_storage_analysis HOT 1
- /var/proxy/staging/nginx/conf.d/read_timeout.conf disappears HOT 4
- Configure queue url for multiple AWS accounts HOT 24
- SQS message timeout response
- Comparison to aws-sdk-sqs, and how to boot the worker? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from active-elastic-job.