adding a blocklist break-glass header for Rack::Attack

When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.

The Rack::Attack docs provide most of the information on how to do this, however the syntax in the current example does not match the format of a header injected into the browser using an extension such as SimpleModifyHeaders.

As it turns out, any such headers are uppercased and prefixed with HTTP_. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would pass it through as HTTP_SUPERSECRETKEY.

The below code snippet illustrates, and also dumps out all headers to the console as a comma delimited list.

class Rack::Attack

  p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~"

  # whitelist by HTTP header
  Rack::Attack.safelist("mark any authenticated user as safe") do |request|

    p "~~ HEADER CHECK ~~"

    p request.env.sort.compact.reject(&:empty?).join(',')

    puts request.env.key?("HTTP_SUPERSECRETKEY")
    puts request.env["HTTP_SUPERSECRETKEY"]
    request.env["HTTP_SUPERSECRETKEY"] == "Hunter2"
  end

end

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s