[Suggestion] Add upstream param to listen statement

Eric Wong normalperson at yhbt.net
Wed May 23 18:50:22 UTC 2012


Manuel Valente <manuel.valente at gmail.com> wrote:
> Hi,
> 
> It would be nice to be able to reject all incoming requests to
> unicorn if they do not originate from our upstream http server.
> 
> An additional parameter to the listen statement is perhaps the best
> way to achieve this:
> 
> server.listen(addr, :tries => -1, :delay => 5, :backlog => 128,
> :upstream => '10.0.0.1')
> 
> This param could be a string or an array of IP addresses.

iptables (or whatever firewall module that comes with your OS)
is far more efficient than anything in userspace for rejecting
IPs entirely.

You can also do this in middleware by checking env["REMOTE_ADDR"].
I'll sometimes do something like this to reject certain HTTP
methods (POST/PUT/DELETE), but let GET/HEAD requests through:

# totally untested code for Rack middleware:
class Rejector
  # Rack builds middleware with Rejector.new(app, *args), which calls initialize
  def initialize(app, bad_ips)
    @bad_ips = bad_ips
    @app = app
  end

  def call(env)
    case env["REQUEST_METHOD"]
    when "POST", "DELETE", "PUT"
      return [ 403, {}, [] ] if @bad_ips.include?(env["REMOTE_ADDR"])
    end
    @app.call(env)
  end
end

---------- config.ru --------------
require 'set'
require 'rejector'
# Set.new takes an enumerable, so the address goes in an array
use Rejector, Set.new(["10.0.0.1"])
run YourApp.new


Instead of Set, you can also check out rpatricia for netmasks:
http://www.goto.info.waseda.ac.jp/~tatsuya/rpatricia/
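An allowlist variant of the middleware approach above, as an added example that is not part of the original post and not unicorn code: it admits only the upstream addresses and fails closed on anything else. The class name UpstreamOnly and its arguments are hypothetical, and Ruby's standard IPAddr is used for netmask matching in place of rpatricia.

```ruby
require 'ipaddr'

# Added example, not from the original thread. UpstreamOnly and its
# parameters are hypothetical names chosen for illustration.
class UpstreamOnly
  FORBIDDEN = [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]].freeze

  # allowed: address or CIDR strings, e.g. "10.0.0.1" or "192.168.5.0/24"
  # methods: nil guards every request; an array guards only those methods
  def initialize(app, allowed, methods = nil)
    @app = app
    @nets = allowed.map { |s| IPAddr.new(s) } # a bad entry raises at boot
    @methods = methods
  end

  def call(env)
    if @methods.nil? || @methods.include?(env['REQUEST_METHOD'])
      return FORBIDDEN unless upstream?(env['REMOTE_ADDR'])
    end
    @app.call(env)
  end

  private

  # REMOTE_ADDR is the socket peer address filled in by the server.
  # Client-supplied headers such as X-Forwarded-For are deliberately
  # ignored here, since any sender can set them.
  def upstream?(addr)
    return false if addr.nil? || addr.empty?
    ip = IPAddr.new(addr)
    @nets.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false # unparseable peer address: fail closed
  end
end

# config.ru usage (constructed addresses):
#   use UpstreamOnly, ["10.0.0.1", "192.168.5.0/24"]
#   use UpstreamOnly, ["10.0.0.1"], %w[POST PUT DELETE]   # guard writes only
```

As the reply notes, a firewall rule remains the cheaper place to drop traffic outright; a check like this is useful when the decision depends on the request method or path.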

