Manuel Valente <manuel.valente at gmail.com> wrote:
> Hi,
>
> It would be nice to be able to reject all incoming requests to
> unicorn if they do not originate from our upstream http server.
>
> An additional parameter to the listen statement is perhaps the best
> way to achieve this :
>
> server.listen(addr, :tries => -1, :delay => 5, :backlog => 128,
> :upstream => '10.0.0.1')
>
> This param could be a string or an array of IP addresses.
iptables (or whatever firewall module that comes with your OS)
is far more efficient than anything in userspace for rejecting
IPs entirely.
You can also do this in middleware by checking env["REMOTE_ADDR"].
I'll sometimes do something like this to reject certain HTTP
methods (POST/PUT/DELETE), but let GET/HEAD requests through:
# totally untested code for Rack middleware:
class Rejector
  # Rack instantiates middleware with Klass.new(app, *args), so the
  # constructor has to be #initialize, not #new
  def initialize(app, bad_ips)
    @bad_ips = bad_ips   # anything answering #include?(ip_string)
    @app = app
  end

  def call(env)
    case env["REQUEST_METHOD"]
    when "POST", "DELETE", "PUT"
      # REMOTE_ADDR is the TCP peer address as seen by the server
      if @bad_ips.include?(env["REMOTE_ADDR"])
        return [ 403, { "Content-Type" => "text/plain" }, [] ]
      end
    end
    @app.call(env)
  end
end
---------- config.ru --------------
require 'set'
require_relative 'rejector'   # rejector.rb sits next to config.ru
# Set.new wants an Enumerable, so wrap the address in an Array
use Rejector, Set.new(["10.0.0.1"])
run YourApp.new
Instead of Set, you can also check out rpatricia for netmasks:
http://www.goto.info.waseda.ac.jp/~tatsuya/rpatricia/
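The following is an added example, not code from the thread above or from
unicorn itself. It turns the middleware idea around to match the original
request (accept only traffic from the upstream proxy) and uses the stdlib
`ipaddr` library for CIDR matching instead of a Set of strings. The class
name UpstreamOnly, the `methods:` option and the constructed env hashes in
the demo are all assumptions made for this example.

```ruby
require 'ipaddr'

# Hypothetical Rack middleware (example code, not from the thread):
# let a request through only when env["REMOTE_ADDR"] falls inside one of
# the given CIDR ranges. REMOTE_ADDR is the TCP peer address the server
# itself observed; it is deliberately used instead of X-Forwarded-For,
# which any client can set to whatever it likes.
class UpstreamOnly
  # allowed_cidrs: array of strings such as "10.0.0.1" or "10.0.0.0/8"
  # methods: nil to gate every request, or an array of method names to
  #          gate only those (e.g. %w[POST PUT DELETE]) like Rejector above
  def initialize(app, allowed_cidrs, methods: nil)
    @app = app
    @allowed = allowed_cidrs.map { |cidr| IPAddr.new(cidr) }
    @methods = methods
  end

  # true if remote_addr lies inside one of the allowed ranges.
  # Unparseable or missing addresses are treated as not allowed.
  def allowed?(remote_addr)
    return false if remote_addr.nil? || remote_addr.empty?
    ip = IPAddr.new(remote_addr)
    # a dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
    # fold those back to IPv4 so they match IPv4 ranges
    ip = ip.native if ip.ipv4_mapped?
    @allowed.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end

  def call(env)
    gated = @methods.nil? || @methods.include?(env["REQUEST_METHOD"])
    if gated && !allowed?(env["REMOTE_ADDR"])
      return [403, { "Content-Type" => "text/plain" }, ["Forbidden\n"]]
    end
    @app.call(env)
  end
end

# Demo with constructed env hashes (no real sockets involved):
if __FILE__ == $0
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  mw  = UpstreamOnly.new(app, ["10.0.0.1", "127.0.0.1"])
  puts mw.call("REQUEST_METHOD" => "GET", "REMOTE_ADDR" => "10.0.0.1")[0]
  # a spoofed header does not help when the peer is wrong
  puts mw.call("REQUEST_METHOD" => "GET", "REMOTE_ADDR" => "192.0.2.9",
               "HTTP_X_FORWARDED_FOR" => "10.0.0.1")[0]
end
```

In config.ru this would be `use UpstreamOnly, ["10.0.0.1"]` (the proxy's
address) before `run`. It still only saves the application from handling
the request; the connection has already been accepted, so the iptables
rule mentioned above remains the cheaper place to drop unwanted peers.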