[ruby on rails]rack-cors, rack-attack

gem 'rack-attack'
gem 'rack-cors'

1. rack-attack 可以根据ip、域名等设置黑名单、设置访问频率

• 设置黑名单

# 新增 config/initializers/rack_attack.rb
# 请求referer如果匹配不上设置的allowed_origins，返回403 forbidden
Rack::Attack.blocklist('block bad domains') do |req|next if !req.path.start_with?('/admin_api/') || Rails.env.test?Rails.application.credentials.allowed_origins.none? { |r| Regexp.new(r) =~ req.referer }
end# EDITOR="vim" bin/rails credentials:edit
allowed_origins:- api.xxx.net- localhost

• 设置访问频率

class Rack::Attack# Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: "...")Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new# key: "rack::attack:#{Time.now.to_i/:period}:public_data/ip:#{req.ip}"throttle('public_data/ip', limit: 2, period: 1.minutes) do |req|req.ip if req.path.start_with?('/pc/v1/public_data')endself.throttled_responder = lambda do |_env|[429, # status{}, # headers['throttling, retry later']] # bodyend
end

2. rack-cors 可以根据域名、访问方法、资源设置跨域请求cors

# config/initializers/cors.rbRails.application.config.middleware.insert_before 0, Rack::Cors doallow doorigins '*'resource '*', headers: :any, methods: [:get, :post, :put, :patch, :delete, :options, :head],end
end

• 复杂一些

Rails.application.config.middleware.insert_before 0, Rack::Cors doallow doorigins 'localhost:3000', '127.0.0.1:3000',/\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/# regular expressions can be used hereresource '/file/list_all/', :headers => 'x-domain-token'resource '/file/at/*',methods: [:get, :post, :delete, :put, :patch, :options, :head],headers: 'x-domain-token',expose: ['Some-Custom-Response-Header'],max_age: 600# headers to exposeendallow doorigins '*'resource '/public/*', headers: :any, methods: :get# Only allow a request for a specific hostresource '/api/v1/*',headers: :any,methods: :get,if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }end
end