Rack Attack with black-listed IP's still letting those IPs in on Heroku

[Trimakas]

I've blacklisted a specific IP, setup the rack-attack.rb file in my initializers, and updated my application.rb file. And I still am getting the following mess at around 30x a second.

This is what I see in my logs:

sql_error_code = 28000 time_ms = "2022-10-06 18:21:48.978 UTC" pid="1383002" proc_start_time="2022-10-06 18:21:48 UTC" session_id="633f1cbc.151a5a" vtid="33/5627855" tid="0" log_line="2" database="postgres" connection_source="193.138.218.250(36648)" user="postgres" application_name="[unknown]" FATAL:  no pg_hba.conf entry for host "193.138.218.250", user "postgres", database "postgres", SSL off

But my rack_attack.rb which is in config/initializers looks like this:

class Rack::Attack

  throttle('req/ip', limit: 300, period: 5.minutes) do |req|
    req.ip unless req.path.start_with?('/assets')
  end

  throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
    if req.path == '/login' && req.post?
      req.ip
    end
  end

  throttle('logins/email', limit: 5, period: 20.seconds) do |req|
    if req.path == '/login' && req.post?
      req.params['email'].to_s.downcase.gsub(/\s+/, "").presence
    end
  end

  Rack::Attack.blocklist_ip("193.138.218.250")
  Rack::Attack.blocklist_ip("152.89.196.211")
end

And then I added this to my application.rb file

require_relative 'boot'

require 'rails/all'

Bundler.require(*Rails.groups)

module Shipping
  class Application < Rails::Application
    config.load_defaults 6.0
    config.hosts.clear
    config.action_cable.mount_path = '/api/cable'
    config.action_dispatch.cookies_same_site_protection = nil
    config.cache_store = :redis_cache_store, { url: ENV["REDIS_URL"] }
    config.middleware.use Rack::Attack
  end
end

And this is all running in production on Heroku, What do you all think?

[maniSHarma7575]

Same problem I am also getting? Which version of rails and redis version you are using ?

[maniSHarma7575]

@Trimakas did you able to figure out this?

[dentarg]

You can't really know the correct IP address of the client on Heroku, they do pass along it in the X-Forwarded-For header, but the list of IPs is easily manipulated by the client: https://stackoverflow.com/a/74540033/525616

[danielwestendorf]

I ran into this problem as well, and was able to sort it out. I could trigger a block in one browser, but then open up a different browser on the same machine only to find that I had access. It may be a similar problem for future lookers.

I blindly copied the puma.rb from this document thinking there wouldn't be any obvious downsides... I was wrong. https://devcenter.heroku.com/articles/deploying-rails-applications-with-the-puma-web-server

I highlighted the offending line. Rack Attack stops seeing your "real" IP and starts seeing the locally bound IPv6 address instead (i.e. ::ffff:10.1.88.244).

-- port(ENV['PORT'] || 3000, "::")
++ port(ENV['PORT'] || 3000)

Hopefully this helps someone!