[ruby on rails]rack-cors, rack-attack

ruby 复制代码
gem 'rack-attack'
gem 'rack-cors'

1. rack-attack 可以根据ip、域名等设置黑名单、设置访问频率

  • 设置黑名单
ruby 复制代码
# 新增 config/initializers/rack_attack.rb
# 请求referer如果匹配不上设置的allowed_origins,返回403 forbidden
Rack::Attack.blocklist('block bad domains') do |req|
  next if !req.path.start_with?('/admin_api/') || Rails.env.test?

  Rails.application.credentials.allowed_origins.none? { |r| Regexp.new(r) =~ req.referer }
end

# EDITOR="vim" bin/rails credentials:edit
allowed_origins:
  - api.xxx.net
  - localhost
  • 设置访问频率
ruby 复制代码
class Rack::Attack
  # Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: "...")
  Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  # key: "rack::attack:#{Time.now.to_i/:period}:public_data/ip:#{req.ip}"
  throttle('public_data/ip', limit: 2, period: 1.minutes) do |req|
    req.ip if req.path.start_with?('/pc/v1/public_data')
  end

  self.throttled_responder = lambda do |_env|
    [429, # status
     {}, # headers
     ['throttling, retry later']] # body
  end
end

2. rack-cors 可以根据域名、访问方法、资源设置跨域请求cors

ruby 复制代码
# config/initializers/cors.rb

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', headers: :any, methods: [:get, :post, :put, :patch, :delete, :options, :head],
  end
end
  • 复杂一些
ruby 复制代码
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'localhost:3000', '127.0.0.1:3000',
            /\Ahttp:\/\/192\.168\.0\.\d{1,3}(:\d+)?\z/
            # regular expressions can be used here

    resource '/file/list_all/', :headers => 'x-domain-token'
    resource '/file/at/*',
        methods: [:get, :post, :delete, :put, :patch, :options, :head],
        headers: 'x-domain-token',
        expose: ['Some-Custom-Response-Header'],
        max_age: 600
        # headers to expose
  end

  allow do
    origins '*'
    resource '/public/*', headers: :any, methods: :get

    # Only allow a request for a specific host
    resource '/api/v1/*',
        headers: :any,
        methods: :get,
        if: proc { |env| env['HTTP_HOST'] == 'api.example.com' }
  end
end
相关推荐
HuiSoul2009 分钟前
Spring MVC
java·后端·spring mvc
Flobby52940 分钟前
Go 语言中的结构体、切片与映射:构建高效数据模型的基石
开发语言·后端·golang
摇滚侠2 小时前
面试实战 问题二十四 Spring 框架中循环依赖问题的解决方法
java·后端·spring
GetcharZp3 小时前
C++日志库新纪元:为什么说spdlog是现代C++开发者必备神器?
c++·后端
三木水4 小时前
Spring-rabbit使用实战七
java·分布式·后端·spring·消息队列·java-rabbitmq·java-activemq
快乐就是哈哈哈4 小时前
一篇文章带你玩转 EasyExcel(Java Excel 报表必学)
后端
快乐就是哈哈哈4 小时前
手把手教你用 Java 写出贪吃蛇小游戏(附源码)
后端
别来无恙1494 小时前
Spring Boot文件下载功能实现详解
java·spring boot·后端·数据导出
公众号_醉鱼Java5 小时前
Elasticsearch文档数迷思:为何count和stats结果打架?深度解析背后机制
后端·掘金·金石计划
程序员爱钓鱼5 小时前
Go语言实战案例:使用Gin处理路由参数和查询参数
后端