Fix custom domains (#318)

* Configure trusted proxies * Fix tenant signup route not working * Use HTTP_X_FORWARDED_HOST if present * Update reserved subdomains
2025-12-15 11:17:49 +01:00 · 2024-03-24 18:06:36 +01:00
parent d17b45c5c4
commit b63956a173
5 changed files with 16 additions and 8 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,6 +20,7 @@ class ApplicationController < ActionController::Base

    def load_tenant_data
      current_tenant = get_tenant_from_request(request)
+      return unless current_tenant

      if current_tenant.status == "pending" and controller_name != "confirmation" and action_name != "show"
        redirect_to pending_tenant_path; return
@@ -29,7 +30,6 @@ class ApplicationController < ActionController::Base
        redirect_to blocked_tenant_path; return
      end

-      return unless current_tenant
      Current.tenant = current_tenant

      # Load tenant data
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -52,15 +52,16 @@ module ApplicationHelper

  def get_tenant_from_request(request)
    if Rails.application.multi_tenancy?
-      request_host_splitted = request.host.split('.')
+      request_host = request.headers['HTTP_X_FORWARDED_HOST'] || request.host
+      request_host_splitted = request_host.split('.')
      app_host_splitted = URI.parse(Rails.application.base_url).host.split('.')

      if app_host_splitted.join('.') == request_host_splitted.last(app_host_splitted.length).join('.')
-        return if request.subdomain.blank? or RESERVED_SUBDOMAINS.include?(request.subdomain)
+        return nil if request.subdomain.blank? or RESERVED_SUBDOMAINS.include?(request.subdomain)

        tenant = Tenant.find_by(subdomain: request.subdomain)
      else
-        tenant = Tenant.find_by(custom_domain: request.host)
+        tenant = Tenant.find_by(custom_domain: request_host)
      end
    else
      tenant = Tenant.first
--- a/config/application.rb
+++ b/config/application.rb
@@ -16,6 +16,12 @@ module App
    # -- all .rb files in that directory are automatically loaded after loading
    # the framework and any gems in your application.

+    # If configured, add trusted proxy to the list of trusted proxies
+    config.middleware.insert_after ActionDispatch::RemoteIp, Rack::Attack
+    if ENV["TRUSTED_PROXY"]
+      config.action_dispatch.trusted_proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES + [IPAddr.new(ENV["TRUSTED_PROXY"])]
+    end
+
    def base_url
      ENV["BASE_URL"]
    end
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -13,7 +13,7 @@ class Rack::Attack
  #
  # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
  throttle('req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip # unless req.path.start_with?('/assets')
+    req.get_header("action_dispatch.remote_ip") # unless req.path.start_with?('/assets')
  end

  ### Prevent Brute-Force Login Attacks ###
@@ -30,7 +30,7 @@ class Rack::Attack
  # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
  throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
    if req.path == '/users/sign_in' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
    end
  end

@@ -53,7 +53,7 @@ class Rack::Attack
  # Throttle POST requests to /tenants by IP address
  throttle('tenant_signups/ip', limit: 5, period: 20.seconds) do |req|
    if req.path == '/tenants' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
    end
  end

--- a/config/initializers/reserved_subdomains.rb
+++ b/config/initializers/reserved_subdomains.rb
@@ -9,5 +9,6 @@ RESERVED_SUBDOMAINS = [
  'admin',
  'logs',
  'dashboard',
-  'analytics'
+  'analytics',
+  'cname'
 ]