Fix custom domains (#318)

* Configure trusted proxies
* Fix tenant signup route not working
* Use HTTP_X_FORWARDED_HOST if present
* Update reserved subdomains

config/application.rb

@@ -16,6 +16,12 @@ module App
     # -- all .rb files in that directory are automatically loaded after loading
     # the framework and any gems in your application.
 
+    # If configured, add trusted proxy to the list of trusted proxies
+    config.middleware.insert_after ActionDispatch::RemoteIp, Rack::Attack
+    if ENV["TRUSTED_PROXY"]
+      config.action_dispatch.trusted_proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES + [IPAddr.new(ENV["TRUSTED_PROXY"])]
+    end
+
     def base_url
       ENV["BASE_URL"]
     end

config/initializers/rack_attack.rb

@@ -13,7 +13,7 @@ class Rack::Attack
   #
   # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
   throttle('req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip # unless req.path.start_with?('/assets')
+    req.get_header("action_dispatch.remote_ip") # unless req.path.start_with?('/assets')
   end
 
   ### Prevent Brute-Force Login Attacks ###
@@ -30,7 +30,7 @@ class Rack::Attack
   # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
   throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
     if req.path == '/users/sign_in' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
     end
   end
 
@@ -53,7 +53,7 @@ class Rack::Attack
   # Throttle POST requests to /tenants by IP address
   throttle('tenant_signups/ip', limit: 5, period: 20.seconds) do |req|
     if req.path == '/tenants' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
     end
   end
 

config/initializers/reserved_subdomains.rb

@@ -9,5 +9,6 @@ RESERVED_SUBDOMAINS = [
   'admin',
   'logs',
   'dashboard',
-  'analytics'
+  'analytics',
+  'cname'
 ]