Fix custom domains (#318)

* Configure trusted proxies
* Fix tenant signup route not working
* Use HTTP_X_FORWARDED_HOST if present
* Update reserved subdomains

app/controllers/application_controller.rb

@@ -20,6 +20,7 @@ class ApplicationController < ActionController::Base
 
     def load_tenant_data
       current_tenant = get_tenant_from_request(request)
+      return unless current_tenant
 
       if current_tenant.status == "pending" and controller_name != "confirmation" and action_name != "show"
         redirect_to pending_tenant_path; return
@@ -29,7 +30,6 @@ class ApplicationController < ActionController::Base
         redirect_to blocked_tenant_path; return
       end
 
-      return unless current_tenant
       Current.tenant = current_tenant
 
       # Load tenant data

app/helpers/application_helper.rb

@@ -52,15 +52,16 @@ module ApplicationHelper
 
   def get_tenant_from_request(request)
     if Rails.application.multi_tenancy?
-      request_host_splitted = request.host.split('.')
+      request_host = request.headers['HTTP_X_FORWARDED_HOST'] || request.host
+      request_host_splitted = request_host.split('.')
       app_host_splitted = URI.parse(Rails.application.base_url).host.split('.')
 
       if app_host_splitted.join('.') == request_host_splitted.last(app_host_splitted.length).join('.')
-        return if request.subdomain.blank? or RESERVED_SUBDOMAINS.include?(request.subdomain)
+        return nil if request.subdomain.blank? or RESERVED_SUBDOMAINS.include?(request.subdomain)
 
         tenant = Tenant.find_by(subdomain: request.subdomain)
       else
-        tenant = Tenant.find_by(custom_domain: request.host)
+        tenant = Tenant.find_by(custom_domain: request_host)
       end
     else
       tenant = Tenant.first

config/application.rb

@@ -16,6 +16,12 @@ module App
     # -- all .rb files in that directory are automatically loaded after loading
     # the framework and any gems in your application.
 
+    # If configured, add trusted proxy to the list of trusted proxies
+    config.middleware.insert_after ActionDispatch::RemoteIp, Rack::Attack
+    if ENV["TRUSTED_PROXY"]
+      config.action_dispatch.trusted_proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES + [IPAddr.new(ENV["TRUSTED_PROXY"])]
+    end
+
     def base_url
       ENV["BASE_URL"]
     end

config/initializers/rack_attack.rb

@@ -13,7 +13,7 @@ class Rack::Attack
   #
   # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
   throttle('req/ip', limit: 300, period: 5.minutes) do |req|
-    req.ip # unless req.path.start_with?('/assets')
+    req.get_header("action_dispatch.remote_ip") # unless req.path.start_with?('/assets')
   end
 
   ### Prevent Brute-Force Login Attacks ###
@@ -30,7 +30,7 @@ class Rack::Attack
   # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
   throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
     if req.path == '/users/sign_in' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
     end
   end
 
@@ -53,7 +53,7 @@ class Rack::Attack
   # Throttle POST requests to /tenants by IP address
   throttle('tenant_signups/ip', limit: 5, period: 20.seconds) do |req|
     if req.path == '/tenants' && req.post?
-      req.ip
+      req.get_header("action_dispatch.remote_ip")
     end
   end
 

config/initializers/reserved_subdomains.rb

@@ -9,5 +9,6 @@ RESERVED_SUBDOMAINS = [
   'admin',
   'logs',
   'dashboard',
-  'analytics'
+  'analytics',
+  'cname'
 ]