ruby-on-rails – Port-forwarding a Rails app in Docker seems to cause CSRF exceptions


I have a Rails app running in a Docker container that has been assigned the IP 172.17.0.3. Incoming requests to the host 51.x.x.x are forwarded to the Rails app at 172.17.0.3. More specifically, this is done like so:

docker run -p 8080:8080 rails_app

However, the Rails app throws a "Can't verify CSRF token authenticity" error when a user tries to access certain pages. I suspect Rails thinks the incoming request is an attack because the destination IP does not match the Rails app's IP, i.e. the user's request is directed at the host 51.x.x.x while Rails actually lives at 172.17.0.3.

Is there any way for me to tell Rails that these requests are legitimate? As additional information, I use devise for authentication and unicorn as the server.

Some of you may suggest changing protect_from_forgery with: :exception to with: :null_session, but the app works fine when it is not placed behind a proxy. Also, when I change that part some logic stops working, because I think that setting confuses how user sessions are handled.

Here is my network layout:

(user from public network) ----> (proxy) ----> (rails app on a private network)
        (202.x.x.x)            (51.x.x.x)               (172.x.x.x)

Edit:
The app is in a development setup. Here is the error I get in the log/development.log file.

Started POST "/register" for 202.x.x.x at 2014-11-18 02:27:11 +0000
Processing by UsersController#create as HTML
  Parameters: {"utf8"=>"✓","authenticity_token"=>"aBG3nIAKK1ALMJ1DDYFlMkmqISMBMZc3iLmaeD2byG8=","user"=>{"email"=>"email@gmail.com","password"=>"[FILTERED]","password_confirmation"=>"[FILTERED]"}}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 2ms

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:176:in `handle_unverified_request'
  actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:202:in `handle_unverified_request'
  devise (3.4.0) lib/devise/controllers/helpers.rb:251:in `handle_unverified_request'
  actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:197:in `verify_authenticity_token'
  activesupport (4.1.4) lib/active_support/callbacks.rb:424:in `block in make_lambda'
  activesupport (4.1.4) lib/active_support/callbacks.rb:160:in `call'
  activesupport (4.1.4) lib/active_support/callbacks.rb:160:in `block in halting'
  activesupport (4.1.4) lib/active_support/callbacks.rb:166:in `call'
  activesupport (4.1.4) lib/active_support/callbacks.rb:166:in `block in halting'
  activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `call'
  activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
  activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `call'
  activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
  activesupport (4.1.4) lib/active_support/callbacks.rb:86:in `run_callbacks'
  actionpack (4.1.4) lib/abstract_controller/callbacks.rb:19:in `process_action'
  actionpack (4.1.4) lib/action_controller/Metal/rescue.rb:29:in `process_action'
  actionpack (4.1.4) lib/action_controller/Metal/instrumentation.rb:31:in `block in process_action'
  activesupport (4.1.4) lib/active_support/notifications.rb:159:in `block in instrument'
  activesupport (4.1.4) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (4.1.4) lib/active_support/notifications.rb:159:in `instrument'
  actionpack (4.1.4) lib/action_controller/Metal/instrumentation.rb:30:in `process_action'
  actionpack (4.1.4) lib/action_controller/Metal/params_wrapper.rb:250:in `process_action'
  activerecord (4.1.4) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (4.1.4) lib/abstract_controller/base.rb:136:in `process'
  actionview (4.1.4) lib/action_view/rendering.rb:30:in `process'
  actionpack (4.1.4) lib/action_controller/Metal.rb:196:in `dispatch'
  actionpack (4.1.4) lib/action_controller/Metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.1.4) lib/action_controller/Metal.rb:232:in `block in action'
  actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:82:in `call'
  actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:82:in `dispatch'
  actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:50:in `call'
  actionpack (4.1.4) lib/action_dispatch/routing/mapper.rb:45:in `call'
  actionpack (4.1.4) lib/action_dispatch/journey/router.rb:71:in `block in call'
  actionpack (4.1.4) lib/action_dispatch/journey/router.rb:59:in `each'
  actionpack (4.1.4) lib/action_dispatch/journey/router.rb:59:in `call'
  actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:678:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.3) lib/warden/manager.rb:34:in `catch'
  warden (1.2.3) lib/warden/manager.rb:34:in `call'
  rack (1.5.2) lib/rack/etag.rb:23:in `call'
  rack (1.5.2) lib/rack/conditionalget.rb:35:in `call'
  rack (1.5.2) lib/rack/head.rb:11:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/flash.rb:254:in `call'
  rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.1.4) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.1.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:621:in `call'
  activerecord (4.1.4) lib/active_record/migration.rb:380:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.1.4) lib/active_support/callbacks.rb:82:in `run_callbacks'
  actionpack (4.1.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.1.4) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.1.4) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.1.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.1.4) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.1.4) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.1.4) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
  rack (1.5.2) lib/rack/runtime.rb:17:in `call'
  activesupport (4.1.4) lib/active_support/cache/strategy/local_cache_middleware.rb:26:in `call'
  rack (1.5.2) lib/rack/lock.rb:17:in `call'
  actionpack (4.1.4) lib/action_dispatch/middleware/static.rb:64:in `call'
  rack-cors (0.2.9) lib/rack/cors.rb:54:in `call'
  rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
  railties (4.1.4) lib/rails/engine.rb:514:in `call'
  railties (4.1.4) lib/rails/application.rb:144:in `call'
  rack (1.5.2) lib/rack/lint.rb:49:in `_call'
  rack (1.5.2) lib/rack/lint.rb:37:in `call'
  rack (1.5.2) lib/rack/showexceptions.rb:24:in `call'
  rack (1.5.2) lib/rack/commonlogger.rb:33:in `call'
  sinatra (1.4.5) lib/sinatra/base.rb:217:in `call'
  rack (1.5.2) lib/rack/chunked.rb:43:in `call'
  rack (1.5.2) lib/rack/content_length.rb:14:in `call'
  unicorn (4.8.3) lib/unicorn/http_server.rb:576:in `process_client'
  unicorn (4.8.3) lib/unicorn/http_server.rb:670:in `worker_loop'
  unicorn (4.8.3) lib/unicorn/http_server.rb:525:in `spawn_missing_workers'
  unicorn (4.8.3) lib/unicorn/http_server.rb:140:in `start'
  unicorn (4.8.3) bin/unicorn:126:in `required)>'
Best answer
From a cursory reading of the protect_from_forgery method, we find the following

  def protect_from_forgery(options = {})
    self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
    self.request_forgery_protection_token ||= :authenticity_token
    prepend_before_action :verify_authenticity_token, options
    append_after_action :verify_same_origin_request
  end

in which there is a before-action callback named verify_authenticity_token. If we look at its source, we find the following

  def verify_authenticity_token
    mark_for_same_origin_verification!

    if !verified_request?
      logger.warn "Can't verify CSRF token authenticity" if logger
      handle_unverified_request
    end
  end

From there we notice that it calls verified_request?.

  def verified_request?
    !protect_against_forgery? || request.get? || request.head? ||
      form_authenticity_token == params[request_forgery_protection_token] ||
      form_authenticity_token == request.headers['X-CSRF-Token']
  end

Given the nature of the exception raised, I think one or more of these conditions is not being met. I don't think it has anything to do with IP addressing.
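To make the answer's point concrete, here is an added example (not Rails' own code and not from either poster) that models the verified_request? clauses quoted above on plain Hash "requests" and reports which clause, if any, admits a request. The session store, the ForgeryCheck class and the three constructed requests are assumptions for illustration; the failure case shows how a lost session cookie, rather than the client or host IP, makes the form token stop matching.

```ruby
require 'securerandom'

# Constructed model of the Rails 4.1 check quoted in the answer (added example,
# not Rails' implementation). A request is a Hash with :method, :session,
# :params and :headers keys.
class ForgeryCheck
  TOKEN_PARAM = :authenticity_token # stands in for request_forgery_protection_token

  def initialize(protect: true)
    @protect = protect # stands in for protect_against_forgery?
  end

  # Mirrors verified_request?: pass if protection is off, the verb is safe, or
  # the token carried in the form params or X-CSRF-Token header equals the
  # token stored in the session.
  def verified_request?(req)
    !@protect ||
      %w[GET HEAD].include?(req[:method]) ||
      form_authenticity_token(req) == req.fetch(:params, {})[TOKEN_PARAM] ||
      form_authenticity_token(req) == req.fetch(:headers, {})['X-CSRF-Token']
  end

  # Session-backed token. An empty session (cookie never sent back) mints a
  # fresh token that cannot equal the one rendered into an earlier form.
  def form_authenticity_token(req)
    (req[:session] ||= {})[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Diagnostic: evaluates each clause of verified_request? separately so a
  # defender can see why a request was rejected. Returns clause => boolean.
  def explain(req)
    session_token = form_authenticity_token(req)
    {
      protection_disabled: !@protect,
      safe_method: %w[GET HEAD].include?(req[:method]),
      param_token_match: session_token == req.fetch(:params, {})[TOKEN_PARAM],
      header_token_match: session_token == req.fetch(:headers, {})['X-CSRF-Token']
    }
  end
end

# Three constructed requests: the GET that renders the form and seeds the
# session token, a POST from the same session, and a POST whose session
# cookie did not come back, which is the 422 seen in the log above.
def demo
  check = ForgeryCheck.new
  session = {}
  get_form = { method: 'GET', session: session }
  token = check.form_authenticity_token(get_form)
  good_post = { method: 'POST', session: session, params: { authenticity_token: token } }
  lost_session = { method: 'POST', session: {}, params: { authenticity_token: token } }
  [get_form, good_post, lost_session].map { |r| check.verified_request?(r) }
end
```

Running demo returns [true, true, false]; explain on the third request shows every clause false, which is the situation the answer describes.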
