date:20161206

Re: Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Steve Button

That's right, we just want to restrict admin access to a few of our egress 
addresses which get exposed to the internet from inside the company or VPN. 

I'm not convinced that IP spoofing is "dead simple" and most people would 
not know which address(es) they needed to spoof anyway.

This would prevent a casual attacker from attempting. 

I will take a look at Rack::Attack

Thanks,

Steve

On Tuesday, 6 December 2016 13:01:39 UTC, Jason FB wrote:
>
> I'm sorry you are right... I had meant Rack::Attack not Rack::Timeout, I 
> confused the two in my head. You are right I was referring to Rack::Attack
>
> If a known administrator has a fixed IP address, I disagree that "IP based 
> security generally adds no real world actual security"
>
> Perhaps you are saying this in the context of *IP blocking*, which I 
> agree offers little help in a world where it is easy for someone to switch 
> IPs after they are blacklisted.
>
> However, the original question was to whitelist (not blacklist) an *known 
> IP* address for a *known user*. This seems like a highly appropriate 
> security whitelisting strategy and is widely used across the internet. 
>
> (Blacklisting bad actors, on the other hand, is indeed a cat & mouse game 
> that probably won't work out too well.)
>
>
>
>
> On Dec 6, 2016, at 7:28 AM, Neil Middleton  > wrote:
>
> Sorry - but this is incorrect.
>
> Rack-timeout only ensures that requests that are hitting a predefined 
> service time are killed off rather than being allowed to run on consuming 
> resources.  At the very minimum Rack Timeout should be installed with a 
> setting of 30s, the same time that the Heroku router will kill a request 
> with an H12 error.
>
> If you're wanting any sort of DDoS protection and so on, then Rack::Attack 
> is the one to go for.
>
> However, like I said earlier - IP based security generally adds no real 
> world actual security.
>
>
> 
>
> Jason Fleetwood-Boldt
> te...@datatravels.com 
> http://www.jasonfleetwoodboldt.com/writing
>
> If you'd like to reply by encrypted email you can find my public key on 
> jasonfleetwoodboldt.com (more about setting GPG: https://gpgtools.org)  
>
>

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Jason Fleetwood-Boldt

I'm sorry you are right... I had meant Rack::Attack not Rack::Timeout, I 
confused the two in my head. You are right I was referring to Rack::Attack

If a known administrator has a fixed IP address, I disagree that "IP based 
security generally adds no real world actual security"

Perhaps you are saying this in the context of IP blocking, which I agree offers 
little help in a world where it is easy for someone to switch IPs after they 
are blacklisted.

However, the original question was to whitelist (not blacklist) an known IP 
address for a known user. This seems like a highly appropriate security 
whitelisting strategy and is widely used across the internet. 

(Blacklisting bad actors, on the other hand, is indeed a cat & mouse game that 
probably won't work out too well.)




> On Dec 6, 2016, at 7:28 AM, Neil Middleton  wrote:
> 
> Sorry - but this is incorrect.
> 
> Rack-timeout only ensures that requests that are hitting a predefined service 
> time are killed off rather than being allowed to run on consuming resources.  
> At the very minimum Rack Timeout should be installed with a setting of 30s, 
> the same time that the Heroku router will kill a request with an H12 error.
> 
> If you're wanting any sort of DDoS protection and so on, then Rack::Attack is 
> the one to go for.
> 
> However, like I said earlier - IP based security generally adds no real world 
> actual security.



Jason Fleetwood-Boldt
t...@datatravels.com
http://www.jasonfleetwoodboldt.com/writing

If you'd like to reply by encrypted email you can find my public key on 
jasonfleetwoodboldt.com  (more about setting 
GPG: https://gpgtools.org) 

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Neil Middleton

Sorry - but this is incorrect.

Rack-timeout only ensures that requests that are hitting a predefined
service time are killed off rather than being allowed to run on consuming
resources.  At the very minimum Rack Timeout should be installed with a
setting of 30s, the same time that the Heroku router will kill a request
with an H12 error.

If you're wanting any sort of DDoS protection and so on, then Rack::Attack
is the one to go for.

However, like I said earlier - IP based security generally adds no real
world actual security.

On Tue, Dec 6, 2016 at 12:13 PM Jason Fleetwood-Boldt 
wrote:

I recommend this great gem for this task, which also serves a double
> purpose of fending off DDOS attacks (which every app should have installed)
>
> https://github.com/heroku/rack-timeout
>
> Using rack-timeout you can set up pretty much any Rack-level restrictions
> you want, including a restriction for a specific part of the app to be
> available only to a whitelisted set of IPs
>

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Jason Fleetwood-Boldt


There really isn't such a thing as "IP spoofing." This SO post discusses the 
matter: 
http://stackoverflow.com/questions/12736872/can-someone-spoof-an-ip-address-to-any-number


On Heroku, there is indeed a special consideration for IP address: they do not 
behave the way normal Rails apps do. Instead, you'll want to examine this:

request.headers['X-Forwarded-For']

I recommend this great gem for this task, which also serves a double purpose of 
fending off DDOS attacks (which every app should have installed)

https://github.com/heroku/rack-timeout

Using rack-timeout you can set up pretty much any Rack-level restrictions you 
want, including a restriction for a specific part of the app to be available 
only to a whitelisted set of IPs




> On Dec 6, 2016, at 5:34 AM, Neil Middleton  wrote:
> 
> This is something you need to do within your app.  There's nothing that does 
> this at the platform level.
> Saying that though, IP spoofing is dead easy so I would question the merit of 
> doing this at all.
> 
> On Tue, 6 Dec 2016, 10:31 Steve Button,  > wrote:
> Hi, 
> 
> Been trying to google for this for a while, and nothing recent + nothing 
> seems to actually answer the question.
> 
> We have a /admin area within our site, which we would like to restrict to a 
> certain range of IP addresses (or list of IPs). 
> 
> Can this be achieved easily within Heroku?
> 
> Thanks,
> 
> 
> -- 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Heroku" group.
>  
> To unsubscribe from this group, send email to
> heroku+unsubscr...@googlegroups.com 
> 
> For more options, visit this group at
> http://groups.google.com/group/heroku?hl=en_US?hl=en 
> 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Heroku Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to heroku+unsubscr...@googlegroups.com 
> .
> For more options, visit https://groups.google.com/d/optout 
> .
> 
> -- 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Heroku" group.
>  
> To unsubscribe from this group, send email to
> heroku+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/heroku?hl=en_US?hl=en 
> 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Heroku Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to heroku+unsubscr...@googlegroups.com 
> .
> For more options, visit https://groups.google.com/d/optout 
> .



Jason Fleetwood-Boldt
t...@datatravels.com
http://www.jasonfleetwoodboldt.com/writing

If you'd like to reply by encrypted email you can find my public key on 
jasonfleetwoodboldt.com  (more about setting 
GPG: https://gpgtools.org) 

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Neil Middleton

This is something you need to do within your app.  There's nothing that
does this at the platform level.

Saying that though, IP spoofing is dead easy so I would question the merit
of doing this at all.

On Tue, 6 Dec 2016, 10:31 Steve Button,  wrote:

> Hi,
>
> Been trying to google for this for a while, and nothing recent + nothing
> seems to actually answer the question.
>
> We have a /admin area within our site, which we would like to restrict to
> a certain range of IP addresses (or list of IPs).
>
> Can this be achieved easily within Heroku?
>
> Thanks,
>
> --
> --
> You received this message because you are subscribed to the Google
> Groups "Heroku" group.
>
> To unsubscribe from this group, send email to
> heroku+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/heroku?hl=en_US?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups
> "Heroku Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to heroku+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Restrict certain URLs to certain IP addresses or ranges.

2016-12-06 Thread Steve Button

Hi, 

Been trying to google for this for a while, and nothing recent + nothing 
seems to actually answer the question.

We have a /admin area within our site, which we would like to restrict to a 
certain range of IP addresses (or list of IPs). 

Can this be achieved easily within Heroku?

Thanks,

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Heroku" group.

To unsubscribe from this group, send email to
heroku+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/heroku?hl=en_US?hl=en

--- 
You received this message because you are subscribed to the Google Groups 
"Heroku Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to heroku+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Restrict certain URLs to certain IP addresses or ranges.

Re: Restrict certain URLs to certain IP addresses or ranges.

Re: Restrict certain URLs to certain IP addresses or ranges.

Re: Restrict certain URLs to certain IP addresses or ranges.

Re: Restrict certain URLs to certain IP addresses or ranges.

Restrict certain URLs to certain IP addresses or ranges.

6 matches

Site Navigation

Mail list logo

Footer information