I am using the web_console gem and I would like to add some IPs to the whitelist. For reasons that would probably go too far to explain, I can't simply add something to config/application.rb or config/environments/development.rb. However, I can create an initializer in config/initializers/.
I simply tried this in config/initializers/99-webconsole.rb, but while the file is loaded (--> debug message is shown), the web console does not seem to pick up my settings.
Rails.application.configure do
  config.web_console.whitelisted_ips = '10.10.0.0/16'
  p "Debug: this is loaded."
end
I assume it's related to some kind of race condition? Providing the same line in config/environments/development.rb works, but as said, I sadly can not change that file.
Based on this code https://github.com/rails/web-console/blob/e3dcf4c588af526eafcf1ce9413e62d846599538/lib/web_console/railtie.rb#L59
Maybe there is code in your initializer that is configuring config.web_console.permissions, so your whitelisted_ips config is ignored.
whitelisted_ips is also deprecated.
And have you checked that you are using v4.2.0? The permissions were buggy and were fixed by this commit: https://github.com/rails/web-console/commit/6336c89385b58e88b2661ea3dc42fe28651d6296
I needed the new function in ActiveStorage to resize_to_fill so I upgraded to Ruby 2.5.1 and Rails 6.
ruby '2.5.1'
gem "rails", github: "rails/rails"
When I stopped, then restarted my server (Cloud 9), I received the below Rails error:
Blocked host: xxxxxxx-xxxxxxx.c9users.io
To allow requests to xxxxxxx-xxxxxxx.c9users.io, add the following configuration:
Rails.application.config.hosts << "xxxxxxx-xxxxxxx.c9users.io"
I've tried restarting, new windows, but nothing worked. I've never seen this error before. I'm guessing the new version of Rails is doing something?
The Blocked Host is a new feature of Rails 6. You can add this pattern to your config/environments/development.rb so you don't have to worry about it with dynamic URLs:
config.hosts << /[a-z0-9]+\.c9users\.io/
Also, for ngrok users, just replace c9users above with ngrok.
Update: ngrok is currently using - and . in the subdomain of their URLs, so this should be accurate: config.hosts << /[a-z0-9-.]+\.ngrok\.io/
Source: https://github.com/MikeRogers0/puma-ngrok-tunnel
If you want to disable this functionality on your development environment, you can add config.hosts.clear to config/environments/development.rb.
Add this line to config/environments/development.rb
config.hosts << /.*\.ngrok\.io/
Restart your rails server and it will work
This article worked for me:
The first option is to whitelist the hostnames in config/environments/development.rb:
Rails.application.configure do
  config.hosts << "hostname" # Whitelist one hostname
  config.hosts << /application\.local\Z/ # Whitelist a test domain
end
The second option is to clear the entire whitelist, which lets through requests for all hostnames:
Rails.application.configure do
  config.hosts.clear
end
Credit goes to Manfred Stienstra.
To allow requests from any subdomain of ngrok.io (or other service), the simplest solution is to prepend it with . like so:
# config/environments/development.rb
Rails.application.configure do
  ...
  config.hosts << '.ngrok.io'
end
No need to use a regexp for subdomains like mentioned in some other answers.
PS: don't disable this functionality by doing config.hosts.clear as mentioned in some other answers, as this defeats the purpose of Rails' DNS rebinding protection, and under the right circumstances an outside attacker could gain full access to your local Rails app information (source).
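Added example (not part of any answer above, and not Rails' own code): a stand-alone Ruby model of how the different allowlist styles behave. It assumes strings are matched whole, a leading dot also admits subdomains, regexps are anchored to the full Host value, and an empty list allows everything; ports and IPAddr entries are left out, and all host names are constructed.

```ruby
# Stand-alone model of host allowlist matching (assumption, not Rails code):
# strings match case-insensitively, a leading "." also admits subdomains,
# regexps are anchored to the whole Host value, an empty list allows everything.
def compile_entry(entry)
  case entry
  when Regexp
    /\A#{entry}\z/
  when String
    if entry.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(entry[1..-1])}\z/i
    else
      /\A#{Regexp.escape(entry)}\z/i
    end
  else
    entry # e.g. a Proc, compared with ===
  end
end

def host_allowed?(allowlist, host)
  entries = Array(allowlist).map { |e| compile_entry(e) }
  return true if entries.empty? # what `config.hosts.clear` leaves behind
  entries.any? { |e| e === host }
end

# Constructed Host header values: two tunnel names and two attacker-chosen ones.
SAMPLE_HOSTS = %w[abc123.ngrok.io ngrok.io abc123.ngrok.io.attacker.example foo-ngrok-io].freeze

# Allowlists modelled on the answers on this page, plus an unescaped-dot variant.
ALLOWLISTS = {
  "leading dot"    => [".ngrok.io"],
  "escaped regexp" => [/[a-z0-9.-]+\.ngrok\.io/],
  "unescaped dots" => [/[a-z0-9.-]+.ngrok.io/],
  "cleared"        => []
}.freeze

# Returns, per allowlist, the sample hosts it would let through.
def audit
  ALLOWLISTS.transform_values do |list|
    SAMPLE_HOSTS.select { |h| host_allowed?(list, h) }
  end
end

audit.each { |name, hosts| puts "#{name}: #{hosts.join(', ')}" } if __FILE__ == $PROGRAM_NAME
```

The cleared list accepts every sample host, including the attacker-chosen ones, and the unescaped-dot pattern accepts foo-ngrok-io, which the escaped pattern and the leading-dot string both reject.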
In Rails 6, Action Pack introduced ActionDispatch::HostAuthorization, which by default allows only [IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"].
You can add arrays of RegExp, Proc, IPAddr and String or a single String in the file config/application.rb like this:
class Application < Rails::Application
  config.hosts << "xxxxxxx-xxxxxxx.c9users.io"
  ...
end
From "https://drivy.engineering/rails-6-unnoticed-features":
Rails 6 added a new middleware called
ActionDispatch::HostAuthorization allowing you to whitelist some hosts
for your application and preventing Host header attacks. You can
easily configure it with a String, IPAddr, Proc and RegExp (useful
when dealing with wildcard domains).
I added Rails.application.config.hosts << "xxxxxxx-xxxxxxx.c9users.io" to config/application.rb and it fixed my test app fine. Then I did it to my real app and it also worked. The problem is, Devise threw an error as well, which apparently won't be fixed until at least Rails 6 beta. I guess I'm going back to Carrierwave for my image sizing needs until ActiveStorage is more mature.
In Rails 6, when you want to allow hosts from ngrok v2.3.40, add this config to config/environments/development.rb:
config.hosts << /[a-z0-9\-]+\.ap\.ngrok\.io/
Restart server and enjoy
Add this line to config/environments/development.rb
config.hosts << /.+\.ngrok\.io:\d+/
Most of the responses I see are missing the port part of the URL. If you are accessing this URL in a specific port (typically :3000) the :\d+ part of the regular expression is necessary.
It will work after restarting your server.
config.hosts = nil
Use this in development.rb and restart your Rails server. It works for me, it will work.
HEADS UP : You may whitelist your host with the config application.config.hosts << 'your_unvalid_host_name' but still have the error.
The error message is currently not accurate in this case. See this issue.
You should not use hostname with underscore.
NB: The application.config.hosts.clear is working in this case.
In order to support hyphens in the ngrok subdomain name and region, you need to change config.hosts in config/environments/development.rb to /[a-z0-9.-]+\.ngrok\.io/
Example:
config.hosts = (config.hosts rescue []) << /[a-z0-9.-]+\.ngrok\.io/
First run ngrok 3000 in one of the terminals, then open a new terminal and run rails s... then you can see that ngrok and rails s can both run simultaneously...
What is the domain attribute in the Rails.application.configure do block?
Currently I have,
Rails.application.configure do
  config.domain = 'www.my-site.com'
end
I couldn't find an explanation from Google, and it seems like everything works the same if I remove it.
Does it have a specific purpose?
This is not a standard Rails config; it was probably set by another dev. Check for occurrences of config.domain in the code and you will probably understand what it does.
I'd guess it is used at least in config/environments/production.rb as the default host for e-mail.
Having server issues with an app in Rails 5.0.0.beta2 trying to use ActionCable.
Using localhost:3000 works fine, as that is what most of ActionCable defaults to. But if I try to run the rails server on port 3001, it gives me Request origin not allowed: http://localhost:3001
The ActionCable docs mention using something like ActionCable.server.config.allowed_request_origins = ['http://localhost:3001'] which does work for me if I put it in config.ru
But that seems like a really weird place to put it. I feel like it should be able to go in an initializer file, or my development.rb environment config file.
To further prove my point that it should be allowed to go in there, the setting ActionCable.server.config.disable_request_forgery_protection = true works to ignore request origin, even when I include it in development.rb.
Why would ActionCable.server.config.disable_request_forgery_protection work in development.rb, but ActionCable.server.config.allowed_request_origins doesn't (but does work in config.ru)?
Not a pressing issue, since I have several options as a work around. I just want to know if I'm missing something obvious about how I imagine this should be working.
You can put
Rails.application.config.action_cable.allowed_request_origins = ['http://localhost:3001'] in your development.rb
See https://github.com/rails/rails/tree/master/actioncable#allowed-request-origins for more information.
For my Flutter app, the request origin was nil. So I needed to add nil to the list.
I have added this code in config/environments/development.rb, and it works!
config.action_cable.allowed_request_origins = [/http:\/\/*/, /https:\/\/*/, /file:\/\/*/, 'file://', nil]
From this answer, you can also add the following code to config/environments/development.rb to allow requests from both http and https:
Rails.application.configure do
  # ...
  config.action_cable.allowed_request_origins = [%r{https?://\S+}]
end
config.action_cable.allowed_request_origins accepts an array of strings or regular expressions as the documentation states:
Action Cable will only accept requests from specified origins, which
are passed to the server config as an array. The origins can be
instances of strings or regular expressions, against which a check for
the match will be performed.
The regex listed below will match both http and https urls from any domain so be careful when using them. It is just a matter of preference which one to use.
[%r{https?://\S+}] # Taken from this answer
[%r{http[s]?://\S+}]
[%r{http://*}, %r{https://*}]
[/http:\/\/*/, /https:\/\/*/]
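Added example (not from the answers or from Rails): a stand-alone Ruby model of the origin check, showing what the catch-all patterns above accept compared with an anchored allowlist. It assumes each entry is compared with `entry === origin`; the app.example and attacker.example names and the UNANCHORED/ANCHORED lists are constructed for illustration.

```ruby
# Model of the origin allowlist check. Assumption: an entry accepts the Origin
# header when `entry === origin`, so a String must be equal and a Regexp only
# has to match somewhere in the value unless it is anchored.
def origin_allowed?(allowed_origins, origin)
  Array(allowed_origins).any? { |entry| entry === origin }
end

# Patterns quoted in the answers above.
CATCH_ALL  = [%r{https?://\S+}].freeze
SLASH_STAR = [/http:\/\/*/, /https:\/\/*/].freeze

# Constructed allowlists for a hypothetical app served from app.example.
UNANCHORED = [%r{https://app\.example}].freeze
ANCHORED   = ["http://localhost:3001",
              %r{\Ahttps://([a-z0-9-]+\.)?app\.example\z}].freeze

# Constructed Origin header values.
ORIGINS = [
  "http://localhost:3001",
  "https://ws.app.example",
  "https://app.example.attacker.example",
  "https://attacker.example"
].freeze

# Returns the sample origins a given allowlist would accept.
def accepted_by(allowed_origins)
  ORIGINS.select { |o| origin_allowed?(allowed_origins, o) }
end

if __FILE__ == $PROGRAM_NAME
  { "catch-all" => CATCH_ALL, "slash-star" => SLASH_STAR,
    "unanchored" => UNANCHORED, "anchored" => ANCHORED }.each do |name, list|
    puts "#{name}: #{accepted_by(list).inspect}"
  end
end
```

In this model the unanchored pattern accepts https://app.example.attacker.example while rejecting the legitimate https://ws.app.example, which is why the anchored form uses \A and \z.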
I just deployed one of my apps to Heroku. This app uses:
A default "myapp.herokuapp.com" address,
And I got a domain configured so that the app can be reached through "www.myapp.com".
And I noticed today the following issue: my application links are based on the "http://myapp.herokuapp.com" domain (hence I get "http://myapp.herokuapp.com/page" URLs) even when I access the app using my domain name (I would then expect to get "www.myapp.com/page" URLs).
I tried to edit my production.rb and set the default_url_options:
# Base domain for url generation
config.action_controller.default_url_options = { :host => "www.myapp.com" }
But it doesn't change a thing. Also tried to change this in application.rb, just in case, but nothing happens either.
Any clue?
Thanks a lot for your help guys!
Edit: This used to work as expected before today when I did the database migration to the new Heroku postgres thing. Don't know if this can have any impact.
If you're using _path methods for your urls, this is generating a relative path which is always based on the url you visit. If you're using controller/fragment caching, you should probably use _url instead in your views. You might also want to consider setting config.action_controller.perform_caching to false in your production.rb if all your pages have some controller logic.
See this page for more info on how caching works in Rails.
I had a similar problem. It was caused by the following line of code which was pointing to heroku.com and getting redirected to herokuapp.com
config.action_mailer.default_url_options = { :host => 'my-staging-domain.heroku.com' }
I mention it because it's the action_mailer.default_url_options yet clearly it affects the default url options outside of the scope of the mailer if you haven't explicitly set up the action_controller.default_url_options