I am running a Ruby on Rails application on Heroku and my database is in someother place where it will be accessed with certain whitelisted IP's only but since heroku doesn't provide dynamic IP's I thought of using proximo.
Please help me how to connect to remote database with proximo from heroku.
We had a difficult time achieving this (we ended up whitelisting every domain)
IP's
The problem is Dyno's are hosted on AWS' EC2 cloud - meaning they aren't actually Heroku's servers. This causes a lot of problems, as the IPs are all shrouded & change:
Because the Heroku dyno grid is dynamic in nature, the IP address that
a given dyno will be assigned over time will be both dynamic and
unpredictable. This dynamic sourcing of outbound traffic can make it
difficult to integrate with APIs or make connections through firewalls
that require IP-based whitelisting
After seeing the proximo addon, you may be able to achieve what you need using a static IP
Proximo
According to the proximo tutorial on Heroku's site, you should be able to install the add-on & receive your outbound IP relatively simply:
$ heroku addons:add proximo:development
Adding proximo to sharp-mountain-4005⦠done, v18 ($5/mo)
Your static IP address is 127.0.0.1
You should then be able to use this on your db host - to allow the IP
No ruby database adapters natively support proxy connections so for database access you need to proxy your calls via a SOCKS proxy. A SOCKS wrapper script to do this is available as part of our QuotaGuard Static Heroku add-on.
You configure this by prepending the call to the wrapper script in your Procfile so should work with minimal integration.
web: bin/qgsocksify bundle exec unicorn -p $PORT -c ./config/unicorn.rb
By default this wrapper routes all outbound TCP traffic via the proxy but there is additional configuration available to limit this to just your database traffic.
A workaround is to whitelist all IP adresses from your SQL database provider admin interface:
You can do this by whitelisting 0.0.0.0/0. (In Google Cloud SQL, you can do this under "authorized networks")
If you do so, it is highly recommended to configure your connection to use SSL and to only allow SSL connections to your database.
You can configure NGINX as your reverse proxy to allow your Heroku app to connect to the IP address(which is your NGINX server and whitelisted), the reverse proxy will connect to the DB.
https://stackoverflow.com/a/27874505/1345865
http://blog.talenox.com/post/107675614745/how-to-setup-static-ip-on-heroku
Related
I have ssh'd into my rasberry pi and built a rails application.
Now how do I load the rails app from another machine?
I have tried IP:port in a web browser, but this fails.
Can I use ssh from a web browser to load the rails server process?
Are there gems I need to install to do this?
Is there any good documentation that I have missed?
SOLUTION
use ngrok to tunnel https://medium.com/#karimbutt/using-ngrok-to-create-a-publicly-accessible-web-facing-raspberry-pi-server-35deef8c816a#.sraso7zar
Maybe the problem is with the IP address you're trying to use. Servers don't necessarily forward their public IP traffic to localhost automatically.
Perhaps you could configure the IP address somehow, I don't know (others might?). Alternatively, you have a use a "local tunnel" service like ngrok or localtunnel. What these do is create a public URL for your localhost (i.e. your "loopback" address), so anyone can access it.
I spoke with a Ngrok author via email. He ensured me that I shouldn't need to expect any downtime from the service or to have to manually restart it. Although keep in mind that if you're on the free plan, whenever you restart Ngrok you're going to get a different URL. He also described it as kind of like a "souped up SSH -R"
I have a rails 3.2 app running on Heroku which needs to proxy requests to an external API from a static IP address. Since Heroku doesn't offer elastic IPs, and Proximo is too expensive and limiting for the number of requests I need to make, I set up a simple forward proxy on an AWS EC2 micro instance in US-East using mod proxy.
I can proxy requests from my app's local environment just fine. However, requests from heroku time out. My thinking is that, since I can proxy from my local environment, the point of failure must be the connection between Heroku and my Proxy box. I've tried the answer given here: Security settings between ec2 and heroku but it didn't work. I've even tried allowing all inbound access on port 80 (even though that's terrible for the internet).
So, my question is, what are the security settings that I should enable for my ec2 instance in order to allow Heroku to proxy through it?
Heroku dynos are all running on machines within Amazon EC2 us-east-1 data center. They do not have any restrictions/firewalls on outgoing connections.
As long as you have the proper Security Group settings to allow the connections from your dynos to your own EC2 instance, you should be good.
It sounds like you haven't correctly opened up access from within us-east-1 to your instance. Double check your security group.
Information on how to edit the correct security group:
Check what security group you are using for your instance. See value
of Security Groups column in row of your instance. It's important -
I changed rules for default group, but my instance was under
quickstart-1 group when I had similar issue.
Go to Security Groups tab, go to Inbound tab, select HTTP in Create
a new rule combo-box, leave 0.0.0.0/0 in source field and click Add
Rule, then Apply rule changes.
I am trying to get client ip in Rails 3.
Application is installed in cloud hosting, with SSL, and nginx server.
I wrote some code to get client ip.
request.remote_ip
request.env['HTTP_X_FORWARDED_FOR']
But it returns wrong address, like '10.159.21.86'
Is there any issue related Nginx server, or SSL installation?
def remote_ip
#remote_ip ||= (#env["action_dispatch.remote_ip"] || ip).to_s
end
request.remote_ip gets the ip address of the client outside of local proxies but If your request is coming from your development machine and the development machine is where your server is, probably you will get 127.0.0.1 or wrong ip But if the request is coming from another machine, this will be the IP the remote machine. However, under various conditions this may not be the real IP of the machine (machine behind proxy, using tor or other tool to hide it e.t.c.). so you can also try:-
request.env['REMOTE_ADDR']
You should visit this post written by rails contributor describing Repeated headers and Ruby web servers
I believe the issue you have is the same described in the following Engine Yard support request: HAProxy, SSL Requests & Request IP Addresses.
Apparently there is a workaround, but you are supposed to contact them directly to know what it is.
The docs team is working on formal documentation, for the short term, please open a ticket and a support engineer can help out.
If you're using SSL with HAProxy (the default configuration for multi-instance environments) then it will not be able to pull the remote IP due to the hand-off from HAProxy to Nginx. We have a solution that uses stunnel to get around this but since all SSL decryption is done on the App Master instance, if you have more than about five instances then performance will suffer.
The other option is to use Elastic Load Balancer instead of HAProxy. The documentation for that is at https://support.cloud.engineyard.com/entries/21715452-Use-Elastic-Load-Balancing-with-Engine-Yard-Cloud.
Evan
I have two heroku apps accessing the same Redis database. I need to make sure only these two servers can access it.
Normally, I can do this by setting firewall through IP. However, Heroku uses dyno system, and does not have fixed IP for servers.
I found proximo addon, which can be used to set an IP for each of my apps. But I would like to know if there is a simpler solution for this issue.
You don't have any control or guarantee about the servers running your application on Heroku or their IP addresses.
You should use a secondary authentication mechanism, like redis's built in auth scheme for connections to authenticate the incoming request.
This is the mechanism most of the hosted redis providers on Heroku use (RedisToGo, OpenRedis, etc).
Is it possible to make requests for example with Savon through something like ssh-tunnel. I can run this stuff from my stage server whose IP is whitelisted in the service I'm sending requests to. But of course I want to do the development on my computer :P so is there any option to do that? I've already tried savon's proxy: option in many combinations such as
proxy: "http://name:password#my_stage_server.com"
etc. I'm using Ruby on Rails.
SSH tunnels are the way to go. They are easy to set up, use this in one terminal session:
ssh -L 8080:servicehost:80 myuser#stagingserver
Once established, leave it open. It'll open port 8080 on your localhost as a tunnel to the TCP service at host:443. Point savon to http://localhost:8080/some/url/to/service to access the service running on http://servicehost/some/url/to/service.
If you need this frequently, it's convenient to add it to your ssh config file, which is located at ~/.ssh/config. It's a plain text file, the example above would look like this:
Host staging
HostName hostname.domain
LocalForward 8080 servicehost:80
User myuser
With this configuration you can open the tunnel by simply issuing ssh staging. There are more options you could set, please refer to the MAN page for details.
Hostname resolution
Keep in mind that the hostname servicehost must be resolvable from your staging server, not your development machine. You can use IP addresses, too.