Move TrackTrueClientIp middleware into saas engine (#2677)

The True-Client-IP header is set by Cloudflare and is only trustworthy
when behind a Cloudflare proxy. In non-Cloudflare deployments, this
header is attacker-controlled and can be used to spoof IP addresses.

Moving the middleware into the saas engine ensures it only loads for our
Cloudflare-fronted production deployment, not for self-hosted OSS
instances.

GHSA-cpch-9qg2-x8fq
This commit is contained in:
Mike Dalessio
2026-03-09 15:14:17 -04:00
committed by GitHub
parent 723c8180b4
commit b6ea558de8
3 changed files with 5 additions and 2 deletions
-24
View File
@@ -1,24 +0,0 @@
#
# Cloudflare sets a True-Client-IP header, which for most 37signals apps gets copied to
# X-Forwarded-For by an iRule on the F5 load balancers:
#
# https://github.com/basecamp/f5-tf/blob/1543f7bfa3961a79e397f80cf041d75567f1b2f8/ams-base/iRules/manage_x_forwarded.tcl
#
# However, for Fizzy the F5s are configured to do passthrough, so the header value isn't being
# copied for us. Let's do that bit of work here, before Rails' RemoteIp middleware.
#
class TrackTrueClientIp
def initialize(app)
@app = app
end
def call(env)
if env["HTTP_TRUE_CLIENT_IP"].present?
env["HTTP_X_FORWARDED_FOR"] = env["HTTP_TRUE_CLIENT_IP"]
end
@app.call(env)
end
end
Rails.application.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp