diff --git a/.buildpacks b/.buildpacks index 476f00b3e80..3a458c9402e 100644 --- a/.buildpacks +++ b/.buildpacks @@ -1,5 +1,5 @@ https://github.com/Starkast/heroku-buildpack-cmake#a243c67 https://github.com/emk/heroku-buildpack-rust#578d630 https://codon-buildpacks.s3.amazonaws.com/buildpacks/heroku/emberjs.tgz -https://github.com/travis-ci/nginx-buildpack.git#2fbde35 +https://github.com/heroku/heroku-buildpack-nginx.git#fbc49cd https://github.com/sgrif/heroku-buildpack-diesel#f605edd diff --git a/app/templates/policies.hbs b/app/templates/policies.hbs index 63ab418e7ae..c6025d666af 100644 --- a/app/templates/policies.hbs +++ b/app/templates/policies.hbs @@ -25,6 +25,12 @@ them. If necessary, the team may reach out to inactive maintainers and help mediate the process of ownership transfer.

+

+Using an automated tool to claim ownership of a large number of package names
+is not permitted. We reserve the right to block traffic or revoke ownership
+of any package we determine to have been claimed by an automated tool.
+

+

Removal

diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb index d10e5d586b6..95a52a34209 100644 --- a/config/nginx.conf.erb +++ b/config/nginx.conf.erb @@ -9,6 +9,11 @@ events { } http { + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 127.0.0.0/24; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + gzip on; gzip_comp_level 2; gzip_proxied any; @@ -28,6 +33,8 @@ http { client_body_timeout 30; client_max_body_size 50m; + limit_req_zone $remote_addr zone=publish:10m rate=1r/m; + upstream app_server { server localhost:8888 fail_timeout=0; } @@ -38,22 +45,30 @@ http { keepalive_timeout 5; location ~ ^/assets/ { - add_header Strict-Transport-Security "max-age=31536000" always; add_header X-Content-Type-Options nosniff; add_header Cache-Control public; root dist; expires max; } + add_header Strict-Transport-Security "max-age=31536000" always; + add_header Vary 'Accept, Accept-Encoding, Cookie'; + proxy_set_header Host $http_host; + proxy_set_header X-Real-Ip $remote_addr; + proxy_redirect off; + if ($http_x_forwarded_proto != 'https') { + rewrite ^ https://$host$request_uri? permanent; + } + location / { - add_header Strict-Transport-Security "max-age=31536000" always; - add_header Vary 'Accept, Accept-Encoding, Cookie'; - proxy_set_header Host $http_host; - proxy_redirect off; - if ($http_x_forwarded_proto != 'https') { - rewrite ^ https://$host$request_uri? permanent; - } proxy_pass http://app_server; } + + location ~ ^/api/v./crates/new$ { + proxy_pass http://app_server; + + limit_req zone=publish burst=10 nodelay; + limit_req_status 429; + } } } diff --git a/src/middleware/block_ips.rs b/src/middleware/block_ips.rs index 442ed3093e1..91914c28187 100644 --- a/src/middleware/block_ips.rs +++ b/src/middleware/block_ips.rs 
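Review bot: The `set_real_ip_from 10.0.0.0/8` / `real_ip_recursive on` block in the first hunk treats every address in 10/8 as a trusted proxy, so any host in that range that can reach nginx directly can choose its own `$remote_addr` by supplying an `X-Forwarded-For` header, and that chosen value is what now keys `limit_req_zone $remote_addr` and fills the `X-Real-Ip` header the block-list middleware reads. Whether that is acceptable depends on the platform router's actual source range, which is not visible here; narrowing the CIDR to that range, or documenting why 10/8 is required, would make the trust boundary explicit. The opposite failure is worth noting too: if the router connects from an address outside the trusted ranges, `$remote_addr` stays the router's address and every publisher to `/api/v./crates/new` shares one 1r/m bucket. `127.0.0.0/24` also covers only part of loopback; if "anything local" is intended, `127.0.0.0/8` is the conventional form. I'd add a comment above the block such as `# Only the platform router should connect from these ranges; the rightmost untrusted X-Forwarded-For entry becomes $remote_addr`.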
@@ -29,10 +29,10 @@ impl Handler for BlockIps {
 fn call(&self, req: &mut dyn Request) -> Result> {
 let has_blocked_ip = req
 .headers()
- .find("X-Forwarded-For")
+ .find("X-Real-Ip")
 .unwrap()
 .iter()
- .any(|v| v.split(", ").any(|ip| self.ips.iter().any(|x| x == ip)));
+ .any(|ip| self.ips.iter().any(|v| v == ip));
 if has_blocked_ip {
 let body = format!(
 "We are unable to process your request at this time. \
diff --git a/src/middleware/log_request.rs b/src/middleware/log_request.rs
index 2958a224024..ed9b72abc1c 100644
--- a/src/middleware/log_request.rs
+++ b/src/middleware/log_request.rs
@@ -38,7 +38,7 @@ impl Handler for LogRequests {
 level = level,
 method = req.method(),
 path = FullPath(req),
- ip = request_header(req, "X-Forwarded-For"),
+ ip = request_header(req, "X-Real-Ip"),
 time_ms = response_time,
 user_agent = request_header(req, "User-Agent"),
 referer = request_header(req, "Referer"), // sic
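Review bot: The `.unwrap()` that follows the new `.find("X-Real-Ip")` is a panic path on a request header: any request that reaches this handler without passing through the `proxy_set_header X-Real-Ip $remote_addr` line added to nginx in the same commit (a local run, or a misconfigured proxy) will panic rather than be treated as unblocked. The old header had the same unwrap, but the commit now ties the middleware to a header that exists only because of a config file elsewhere, so this is the moment to make it tolerant, e.g. `let has_blocked_ip = req.headers().find("X-Real-Ip").map_or(false, |vals| vals.iter().any(|ip| self.ips.iter().any(|v| v == ip)));`. Dropping the `split(", ")` is right for a single-valued header that nginx overwrites, and a comment such as `// X-Real-Ip is set by the nginx layer from $remote_addr; a client-supplied value never reaches us` would record that assumption where the next reader needs it. The `log_request.rs` hunk relies on the same proxy-set header, and `fn call`'s body continues past the end of this hunk.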