Feature/per app access

CHANGELOG.md

@@ -6,6 +6,7 @@ This project makes use of the [Sementic Versioning](http://semver.org/)
 
 ### Added
 - Set the max db `pool` size via an ENV var called `DB_POOL_SIZE`
+- Ability to define per-app IP-address white and blacklists that may access the app.
 
 ## 2.5.0 - 2015-04-30
 

vendor/cookbooks/rails/libraries/default.rb

@@ -16,5 +16,16 @@ def nginx_custom_configuration(app_info)
 
       empty_conf.merge(app_info["nginx_custom"] || {})
     end
+
+    ##
+    # Create a rendered set of access and deny rules for nginx conf.
+    # Ensures we always have a string to render.
+    def nginx_access(app_info)
+      # Ensure we always have a hash, and dup to make it writable
+      access = app_info.fetch("access", {}).dup
+      access["allowed"] ||= []
+      access["denied"]  ||= []
+      access
+    end
   end
 end

vendor/cookbooks/rails/metadata.rb

@@ -4,7 +4,7 @@
 license          "MIT"
 description      "Installs/Configures rails"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "0.3.1"
+version          "0.4.1"
 depends "rbenv", "~> 1.7.1"
 depends "sudo", "> 1.2.0"
 depends "database"

vendor/cookbooks/rails/recipes/default.rb

@@ -119,7 +119,8 @@
         redirect_domain_names: app_info["redirect_domain_names"],
         client_max_body_size: app_info["client_max_body_size"],
         enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"),
-        custom_configuration: nginx_custom_configuration(app_info))
+        custom_configuration: nginx_custom_configuration(app_info),
+        access: nginx_access(app_info))
       notifies :reload, resources(service: "nginx")
     end
 

vendor/cookbooks/rails/recipes/passenger.rb

@@ -142,7 +142,8 @@
         redirect_domain_names: app_info["redirect_domain_names"],
         client_max_body_size: app_info["client_max_body_size"],
         enable_ssl: enable_ssl,
-        custom_configuration: nginx_custom_configuration(app_info))
+        custom_configuration: nginx_custom_configuration(app_info),
+        access: nginx_access(app_info))
       notifies :reload, resources(:service => "nginx")
     end
 

vendor/cookbooks/rails/templates/default/app_nginx.conf.erb

@@ -26,6 +26,7 @@ server {
     proxy_pass http://<%= @name %>;
     <%= @custom_configuration["server_app"] %>
   }
+  <%= render 'nginx/access.erb', variables: { access: @access } %>
   <%= @custom_configuration["server_main"] %>
 }
 
@@ -54,6 +55,7 @@ server {
     proxy_pass http://<%= @name %>;
     <%= @custom_configuration["ssl_app"] %>
   }
+  <%= render 'nginx/access.erb', variables: { access: @access } %>
   <%= @custom_configuration["ssl_main"] %>
 }
 

vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb

@@ -32,7 +32,7 @@ server {
   passenger_app_env <%= @rails_env %>;
 
   <%= "client_max_body_size #{@client_max_body_size};" if @client_max_body_size.to_i != 0 %>
-
+  <%= render 'nginx/access.erb', variables: { access: @access } %>
   <%= @custom_configuration["server_main"] %>
 }
 
@@ -54,8 +54,8 @@ server {
   <%= "client_max_body_size #{@client_max_body_size};" if @client_max_body_size.to_i != 0 %>
 
   server_name <%= @domain_names.join(' ') %>;
-
   root <%= node['rails']['applications_root'] %>/<%= @name %>/current/public;
+  <%= render 'nginx/access.erb', variables: { access: @access } %>
   <%= @custom_configuration["ssl_main"] %>
 }
 

vendor/cookbooks/rails/templates/default/nginx/access.erb

@@ -0,0 +1,9 @@
+<% @access["denied"].each do |denied_address| %>
+  deny <%= denied_address %>;
+<% end %>
+<% @access["allowed"].each do |allowed_address| %>
+  allow <%= allowed_address %>;
+<% end %>
+<% if @access["allowed"].any? %>
+  deny all;
+<% end %>