Attack prevented by Rack::Protection::HostAuthorization?!

Hello Fly Friends!

I just did a quick lil bundle update on a super simple Sinatra App that has been running without issue for a few months now. After the bundle update and deploy, it now only displays this when I hit the url:

Host not permitted

When I check the logs I see this:

WARN -- : attack prevented by Rack::Protection::HostAuthorization

But for the life of me, I can’t figure out how or why that started happening. I figured it could possibly be because of an upgrade to Sinatra, but I only went from 4.0.0 to 4.1.1, and I wouldn’t expect such a significant change from such a minor update.

I did not enable Rack::Protection in any way and I can’t figure out how to turn it off.

I have looked at many different resources including the Sinatra docs here:

None of my attempts at implementing a work around seem to work. I have tried this:

configure do
  disable :protection
end

That did not help, same error message.

I have tried this:

configure :production do
  use Rack::Protection::HostAuthorization, permitted_hosts: ["poopypants.net"]
end

That did not help, same error message.

And the weird thing is that the Sinatra docs make it seem like I would need to explicitly tell my application to use Rack::Protection to get this kind of functionality but nothing else has changed with my app. I literally just ran a bundle update on this Gemfile…

source 'https://rubygems.org'

ruby '3.3.0'

gem 'sinatra'
gem 'puma'
gem 'rackup'
gem 'poopypants'

Committed those changes, deployed, made no difference.

Then, in a moment of desperation I thought maybe I could upgrade my ruby version from 3.0.0 to 3.3.5, which worked just fine locally. But then when I tried to deploy that I keep getting this error:

 => ERROR [4/5] RUN bundle install                                                                                                        2.2s
------                                                                                                                                         
 > [4/5] RUN bundle install:                                                                                                                   
0.235 Bundler 2.5.3 is running, but your lockfile was generated with 2.5.23. Installing Bundler 2.5.23 and restarting using that version.      
1.431 Fetching gem metadata from https://rubygems.org/.                                                                                        
1.472 Fetching bundler 2.5.23                                                                                                                  
1.608 Installing bundler 2.5.23
2.125 Your Ruby version is 3.3.0, but your Gemfile specified 3.3.5
------
Error: failed to fetch an image or build from source: error building: failed to solve: process "/bin/sh -c bundle install" did not complete successfully: exit code: 18

Which is weird because I changed the value in my .ruby-version file and I changed the value in my Gemfile, but still Fly keeps saying “Your Ruby version is 3.3.0” and I can’t figure out how or why this is the case.

And at this point I am simply floundering, not sure what to make of any of this anymore. I was hoping to just do a simple minor bundle update and it has destroyed everything.

Thoughts?!?!?!

Since I spent most of the day troubleshooting this exact same issue, and failing at the exact same things you tried, I thought I’d share what worked for me. Setting environment to production, either through a variable (APP_ENV=production) or through configuration ( set :environment, :production) did the trick for me. There must be something that limits hostname to localhost regardless of other settings when in the default development environment.

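To make the behaviour in this thread reproducible without a running Sinatra app, here is a small added illustration (my own code, not rack-protection's or Sinatra's source) of what a host-authorization middleware does with a permitted_hosts list. The class name HostAllowlist, the DEV_DEFAULTS constant and the status_for helper are my own; the loopback-only default stands in for the development-mode behaviour Matt describes, and the env hashes are constructed by hand so it runs with plain Ruby and no gems installed.

```ruby
# Added illustration (not rack-protection's own source): a minimal Rack-style
# middleware that mirrors what Rack::Protection::HostAuthorization does with a
# permitted_hosts list. The check exists so a request carrying an unexpected
# Host header (e.g. from DNS rebinding against a dev server) is refused before
# it reaches the app.

class HostAllowlist
  # Stand-in for the development-mode default described in the thread:
  # only loopback names are accepted unless permitted_hosts is given.
  DEV_DEFAULTS = ['localhost', '127.0.0.1', '::1'].freeze

  def initialize(app, permitted_hosts: DEV_DEFAULTS)
    @app = app
    @permitted = permitted_hosts.map(&:downcase)
  end

  def call(env)
    host = request_host(env)
    return @app.call(env) if host && allowed?(host)

    warn "attack prevented by #{self.class.name}" # the log line seen in the thread
    [403, { 'content-type' => 'text/plain' }, ['Host not permitted']]
  end

  private

  # Prefer HTTP_HOST and fall back to SERVER_NAME; strip the port and any
  # trailing dot. IPv6 literals arrive bracketed, e.g. "[::1]:9292".
  def request_host(env)
    raw = env['HTTP_HOST'] || env['SERVER_NAME']
    return nil if raw.nil? || raw.empty?

    host = if raw.start_with?('[')
             raw[/\A\[([^\]]+)\]/, 1]
           else
             raw.split(':', 2).first
           end
    host&.downcase&.chomp('.')
  end

  # Exact match, or a ".example.com" entry that also matches any subdomain.
  def allowed?(host)
    @permitted.any? do |p|
      if p.start_with?('.')
        host == p[1..] || host.end_with?(p)
      else
        host == p
      end
    end
  end
end

# Tiny downstream app so the middleware can be exercised without rack installed.
HELLO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Returns the status code the stack produces for a given Host header value.
def status_for(host_header, permitted_hosts: HostAllowlist::DEV_DEFAULTS)
  app = HostAllowlist.new(HELLO_APP, permitted_hosts: permitted_hosts)
  env = { 'HTTP_HOST' => host_header, 'SERVER_NAME' => 'ignored' } # constructed request env
  app.call(env).first
end

if $PROGRAM_NAME == __FILE__
  # Loopback-only defaults: the deployed hostname is rejected (the thread's symptom).
  puts status_for('poopypants.net')                                              # 403
  puts status_for('localhost:4567')                                              # 200
  # With an explicit allowlist the deployed hostname (and its subdomains) pass.
  puts status_for('poopypants.net', permitted_hosts: ['poopypants.net'])         # 200
  puts status_for('app.poopypants.net', permitted_hosts: ['.poopypants.net'])    # 200
end
```

Run against the loopback-only default, a request whose Host is the public domain gets the same 403 "Host not permitted" and the same warning line the original post shows, while localhost passes; supplying the deployed hostname in the allowlist is what lets production traffic through, which is consistent with Matt's observation that the development environment pins the allowed hosts to localhost regardless of other settings.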

Matt! Thanks so much for the response!

I’ll give that a shot and report back. :pray:
