8

I am developing my first Rails 6 app, but when I try to serve it in the development environment behind my nginx server, I get this message:

Blocked host: localhost

I tried adding the configuration mentioned in the error in config/environments/development.rb and in config/application.rb but it didn't work.

I am using rails 6.0.0, ruby 2.6.5, nginx 1.10.3

If I go to http://localhost:3000 (the puma URL directly) it works fine. But I want to know why I am getting this error.

Alejo Dev

2 Answers

3

Host Authorization was added because of DNS rebinding attacks. Here are more details about it and also a link to a more detailed explanation.

Introduce ActionDispatch::HostAuthorization

Host Authorization is a new middleware that guards against DNS rebinding attacks by explicitly permitting the hosts a request can be sent to. More information about the attack itself is available in this Medium post and in Daniel Miessler's DNS Rebinding attack explained.

By default it's set for all Rails 6 applications and allows in development the following hosts: [IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"]. It supports arrays of RegExp, Proc, IPAddr and String or a single String in the configuration. What this means is that with Rails 6, we will need to explicitly set our domains in the environments configuration files.

More information is available at the HostAuthorization code and HostAuthorization tests.

Nezir
  • There is no config folder inside the app folder, but I understand what you tried to say. I already edited my question because I had tried adding it to config/environments/development.rb – Alejo Dev Oct 18 '19 at 20:19
  • Did you check this explanation? https://www.fngtps.com/2019/rails6-blocked-host/ – Nezir Oct 18 '19 at 20:22
  • Yes, I read that, but it says localhost is enabled by default, so I think there is a bug somewhere, but what do I know? I also don't want to disable host checking, I just want to know what's going on. Thank you – Alejo Dev Oct 18 '19 at 20:27
  • Here is also a question about it: https://github.com/thoughtbot/suspenders/issues/975 and also the Rails config.hosts implementation: https://github.com/rails/rails/blob/528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309/railties/lib/rails/application/default_middleware_stack.rb#L16 so you can check it a bit more; maybe you can find some logic. – Nezir Oct 18 '19 at 20:30
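The quoted text above says the host list accepts Regexp, Proc, IPAddr and String entries. The following is an added example, not part of the answer and not Rails' own implementation: a simplified matcher showing how a Host header would be checked against each entry type. The class name HostAllowlist, the EXTENDED entries and all sample host names are constructed for illustration.

```ruby
require "ipaddr"

# Simplified host allowlist covering the entry types the quoted text lists
# (Regexp, Proc, IPAddr, String). Illustration only, not Rails' middleware.
class HostAllowlist
  def initialize(entries)
    @entries = Array(entries)
  end

  # host_header: raw HTTP Host header value, e.g. "localhost:3000"
  def allowed?(host_header)
    host = strip_port(host_header.to_s.strip)
    return false if host.empty?
    @entries.any? { |entry| match?(entry, host) }
  end

  private

  # Drop an optional :port; unwrap bracketed IPv6 literals such as "[::1]:3000".
  def strip_port(value)
    return value[/\A\[([^\]]+)\]/, 1].to_s if value.start_with?("[")
    value.sub(/:\d+\z/, "")
  end

  def match?(entry, host)
    case entry
    when IPAddr then ip_match?(entry, host)
    when Regexp then entry.match?(host)
    when Proc   then !!entry.call(host)
    when String then entry.casecmp?(host)
    else false
    end
  end

  def ip_match?(range, host)
    range.include?(IPAddr.new(host))
  rescue IPAddr::Error
    false # host is a name, not an IP literal
  end
end

# Development defaults as quoted above: any IP literal, plus the name "localhost".
DEV_DEFAULTS = [IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"].freeze
# Constructed extra entries (hypothetical names) showing the Regexp and Proc forms.
EXTENDED = (DEV_DEFAULTS + [/\A[a-z0-9-]+\.dev\.test\z/, ->(h) { h == "myapp.internal" }]).freeze
%w(localhost:3000 127.0.0.1:3000 [::1]:3000 rebind.example.test myapp.internal).each do |h|
  puts format("%-22s defaults=%-5s extended=%s", h,
              HostAllowlist.new(DEV_DEFAULTS).allowed?(h), HostAllowlist.new(EXTENDED).allowed?(h))
end
```

With the quoted defaults, any IP literal passes but the only accepted name is localhost, so a name that merely resolves to a local address is rejected.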
3

It was an issue on the Rails side.

Upgrade to 6.0.4.4 or 6.1.4.4, as you can read in their blog post.

Rael Gugelmin Cunha