Is there any way to make a Rails / Rack application tell the web server to drop the connection
There are many security reasons why one would want to drop an HTTP connection with no response (e.g. OWASP's SSL best practices). When these can be detected at the server level then it's no big deal. However, what if you can only detect this condition at the application level?
Does Rails, or more generally Rack, have any standard way of telling the server to drop the connection without a response? If not, are there some standard headers to pass in that will accomplish that in common web servers (I'm thinking Nginx or Apache)? Even if there is not a standard header is there a reasonable way to configure that behavior? Is this a fool's errand?
Nginx has a mechanism for this. When you are returning a special status code 444 (it's non-standard), Nginx silently drops the connection. This happens only when you return this code from the Nginx config, i.e. like
    location = /drop {
        return 444;
    }
and you cannot return this status code from your application. The workaround is to return an X-Accel-Redirect: /drop header from the app to tell Nginx to use the /drop location for this request.
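The X-Accel-Redirect workaround from the answer above, written as Rack middleware. This is an added example, not part of the original answers: `DropConnection`, the `:drop` throw, the token check and the request data are assumptions made for illustration, and it presumes Nginx proxies to the app with the `location = /drop` block shown.

```ruby
# Added example, not from the original answers. DropConnection, :drop and the
# sample app are hypothetical names; the env hashes below are constructed.
class DropConnection
  DROP_LOCATION = "/drop" # must match the Nginx `location = /drop`

  def initialize(app, &should_drop)
    @app = app
    @should_drop = should_drop # optional check that runs before the app
  end

  def call(env)
    return drop_response if @should_drop&.call(env)

    # Code further down the stack can bail out with `throw :drop`.
    # catch returns nil in that case, otherwise the app's normal response.
    catch(:drop) { @app.call(env) } || drop_response
  end

  private

  def drop_response
    # Nginx ignores this status and body once it sees X-Accel-Redirect and
    # serves the internal location instead, where `return 444` closes the socket.
    [200, { "x-accel-redirect" => DROP_LOCATION, "content-length" => "0" }, []]
  end
end

# Sample Rack app: refuses a request only it can judge (here, a bad token).
SAMPLE_APP = lambda do |env|
  throw :drop if env["HTTP_X_API_TOKEN"] == "revoked"
  [200, { "content-type" => "text/plain" }, ["ok"]]
end

# Pre-check: sensitive path reached over plain HTTP, as reported by the proxy.
STACK = DropConnection.new(SAMPLE_APP) do |env|
  env["PATH_INFO"].start_with?("/account") &&
    env["HTTP_X_FORWARDED_PROTO"] != "https"
end

def request(path, headers = {})
  STACK.call({ "REQUEST_METHOD" => "GET", "PATH_INFO" => path }.merge(headers))
end

if $PROGRAM_NAME == __FILE__
  p request("/", "HTTP_X_FORWARDED_PROTO" => "https")        # normal response
  p request("/account", "HTTP_X_FORWARDED_PROTO" => "http")  # dropped by pre-check
  p request("/", "HTTP_X_API_TOKEN" => "revoked")            # dropped by the app
end
```

Adding Nginx's `internal;` directive to the `/drop` location keeps it reachable only through internal redirects such as this one.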
I could be wrong but I don't think Rack or Rails provide a way to drop a connection. I think the closest might be something like "render :nothing => true". But even that ironically sends something (a single space, apparently to avoid a Safari bug...) but at least it's terminating the request rather than redirecting (having the client initiate a new request) as the OWASP warns against.
    class TestController < ApplicationController
      def nothing
        render :nothing => true
      end
    end

    >> app.get('test/nothing')
    => 200
    >> app.response.body
    => " "
I hope that helps.
Would you please elaborate on what you mean by "dropping a connection"? If sending back headers with whatever response code you want (Moved, Unauthorized, Not Found) is okay - you already got the answer (render :nothing, or :head). You can add :status => some_status.
If you mean dropping the connection at the TCP/IP level, as firewalls do, well that's another thing. I doubt this is possible. And I don't think it's advisable (if possible).
And on the page you posted a link to, "dropping connection" is used as a synonym for refusing the HTTPS connection - it means rendering some response with status Unauthorized or something like that.