Better errors works with localhost but not ngrok

[illegalnumbers]

Not sure on other proxying services, but when I throw an exception in my application and load the page using localhost:3000 better errors loads as expected. When I do the same in ngrok however I don't see the better errors page, I just see the standard Rails error page. Not sure what I'm doing wrong to configure that or why that would be occurring in the first place.

[joryhatton]

👍

I'm using a Procfile and utilizing Foreman and Forward. I'm still seeing the standard error pages as well.

[manafire]

I encountered the same issue so I added a feature that allows for domain specification. Use it by adding this to your development.rb:

BetterErrors::Middleware.allow_domain! ENV['trusted_domain'] if ENV['trusted_domain']

trusted_domain is specified when you start the server: trusted_domain=my_address.ngrok.io rails s, (where my_address is whatever ngrok subdomain you have, of course) or you can use something like Figaro and specify it in a application.yml file like I do.

I'll submit a pull request but for now, you'll have to modify your Gemfile to point to my fork:

group :development do
  gem 'better_errors', git: 'git@github.com:manafire/better_errors.git', branch: 'allow_domain'
end

[illegalnumbers]

That's awesome! Great content for a pull request. I'm jealous that I didn't do it first!

[Katee]

Apologies for reviving an old issue.

Are you sure this is something you want to do? It is putting a lot of trust in @inconshreveable (the creator of ngrok), possibly anyone on your local wifi (depending on the specifics of the network you are on/if you are using a VPN/etc), any machine your DNS request pass through to get the IP for ngrok, and likely others.

Domain information (whatever.ngrok.com) is not really secret, even if you use the HTTPS ngrok url the subdomain is leaked because DNS requests are usually unencrypted and the domain is included as the server name indicator for TLS.

If the ngrok subdomain is known to an attacker and you have better_errors running and the attacker can trigger an error in your app they would be able to do anything as the user who is running your server. Unless you run your server as a unprivileged user (good idea) or have it running in a VM (also great) this means an attacker can do things your account can do (view/edit your files, install programs, anything).

Seems 🔥 really bad 🔥 for little to no upside.

[themgt]

So I think really what's wrong here is the README doc which says:

Tip: You can find your apparent IP by hitting the old error page's "Show env dump" and looking at "REMOTE_ADDR".

This confused me because with a tunnel service, the REMOTE_ADDR is still 127.0.0.1. In fact the better_errors Middleware is using request.ip, which has a more complex definition such that your forwarded address is what gets set: http://stackoverflow.com/questions/10997005/whats-the-difference-between-request-remote-ip-and-request-ip-in-rails

Anyway, the solution I came up with is in my development.rb to put:

BetterErrors::Middleware.allow_ip!(open('http://ipecho.net/plain').read)

On app boot this adds my current remote IP to the allowed list, and better_errors works locally. Won't show up for anyone else you give your ngrok address to, but then you likely don't want it to.

[hakunin]

Hey I'm using ngrok and http auth in order to protect my app.
Is there a way to use better errors (maybe without the repl) when I'm logged in?

[paulodeon]

This would now be

BetterErrors::Middleware.allow_ip!(URI.open("https://ipecho.net/plain").read)