ssrf_filter plugin: clarify error for hosts resolving only to private IPs
Hey
We (OpenProject) recently shipped SSRF protection for our outbound integrations using an adaptation of this plugin, which reused its error message verbatim. Since then, multiple administrators who run their services on a private network have filed bug reports - all of them read "has no public IP addresses" as a DNS or connectivity failure. None realised the request was intentionally blocked, or that there is a way to allow the host.
We're now switching to the plugin itself (the new :safe_private_ranges option in 1.8.0 lets us drop our adaptation - thanks for that), so the same confusion would apply, and I'd like to propose a clearer version of the error:
#{@origin.host} resolves only to private or reserved IP addresses, which the ssrf_filter plugin blocks by default (use the :safe_private_ranges option to allow specific ranges)
which tells them what happened and how to approach the matter.
Happy to adjust the wording.