Skip to content

X-Forwarded-For ignored when "trusted" #1010

lighthouse-import opened this Issue May 16, 2011 · 2 comments

3 participants


Imported from Lighthouse. Original ticket at:
Created by jaswope - 2011-04-08 14:28:54 UTC

ActionDispatch:RemoteIp ignores X-Forwarded-For if all of the IPs it contains are considered trusted proxies. This list includes localhost and all private addresses.

This impacts applications that are hosted behind a reverse proxy (proxying to localhost) and accessed from a private IP, such as intranet applications. Aside from making the remote ip detection incorrect, this causes problems with ActionDispatch::Request.local?, causing it to incorrectly return true, which in turn causes default configurations of Rails apps to show stack traces when they shouldn't.

The offending line appears to be here:

Perhaps it should fall back to the last ip in the forwarded for chain instead:

return forwarded_ips.reject { |ip| ip =~ @trusted_proxies }.last || forwarded_ips.last

I'm not sure why this was closed. It looks like it was automatically closed after the move from Lighthouse. But I'm still experiencing this issue.

It seems to me that it should simply be the first IP in the forwarded_ips array that should be grabbed. I don't see why all of the trusted ranges should be rejected since the client could be coming from one of the trusted IP ranges.

return forwarded_ips.first || @env["REMOTE_ADDR"]

As far as I know, is now configurable using config.action_dispatch.trusted_proxies=.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.