New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ActionDispatch::RemoteIp raises IpSpoofAttackError when it should not #10780
Comments
Is this still an issue? If so, I'd encourage you to look into these files: https://github.com/rails/rails/search?q=IpSpoofAttackError&ref=cmdform See if there is a clear place to add a test in either https://github.com/rails/rails/blob/master/railties/test/application/middleware/remote_ip_test.rb or https://github.com/rails/rails/blob/master/actionpack/test/dispatch/request_test.rb Then make a pull request with the failing test that mentions this issue. Then if you can, try out a few different solutions near here: rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb Lines 141 to 152 in 0c7a283
|
I think I am having the same issue. I will eventually do what @nertzy suggested... |
As a work-around, I've disabled this check in
IP spoofing is not a risk for my application anyways. |
The following test case fails in v3.2.13 by raising a
But it doesn't fail with v3.2.14 or current master (4.1.0.beta). So this issue seems to have been closed inadvertedly. I will submit a pull request for the test in case you want to add it for regression testing. |
Add regression test for IpSpoofAttackError issue Closes #10780
Rails 4.2.1 and this appears to still be an issue -
|
I got the same error, but I don't know how to fix it!! |
Got the error from a redmine application : It works using google chrome but not using IE, I guess this is related to our network but seeing the code in remote_ip.rb it should pass since it's in btw 10.132.17.230 is the real client IP trying to access from its browser PS : few minutes later it works ok again from IE |
When an intermediate proxy inserts the user IP address both in the
HTTP_CLIENT_IP
and theHTTP_X_FORWARDED_FOR
, and this address is private, ActionDispatch::RemoteIp raises an IpSpoofAttackError exception.When an enterprise proxy includes the user's IP address in a header, this will commonly be private. Removing private IP addresses from the chain contained in
HTTP_X_FORWARDED_FOR
should probably be done only when the address is not an exact match of the one found inHTTP_CLIENT_IP
. If it is a match, that should be the user's IP address.This happens for example with the following environment:
HTTP_CLIENT_IP
: 172.17.19.51HTTP_X_BLUECOAT_VIA
: ffffffffffffffffHTTP_X_FORWARDED_FOR
: 172.17.19.51REMOTE_ADDR
: xxx.xxx.xxx.xxx (this would be a public IP address)The text was updated successfully, but these errors were encountered: