ActionDispatch::RemoteIp raises IpSpoofAttackError when it should not

[aredondo]

When an intermediate proxy inserts the user IP address both in the HTTP_CLIENT_IP and the HTTP_X_FORWARDED_FOR, and this address is private, ActionDispatch::RemoteIp raises an IpSpoofAttackError exception.

When an enterprise proxy includes the user's IP address in a header, this will commonly be private. Removing private IP addresses from the chain contained in HTTP_X_FORWARDED_FOR should probably be done only when the address is not an exact match of the one found in HTTP_CLIENT_IP. If it is a match, that should be the user's IP address.

This happens for example with the following environment:

• HTTP_CLIENT_IP: 172.17.19.51
• HTTP_X_BLUECOAT_VIA: ffffffffffffffff
• HTTP_X_FORWARDED_FOR: 172.17.19.51
• REMOTE_ADDR: xxx.xxx.xxx.xxx (this would be a public IP address)

[nertzy]

Is this still an issue? If so, I'd encourage you to look into these files: https://github.com/rails/rails/search?q=IpSpoofAttackError&ref=cmdform

See if there is a clear place to add a test in either https://github.com/rails/rails/blob/master/railties/test/application/middleware/remote_ip_test.rb or https://github.com/rails/rails/blob/master/actionpack/test/dispatch/request_test.rb

Then make a pull request with the failing test that mentions this issue. Then if you can, try out a few different solutions near here:

rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb

Lines 141 to 152 in 0c7a283

	# +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
	# If they are both set, it means that this request passed through two
	# proxies with incompatible IP header conventions, and there is no way
	# for us to determine which header is the right one after the fact.
	# Since we have no idea, we give up and explode.
	should_check_ip = @check_ip && client_ips.last
	if should_check_ip && !forwarded_ips.include?(client_ips.last)
	# We don't know which came from the proxy, and which from the user
	raise IpSpoofAttackError, "IP spoofing attack?! " +
	"HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} " +
	"HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
	end

[fbernier]

I think I am having the same issue. I will eventually do what @nertzy suggested...

[aredondo]

As a work-around, I've disabled this check in config/application.rb:

config.action_dispatch.ip_spoofing_check = false

IP spoofing is not a risk for my application anyways.

[aredondo]

The following test case fails in v3.2.13 by raising a ActionDispatch::RemoteIp::IpSpoofAttackError exception:

  actionpack/test/dispatch/request_test.rb:
  test "remote ip spoof protection ignores private addresses" do
    request = stub_request 'HTTP_X_FORWARDED_FOR' => '172.17.19.51',
                           'HTTP_CLIENT_IP'       => '172.17.19.51',
                           'REMOTE_ADDR'          => '1.1.1.1',
                           'HTTP_X_BLUECOAT_VIA'  => 'ed462f07c2ea325e'
    assert_equal '1.1.1.1', request.remote_ip
  end

But it doesn't fail with v3.2.14 or current master (4.1.0.beta). So this issue seems to have been closed inadvertedly.

I will submit a pull request for the test in case you want to add it for regression testing.

[defeated]

Rails 4.2.1 and this appears to still be an issue -

ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?!
HTTP_CLIENT_IP="10.50.18.89"
HTTP_X_FORWARDED_FOR="98.172.147.131"

…pack-4.2.1/lib/action_dispatch/middleware/remote_ip.rb: 125:in `calculate_ip'
…pack-4.2.1/lib/action_dispatch/middleware/remote_ip.rb: 144:in `to_s'
…s/actionpack-4.2.1/lib/action_dispatch/http/request.rb: 231:in `remote_ip'

[xumc]

I got the same error, but I don't know how to fix it!!

[DeepSnowNeeL]

Got the error from a redmine application :
ActionDispatch::RemoteIp::IpSpoofAttackError (IP spoofing attack?! HTTP_CLIENT_IP="10.132.17.230" HTTP_X_FORWARDED_FOR="10.154.37.204"):
app/controllers/account_controller.rb:255:in successful_authentication' app/controllers/account_controller.rb:203:inpassword_authentication'
app/controllers/account_controller.rb:189:in authenticate_user' app/controllers/account_controller.rb:40:inlogin'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'

It works using google chrome but not using IE, I guess this is related to our network but seeing the code in remote_ip.rb it should pass since it's in TRUSTED_PROXIES "10.0.0.0/8", # private IPv4 range 10.x.x.x

btw 10.132.17.230 is the real client IP trying to access from its browser
10.154.37.204 is probably a router or proxy

PS : few minutes later it works ok again from IE