When I reflect
render text: request.remote_ip
it returns 18.104.22.168 for the following code:
So I am not sure why we need to raise IpSpoofAttackError. How exactly is it supposed to protect me? Probably I must use .ip instead of remote_ip if I don't have a proxy server?
If we have a proxy server appending real IP to X-Forwarded-For, IpSpoofAttackError is not helpful.
If we don't have it, IpSpoofAttackError is not helpful either, because we can simply set our own X-Forwarded-For w/o Client-Ip.
Can someone please explain how it is helping?
Solution: Use PHP ;)
joernchen: this doesn't work.
Since it doesn't work can someone remove that IP spoofing error? It only scares, doesn't mitigate.
This doesn't work? @env["REMOTE_ADDR"]
@pwnsdx no, and I don't see how it can help in any situation. It's still easy to set X-F-For
I found a workaround: https://stackoverflow.com/questions/10997005/whats-the-difference-between-request-remote-ip-and-request-ip-in-rails#comment24733353_10997322
I think the actual only way to fix this is at the web server level.
I don't think IpSpoofAttackError protects against anything. From the code:
Rails will raise the exception when it encounters a request having both the Client-Ip and X-Forwarded-For headers set. Something that is more likely caused by an ill-behaving proxy.
Exactly. Why do we need it then? Remote_ip has no benefits, let's use .ip instead.
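An added example, not part of the thread and not Rails' own code: a simplified resolver showing when forwarding headers can be used as evidence of the client address. The names `TRUSTED_PROXIES`, `client_ip`, `parse_ip`, `trusted?` and `InconsistentForwardingHeaders` are hypothetical, the proxy list and sample addresses are constructed, and the header-disagreement check is only loosely modelled on the Client-Ip / X-Forwarded-For check discussed above.

```ruby
require "ipaddr"

# Assumption: the only proxies we operate are loopback and 10.0.0.0/8 (constructed list).
TRUSTED_PROXIES = %w[127.0.0.1/32 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }

class InconsistentForwardingHeaders < StandardError; end

# Returns an IPAddr, or nil for empty or malformed input.
def parse_ip(value)
  text = value.to_s.strip
  text.empty? ? nil : IPAddr.new(text)
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  nil
end

def trusted?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# env is a Rack-style hash; returns the client address as a string.
def client_ip(env)
  peer = parse_ip(env["REMOTE_ADDR"])
  raise ArgumentError, "REMOTE_ADDR missing or malformed" if peer.nil?
  # An untrusted peer wrote its own headers, so none of them are evidence.
  return peer.to_s unless trusted?(peer)

  hops = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map { |h| parse_ip(h) }
  claimed = parse_ip(env["HTTP_CLIENT_IP"])
  # Behind a trusted proxy, the two headers must not disagree.
  if claimed && hops.any? && !hops.include?(claimed)
    raise InconsistentForwardingHeaders, "Client-Ip not present in X-Forwarded-For"
  end

  # Walk right to left: entries appended by our proxies are reliable, and the
  # first untrusted (or unparseable) entry ends the chain we can vouch for.
  candidate = peer
  hops.reverse_each do |hop|
    break if hop.nil?
    candidate = hop
    break unless trusted?(hop)
  end
  candidate.to_s
end
```

With no proxy in front of the application, the function returns the socket peer and ignores both headers; with a trusted proxy, anything the client prepended to X-Forwarded-For sits to the left of the entry the proxy appended and is never reached.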