adam12
Contributor

@adam12 adam12 commented Oct 2, 2025

Motivation / Background

Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6) should be treated as trusted proxies by default, similar to private IP ranges, since they are non-routable and used for local network communication.

Details

Use of link-local IP addresses in tests was updated to use the 2001:db8::/32 netblock (RFC3849) to prevent conflict with the changes to the trusted proxies.

I went through the blame and can't see why fe80::/8 was chosen for these to begin with.

Additional information

Seen in the wild on an application deployed as an Azure Web Application.

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one change. Unrelated changes should be opened in separate PRs.
  • Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
  • Tests are added or updated if you fix a bug or add a feature.
  • CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

@rails-bot rails-bot bot added the actionpack label Oct 2, 2025
@adam12 adam12 force-pushed the link-local-remote-ip branch 2 times, most recently from c1bc442 to a206316 Compare October 2, 2025 19:12
Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6)
should be treated as trusted proxies by default, similar to private
IP ranges, since they are non-routable and used for local network
communication.

Use of link-local IP addresses in tests was updated to use the 2001:db8::/32
netblock (RFC3849) to prevent conflict with the changes to the trusted
proxies.
@byroot byroot force-pushed the link-local-remote-ip branch from a206316 to 0a6abea Compare October 7, 2025 08:40
@byroot byroot merged commit 5d25857 into rails:main Oct 7, 2025
3 checks passed
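
How the trusted-proxy list changes which address is reported as the client, as an added example (not code from this PR or from Rails): a simplified right-to-left walk over `X-Forwarded-For`. The baseline range list, the name `client_ip`, the fallback choice and all sample addresses are constructed assumptions.

```ruby
require "ipaddr"

# Assumed baseline of loopback and private ranges (constructed for this example).
PRIVATE_RANGES = %w[127.0.0.0/8 ::1 fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                 .map { |cidr| IPAddr.new(cidr) }
# The link-local ranges named in the PR description.
LINK_LOCAL_RANGES = %w[169.254.0.0/16 fe80::/10].map { |cidr| IPAddr.new(cidr) }

# Returns the client address as a string: the right-most hop that is not a
# trusted proxy. remote_addr is the TCP peer; forwarded_for is the raw
# X-Forwarded-For value (may be nil). Unparseable hops are dropped.
def client_ip(remote_addr, forwarded_for, trusted)
  hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?) << remote_addr
  parsed = hops.filter_map { |hop| IPAddr.new(hop) rescue nil }
  candidate = parsed.reverse.find { |ip| trusted.none? { |range| range.include?(ip) } }
  # If every hop is trusted, fall back to the left-most one (this example's choice).
  (candidate || parsed.first)&.to_s
end

if __FILE__ == $PROGRAM_NAME
  with_link_local = PRIVATE_RANGES + LINK_LOCAL_RANGES
  # Constructed request: a platform proxy connects from a link-local address.
  puts client_ip("169.254.130.1", "203.0.113.7", PRIVATE_RANGES)  # proxy reported as client
  puts client_ip("169.254.130.1", "203.0.113.7", with_link_local) # real client reported
  # A client-supplied link-local entry left of an untrusted hop is never reached.
  puts client_ip("10.0.0.2", "169.254.1.1, 198.51.100.9", with_link_local)
end
```

With only the private ranges trusted, every request behind such a proxy appears to come from the proxy's link-local address, which collapses per-client rate limiting and audit logging onto one IP.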