Trusted proxies are configurable #2632

Merged
merged 1 commit into from Feb 7, 2012


@gsterndale
Contributor

With this change, the default trusted_proxies pattern can be replaced entirely when configured with a Regexp, or appended to when configured with a String.

This allows developers to create a more specific pattern for their network, preventing local clients from being filtered as proxies.


When configured with a Regexp

HelloWorld::Application.config.action_dispatch.trusted_proxies = /1\.2\.3\.4/

The ActionDispatch::RemoteIp middleware instance (and its RemoteIpGetter) will have the Regexp above assigned to its @trusted_proxies instance variable.

/1\.2\.3\.4/

When configured with nil, or not explicitly configured

HelloWorld::Application.config.action_dispatch.trusted_proxies = nil

The default Regexp matching private IP addresses will be assigned to @trusted_proxies.

/(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)/

When configured with a String

HelloWorld::Application.config.action_dispatch.trusted_proxies = "1.2.3.4"

The String will be combined with the default Regexp matching private IP addresses and assigned to @trusted_proxies.

/(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)|(1\.2\.3\.4)/
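
The three configuration cases above, and what each means for resolving the client address, as an added Ruby sketch (not code from this PR or from Rails). `effective_trusted_proxies` and `client_ip` are hypothetical helpers, the hop-selection rule is a simplifying assumption, and every address is constructed.

```ruby
# Added illustration: a simplified model of the behaviour described in this PR,
# not the ActionDispatch::RemoteIp source. Helper names are hypothetical.

# Default pattern exactly as quoted in the PR description.
DEFAULT_TRUSTED = /(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)/

# The three cases: nil keeps the default, a Regexp replaces it, and a String
# is escaped and appended to the default as one more alternative.
def effective_trusted_proxies(setting)
  case setting
  when nil    then DEFAULT_TRUSTED
  when Regexp then setting
  when String then Regexp.new("#{DEFAULT_TRUSTED.source}|(#{Regexp.escape(setting)})")
  else raise ArgumentError, "expected nil, Regexp or String"
  end
end

# Assumed selection rule: start at the nearest hop (REMOTE_ADDR), walk outwards
# through X-Forwarded-For, and return the first address that is not a trusted
# proxy. If every hop is trusted, fall back to REMOTE_ADDR.
def client_ip(remote_addr, x_forwarded_for, trusted)
  hops = x_forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?) + [remote_addr]
  hops.reverse.find { |ip| !trusted.match?(ip) } || remote_addr
end

# Constructed scenarios: [label, REMOTE_ADDR, X-Forwarded-For, setting].
SCENARIOS = [
  # User, proxy and app server all on the LAN: the default treats the user
  # as a proxy too, so the proxy address is reported.
  ["LAN, default pattern",   "192.168.1.10", "192.168.1.50", nil],
  # A Regexp naming only the real proxy lets the LAN user through.
  ["LAN, specific Regexp",   "192.168.1.10", "192.168.1.50", /\A192\.168\.1\.10\z/],
  # The appended String alternative is unanchored, so 11.2.3.45 also matches
  # (1\.2\.3\.4) and is filtered out as if it were the proxy.
  ["String, unanchored",     "1.2.3.4",      "11.2.3.45",    "1.2.3.4"],
  # An anchored Regexp trusts 1.2.3.4 only.
  ["Regexp, anchored",       "1.2.3.4",      "11.2.3.45",    /\A1\.2\.3\.4\z/],
].freeze

def run_scenarios
  SCENARIOS.map do |label, remote, xff, setting|
    [label, client_ip(remote, xff, effective_trusted_proxies(setting))]
  end
end

run_scenarios.each { |label, ip| puts format("%-22s -> %s", label, ip) } if $PROGRAM_NAME == __FILE__
```

Because a Regexp setting replaces the default entirely, it must also list any loopback or private-range proxies that should stay trusted.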

@adamcrown
Contributor

Nice fix. It would certainly solve our problems with getting a user's IP when the user, proxy and app server are all on the LAN. We've had to fall back to reading X_FORWARDED_FOR directly.

@Zequez
Zequez commented Nov 13, 2011

Very useful, I hope someone merges it soon ^^

@arunagw
Member
arunagw commented Jan 31, 2012

@gsterndale your PR needs a rebase. I think some code changes were done in the same file.

@gsterndale
Contributor

Thanks @arunagw, rebased.

@arunagw
Member
arunagw commented Feb 7, 2012

@josevalim josevalim merged commit 641359e into rails:master Feb 7, 2012

@courtland
Contributor

Will this be included in 3.2.2 final?

@courtland
Contributor

It would be nice to get this into 3.2.x at some point. I've been monkey-patching this for months. @spastorino can you do anything?

@donaldpiret

Looks like this never made it into 3.2.16 even though it was merged to master 2 years ago?! confused

@robin850
Member
robin850 commented Feb 5, 2014

@courtland @donaldpiret: If you look at the merge commit, you can see just under the message the releases that include it. Moreover, 3.2.x doesn't receive any new fixes anymore (apart from security ones).

@donaldpiret

@robin850 Thanks for clarifying, that makes sense!
