This project is archived and is in readonly mode.

#2126 ✓resolved
Alexander Staubo

HTTP_X_FORWARDED_FOR ignored if REMOTE_ADDR is "trusted"

Reported by Alexander Staubo | March 4th, 2009 @ 01:46 PM

Rails breaks HTTP_X_FORWARDED_FOR for proxies that are not on a class-C net. This is common for sites that use a transparent firewall that don't use a DMZ-style, NAT-based network topology, but where each node has a public IP.

This means the proxy's legitimate HTTP_X_FORWARDED_FOR header is simply ignored, and the proxy's own IP is returned. Nicely done.

In our case, every machine in the cluster is identically configured and capable of being a proxy. Therefore, our only option is to modify TRUSTED_PROXIES at runtime to include the correct IP range. That's an ugly solution, and the proper solution might be to replace the constant with a freely modifiable list.

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket


Referenced by