This project is archived and is in readonly mode.
HTTP_X_FORWARDED_FOR ignored if REMOTE_ADDR is "trusted"
Reported by Alexander Staubo | March 4th, 2009 @ 01:46 PM
Rails breaks HTTP_X_FORWARDED_FOR for proxies that are not on a class-C net. This is common for sites that use a transparent firewall that doesn't use a DMZ-style, NAT-based network topology, but where each node has a public IP.
This means the proxy's legitimate HTTP_X_FORWARDED_FOR header is simply ignored, and the proxy's own IP is returned. Nicely done.
In our case, every machine in the cluster is identically configured and capable of being a proxy. Therefore, our only option is to modify TRUSTED_PROXIES at runtime to include the correct IP range. That's an ugly solution, and the proper solution might be to replace the constant with a freely modifiable list.
Comments and changes to this ticket
-
CancelProfileIsBroken August 5th, 2009 @ 02:27 PM
- Tag changed from proxy, request to bugmash, proxy, request
-
Elise Huard August 9th, 2009 @ 12:13 PM
If I understand correctly, the problem occurs in the remote_ip method of the Request class (actionpack/lib/action_dispatch/http/request.rb).
The fact that the proxy's address is not a local network address (as determined by TRUSTED_PROXIES), but a public one, adds it to the HTTP_X_FORWARDED_FOR, and so this becomes the returned remote IP address - which makes the latter pretty useless.
I'm going to have a look at a possible solution.
Felipe Talavera August 9th, 2009 @ 01:18 PM
Here is the patch with the test.
Finally, I added the ActionController::Base.local_trusted_proxies config option that can be set with a regex to match the TRUSTED_PROXIES with a public IP.
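A constructed Ruby model of the remote_ip behaviour this ticket describes, and of the configurable trusted-proxy list the patch adds (an added example, not Rails' own code or the attached patch; the RemoteIpResolver class, the regexes and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions):

```ruby
# Constructed model of the remote_ip logic discussed in this ticket (not Rails' code).
# Default trusted list: loopback and RFC 1918 private ranges only, so a proxy with a
# public IP is *not* trusted and its X-Forwarded-For header is ignored.
DEFAULT_TRUSTED_PROXIES = /\A(127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/

class RemoteIpResolver
  attr_accessor :trusted_proxies

  # trusted_proxies: a Regexp matched against each hop address (runtime-configurable,
  # which is what the ticket asks for instead of a fixed constant).
  def initialize(trusted_proxies = DEFAULT_TRUSTED_PROXIES)
    @trusted_proxies = trusted_proxies
  end

  # env: Rack-style hash with REMOTE_ADDR and optional HTTP_X_FORWARDED_FOR.
  def remote_ip(env)
    remote_addr = env['REMOTE_ADDR'].to_s.strip
    # Only honour X-Forwarded-For when the peer that sent it is a trusted proxy;
    # an untrusted peer's header is client-controlled and must not be believed.
    return remote_addr unless trusted?(remote_addr)

    forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).reject(&:empty?)
    return remote_addr if forwarded.empty?

    # Walk from the right, dropping trusted hops; the first untrusted hop is the client.
    forwarded.pop while forwarded.size > 1 && trusted?(forwarded.last)
    forwarded.last
  end

  private

  def trusted?(addr)
    !!(trusted_proxies =~ addr)
  end
end

if __FILE__ == $0
  # Constructed sample: a public-IP proxy (203.0.113.10) forwarding for client 198.51.100.7.
  env = { 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7' }
  puts RemoteIpResolver.new.remote_ip(env)                 # 203.0.113.10 (the bug)
  cluster = RemoteIpResolver.new(Regexp.union(DEFAULT_TRUSTED_PROXIES, /\A203\.0\.113\./))
  puts cluster.remote_ip(env)                              # 198.51.100.7 (proxy trusted)
end
```

Widening the trusted list is only safe for proxies that overwrite or append to X-Forwarded-For themselves; a trusted hop that passes a client-supplied header through unchanged lets the client choose the reported address.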
-
Rizwan Reza August 9th, 2009 @ 04:01 PM
verified
+1 This patch applies cleanly to 2-3-stable. All tests pass.
-
Rizwan Reza August 9th, 2009 @ 04:30 PM
verified
+1 The second patch applies cleanly to master and tests also pass. Good work!
-
Repository August 9th, 2009 @ 04:58 PM
- State changed from new to resolved
(from [654568e71b1ee36a04acef74b1a8ce4737050882]) Allow to configure trusted proxies via ActionController::Base.trusted_proxies [#2126 state:resolved]
Signed-off-by: Pratik Naik pratiknaik@gmail.com
http://github.com/rails/rails/commit/654568e71b1ee36a04acef74b1a8ce...
CancelProfileIsBroken August 9th, 2009 @ 05:13 PM
- Tag changed from bugmash, proxy, request to proxy, request
- Milestone cleared.