2015-01-14 43 views

我發現了以下錯誤在我的Rails應用4:如何在Rails 4應用程序中禁用IP欺騙檢查?

ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?! HTTP_CLIENT_IP="xx.xx.xx.xx" HTTP_X_FORWARDED_FOR="xx.xx.xx.xx"



When an intermediate proxy inserts the user IP address both in the HTTP_CLIENT_IP and the HTTP_X_FORWARDED_FOR, and this address is private, ActionDispatch::RemoteIp raises an IpSpoofAttackError exception.

When an enterprise proxy includes the user's IP address in a header, this will commonly be private. Removing private IP addresses from the chain contained in HTTP_X_FORWARDED_FOR should probably be done only when the address is not an exact match of the one found in HTTP_CLIENT_IP. If it is a match, that should be the user's IP address.

This happens for example with the following environment:

HTTP_CLIENT_IP: HTTP_X_BLUECOAT_VIA: ffffffffffffffff HTTP_X_FORWARDED_FOR: REMOTE_ADDR: xxx.xxx.xxx.xxx (this would be a public IP address)


As a work-around, I've disabled this check in config/application.rb:

config.action_dispatch.ip_spoofing_check = false

然而,這似乎並沒有在Rails 4中工作。什麼是新的電話,我如何設置它的網站範圍?




This request seems to have come through two different reverse proxies. One of them set the CLIENT_IP header to the user's IP address; the other set the X_FORWARDED_FOR header. One of those values is probably correct, the other probably contains the IP of a reverse proxy, and I have no way to tell which is which. I can't reliably determine this user's IP address, so I'm going to reject the request.



有關如何創建自己的中間件的指示信息,請參閱Rails 3 middleware modify request headers。將它插入RemoteIp中間件之前,清除哪個標頭具有「壞」值,並且您應該很好。