ruby-on-rails - 如何在Rails 4应用程序中禁用IP欺骗检查？

Question

我在Rails 4应用程序中遇到以下错误:

ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?! HTTP_CLIENT_IP="xx.xx.xx.xx" HTTP_X_FORWARDED_FOR="xx.xx.xx.xx"

我们不需要这种类型的安全检查，因此经过一番谷歌搜索之后，我发现了这一点:
https://github.com/rails/rails/issues/10780

When an intermediate proxy inserts the user IP address both in theHTTP_CLIENT_IP and the HTTP_X_FORWARDED_FOR, and this address isprivate, ActionDispatch::RemoteIp raises an IpSpoofAttackErrorexception.

When an enterprise proxy includes the user's IP address in a header,this will commonly be private. Removing private IP addresses from thechain contained in HTTP_X_FORWARDED_FOR should probably be done onlywhen the address is not an exact match of the one found inHTTP_CLIENT_IP. If it is a match, that should be the user's IPaddress.

This happens for example with the following environment:

HTTP_CLIENT_IP: 172.17.19.51 HTTP_X_BLUECOAT_VIA: ffffffffffffffffHTTP_X_FORWARDED_FOR: 172.17.19.51 REMOTE_ADDR: xxx.xxx.xxx.xxx (thiswould be a public IP address)

此处提供的修复程序:

As a work-around, I've disabled this check in config/application.rb:

config.action_dispatch.ip_spoofing_check = false

但是，这似乎在Rails 4中不起作用。什么是新调用？如何在整个站点范围内设置新调用？

Answer 1

最好是解决实际问题，而不是关闭警告。这是我对Rails告诉您的内容的改写:

This request seems to have come through two different reverse proxies. One of them set the CLIENT_IP header to the user's IP address; the other set the X_FORWARDED_FOR header. One of those values is probably correct, the other probably contains the IP of a reverse proxy, and I have no way to tell which is which. I can't reliably determine this user's IP address, so I'm going to reject the request.

“正确”的解决方案是停止设置两个 header 。为此，您需要跟踪它们的来源(我将从您的Bluecoat设备开始)，并找出它们是否都需要。通常，您只会使用其中一个。

如果事实证明它们都是必需的(我看过一些奇怪的东西)，那么您将需要找出首先设置了哪个 header (假设链中有两个代理)。然后，您可以编写一个自定义中间件来删除另一个HTTP header 。

有关如何创建自己的中间件的指针，请参见 Rails 3 middleware modify request headers。将其插入RemoteIp中间件之前，清除任何具有“坏”值的 header ，那么您应该不错。