Sort through the various IP address headers, looking for the IP most likely
to be the address of the actual remote client making this request.
REMOTE_ADDR will be correct if the request is made directly against the Ruby process, on e.g. Heroku. When the
request is proxied by another server like HAProxy or NGINX, the IP address
that made the original request will be put in an X-Forwarded-For header. If
there are multiple proxies, that header may contain a list of IPs. Other
proxy services set the Client-Ip header
instead, so we check that too.
As discussed in this
post about Rails IP Spoofing while the first IP in the list is likely
to be the “originating” IP, it could also have been set by the client
maliciously.
In order to find the first address that is (probably) accurate, we take the
list of IPs, remove known and trusted proxies, and then take the last
address left, which was presumably set by one of those proxies.
# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 112
def calculate_ip
# Set by the Rack web server, this is a single value.
remote_addr = ips_from(@req.remote_addr).last
# Could be a CSV list and/or repeated headers that were concatenated.
client_ips = ips_from(@req.client_ip).reverse
forwarded_ips = ips_from(@req.x_forwarded_for).reverse
# +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
# If they are both set, it means that either:
#
# 1) This request passed through two proxies with incompatible IP header
# conventions.
# 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
# (whichever the proxy servers weren't using) themselves.
#
# Either way, there is no way for us to determine which header is the
# right one after the fact. Since we have no idea, if we are concerned
# about IP spoofing we need to give up and explode. (If you're not
# concerned about IP spoofing you can turn the +ip_spoofing_check+
# option off.)
should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
if should_check_ip && !forwarded_ips.include?(client_ips.last)
# We don't know which came from the proxy, and which from the user
raise IpSpoofAttackError, "IP spoofing attack?! " "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}"
end
# We assume these things about the IP headers:
#
# - X-Forwarded-For will be a list of IPs, one per proxy, or blank
# - Client-Ip is propagated from the outermost proxy, or is blank
# - REMOTE_ADDR will be the IP that made the request to Rack
ips = [forwarded_ips, client_ips, remote_addr].flatten.compact
# If every single IP option is in the trusted list, just return REMOTE_ADDR
filter_proxies(ips).first || remote_addr
end
