ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?! HTTP_CLIENT_IP=”xx.xx.xx.xx” HTTP_X_FORWARDED_FOR=”xx.xx.xx.xx”
我们不需要这种类型的安全检查,所以经过一些谷歌搜索我发现:
https://github.com/rails/rails/issues/10780
When an intermediate proxy inserts the user IP address both in the
HTTP_CLIENT_IP and the HTTP_X_FORWARDED_FOR,and this address is
private,ActionDispatch::RemoteIp raises an IpSpoofAttackError
exception.When an enterprise proxy includes the user’s IP address in a header,
this will commonly be private. Removing private IP addresses from the
chain contained in HTTP_X_FORWARDED_FOR should probably be done only
when the address is not an exact match of the one found in
HTTP_CLIENT_IP. If it is a match,that should be the user’s IP
address.This happens for example with the following environment:
HTTP_CLIENT_IP: 172.17.19.51 HTTP_X_BLUECOAT_VIA: ffffffffffffffff
HTTP_X_FORWARDED_FOR: 172.17.19.51 REMOTE_ADDR: xxx.xxx.xxx.xxx (this
would be a public IP address)
这里有一个修复:
As a work-around,I’ve disabled this check in config/application.rb:
config.action_dispatch.ip_spoofing_check = false
然而,这似乎不适用于Rails 4.什么是新的调用,如何在网站范围内设置它?
解决方法
This request seems to have come through two different reverse proxies. One of them set the
CLIENT_IPheader to the user’s IP address; the other set theX_FORWARDED_FORheader. One of those values is probably correct,the other probably contains the IP of a reverse proxy,and I have no way to tell which is which. I can’t reliably determine this user’s IP address,so I’m going to reject the request.
“正确”的解决方案是停止设置两个标题.为此,你需要追踪他们来自哪里(我从你的Bluecoat设备开始)并找出他们是否都需要.通常你只会使用其中一个.
如果事实证明它们都是需要的(我已经看到了陌生的东西),那么你需要找出首先设置哪个头(假设链中有两个代理).然后,您可以编写一个删除其他HTTP标头的自定义中间件.
有关如何创建自己的中间件的指示,请参阅Rails 3 middleware modify request headers.在RemoteIp中间件之前插入它,清除哪个标题有“坏”值,你应该是好的.