| field | value | timestamp |
|---|---|---|
| author | Andre Arko <andre@arko.net> | 2013-01-02 15:21:13 -0800 |
| committer | Andre Arko <andre@arko.net> | 2013-01-02 15:26:27 -0800 |
| commit | 75dcdbc84e53cd824c4f1c3e4cb82c40f27010c8 (patch) | |
| tree | 255a7267c3679a0d8f4ec7ffdb01505858819448 /guides/source | |
| parent | 9f200fb296da721d50af53712d1e7998a5140e76 (diff) | |
Restore original remote_ip algorithm.
Proxy servers add X-Forwarded-For headers, resulting in a list of IPs. We
remove trusted IP values, and then take the last given value, assuming that
it is the most likely to be the correct, unfaked value. See [1] for a very
thorough discussion of why that is the best option we have at the moment.
[1]: http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/
Fixes #7979
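Added here as an illustration of the algorithm the commit message describes (this is example code, not the ActionDispatch::RemoteIp source): split the X-Forwarded-For chain, discard addresses belonging to trusted proxies, report the last remaining value. The proxy list, the sample requests and the extra rule that a header arriving from a peer outside the trusted proxies is ignored entirely are assumptions of this example, not statements from the commit.

```ruby
require 'ipaddr'

# Constructed trusted-proxy ranges (assumption for this example).
TRUSTED_PROXIES = %w[127.0.0.1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }.freeze

# True when ip falls inside one of the trusted proxy networks.
def trusted?(ip, proxies)
  return false unless ip.is_a?(String)
  addr = IPAddr.new(ip)
  proxies.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false # garbage in the header is never a trusted proxy
end

# env is a Rack-style environment hash; returns the address to report.
def remote_ip(env, proxies = TRUSTED_PROXIES)
  peer = env['REMOTE_ADDR']
  # Beyond the commit message: if the direct peer is not one of our proxies,
  # nothing we trust wrote the header, so the TCP peer address is the answer.
  return peer unless trusted?(peer, proxies)

  chain = env.fetch('HTTP_X_FORWARDED_FOR', '').split(',').map(&:strip)
  untrusted = chain.reject { |ip| ip.empty? || trusted?(ip, proxies) }
  # Each proxy appends the address it saw. Values near the front were supplied
  # before the request reached our proxies and cannot be relied on; the last
  # untrusted value is the one the commit message calls least likely faked.
  untrusted.last || peer
end

# Constructed request: a client-supplied 1.2.3.4 sits at the front; proxy
# 10.0.0.5 appended the real source 203.0.113.7, then proxy 10.0.0.6 appended
# 10.0.0.5 and connected to the application.
PROXIED_REQUEST = {
  'REMOTE_ADDR' => '10.0.0.6',
  'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7, 10.0.0.5',
}.freeze

# Constructed request that bypassed the proxies but still carries a header.
DIRECT_REQUEST = {
  'REMOTE_ADDR' => '198.51.100.9',
  'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
}.freeze
```

With the sample proxies, `remote_ip(PROXIED_REQUEST)` yields `203.0.113.7` and `remote_ip(DIRECT_REQUEST)` yields `198.51.100.9`; an address range wrongly listed in `trusted_proxies` would shift which value is reported, which is why that setting deserves review.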
Diffstat (limited to 'guides/source')
-rw-r--r-- | guides/source/configuring.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 6e93932d49..5fe8e2fba6 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -197,7 +197,7 @@ Every Rails application comes with a standard set of middleware which it uses in * `Rails::Rack::Logger` notifies the logs that the request has began. After request is complete, flushes all the logs. * `ActionDispatch::ShowExceptions` rescues any exception returned by the application and renders nice exception pages if the request is local or if `config.consider_all_requests_local` is set to `true`. If `config.action_dispatch.show_exceptions` is set to `false`, exceptions will be raised regardless. * `ActionDispatch::RequestId` makes a unique X-Request-Id header available to the response and enables the `ActionDispatch::Request#uuid` method. -* `ActionDispatch::RemoteIp` checks for IP spoofing attacks. Configurable with the `config.action_dispatch.ip_spoofing_check` and `config.action_dispatch.trusted_proxies` settings. +* `ActionDispatch::RemoteIp` checks for IP spoofing attacks and gets valid `client_ip` from request headers. Configurable with the `config.action_dispatch.ip_spoofing_check`, and `config.action_dispatch.trusted_proxies` options. * `Rack::Sendfile` intercepts responses whose body is being served from a file and replaces it with a server specific X-Sendfile header. Configurable with `config.action_dispatch.x_sendfile_header`. * `ActionDispatch::Callbacks` runs the prepare callbacks before serving the request. * `ActiveRecord::ConnectionAdapters::ConnectionManagement` cleans active connections after each request, unless the `rack.test` key in the request environment is set to `true`. |
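Review bot: the new guide sentence says the middleware "gets valid `client_ip` from request headers", while the commit title and description talk about the `remote_ip` algorithm; use the name the middleware actually exposes so the guide and the code agree. The same sentence has a stray comma in "`config.action_dispatch.ip_spoofing_check`, and `config.action_dispatch.trusted_proxies` options" with only two items. Since the commit message explains that the address is taken from the X-Forwarded-For list after the trusted proxy addresses are removed, it would help readers to say that here in a few words, so it is clear that an incomplete or over-broad `trusted_proxies` setting changes which address gets reported.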