My application registers the IP address of each user who logs in, but I noticed that it registers the IP address of our load balancer instead of the actual client IP. Investigating this issue, I believe this is because our balancing devices use publicly routed IP addresses, and Rails ignores the X-Forwarded-For header, suggesting it was tampered with. The solution is similar to whitelisting the IP range used by our load balancers.
My question is how to do this for Rails 4.1.x? Here's what I have now in config/environments/production.rb:
    config.action_dispatch.custom_proxies = %r{
      ^100\.30 |
      ^200\.40 |
    }x
I tried to format it like TRUSTED_PROXIES in the remote_ip.rb file, but maybe it should be a string or an array, or else a differently formatted regular expression? Any help on the details is greatly appreciated. Upvote bonus if you can offer an integration test that will fail if this configuration breaks in a future version of Rails. :-)
UPDATE
I tried several ways to update this, and had a bit more success using config.action_dispatch.trusted_proxies. This causes my load balancers to register, but leaves all the IP addresses registered as "127.0.0.1", regardless of whether they are internal or external. In logs/unicorn.log, the IP addresses come in as [external address, 10.* address, load balancer address], so I know that the problem is at the Rack or Rails level, and not earlier in Apache or nginx. I also tried replacing the TRUSTED_PROXIES constant with a list that does not include the 10.* range (because internal users have this range), but without any visible effect.
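An added example, not part of the original question and not Rails' own code: a self-contained Ruby model of resolving the client address by walking the X-Forwarded-For chain from the nearest hop outward and skipping trusted proxies, which is the general technique a trusted-proxies setting relies on. The /16 ranges (the question's "100.30" and "200.40" prefixes read as networks), the sample addresses and the `resolve_client_ip` helper are assumptions made for illustration.

```ruby
require 'ipaddr'

# Constructed ranges: the question's "100.30" / "200.40" prefixes read as /16 networks.
LB_RANGES    = %w[100.30.0.0/16 200.40.0.0/16].map { |c| IPAddr.new(c) }
# Loopback (local reverse proxy in front of the app server) and the internal 10.* range.
LOCAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8].map { |c| IPAddr.new(c) }

# Hypothetical helper (not a Rails API): returns the first address, counting
# from the directly connected peer outward, that is not a trusted proxy.
# Entries to the left of that address are client-controlled and are ignored.
def resolve_client_ip(remote_addr, x_forwarded_for, trusted)
  hops = x_forwarded_for.to_s.split(',').map(&:strip).reject(&:empty?)
  (hops + [remote_addr]).reverse_each do |raw|
    ip = begin
      IPAddr.new(raw)
    rescue IPAddr::Error
      return remote_addr # unparsable entry: stop and use the socket peer
    end
    return raw unless trusted.any? { |net| net.include?(ip) }
  end
  remote_addr # every hop was a trusted proxy: fall back to the socket peer
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header in the order the question reports from unicorn.log:
  # external client, internal 10.* hop, load balancer.
  xff = '203.0.113.7, 10.1.2.3, 100.30.0.5'
  puts resolve_client_ip('127.0.0.1', xff, LOCAL_RANGES)             # load balancer
  puts resolve_client_ip('127.0.0.1', xff, LOCAL_RANGES + LB_RANGES) # external client
end
```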