How to disable IP spoofing checking in a Rails 4 application?

The following error appears in a Rails 4 application:

ActionDispatch::RemoteIp::IpSpoofAttackError: IP Spoofing Attack?! HTTP_CLIENT_IP="xx.xx.xx.xx" HTTP_X_FORWARDED_FOR="xx.xx.xx.xx"

We do not need this type of security check, so after some Googling, I found this:

https://github.com/rails/rails/issues/10780

When an intermediate proxy inserts the user's IP address in both HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR, and this address is private, ActionDispatch::RemoteIp throws an IpSpoofAttackError exception.

When a corporate proxy includes the IP address of the user in the header, this will usually be a private address. Removing private IP addresses from the chain contained in HTTP_X_FORWARDED_FOR should probably only be done when the address is not an exact match with the address found in HTTP_CLIENT_IP. If it is a match, it should be the user's IP address.

This happens, for example, with the following environment:

HTTP_CLIENT_IP: 172.17.19.51
HTTP_X_BLUECOAT_VIA: ffffffffffffffff
HTTP_X_FORWARDED_FOR: 172.17.19.51
REMOTE_ADDR: xxx.xxx.xxx.xxx (this will be the public IP address)


The fix presented here:

As a workaround, I disabled this check in config/application.rb:

config.action_dispatch.ip_spoofing_check = false

However, this does not seem to work in Rails 4. What is the new setting, and how do I configure it in the application?

+6
2 answers

Instead of disabling the warning, it might be better to fix the real problem. Here I rephrase what Rails tells you:

This request seems to have gone through two different reverse proxies. One of them set the CLIENT_IP header to the client's IP address; the other set the X_FORWARDED_FOR header. One of these values is probably correct, the other probably contains the reverse proxy's IP, and I cannot tell which is which. I cannot reliably determine the user's IP address, so I will reject the request.

The "right" solution is to stop setting both headers. To do this, you will need to track down where they come from (I would start with your Bluecoat device) and find out whether both of them are needed. Usually you use only one or the other.

If it turns out that both of them are necessary (I have seen stranger things), then you will need to find out which header is set first (assuming there are two proxies in the chain). You can then write your own middleware that removes the other HTTP header.

See the Rails 3 middleware request headers for pointers on how to create your own middleware. Insert it in front of the RemoteIp middleware, clear whichever of the headers has the "bad" value, and you should be good.

+5
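
The middleware approach from this answer, applied to the duplicated-header case the question describes, as an added example (not code from the thread; the class name, the recording stub and the config line in the comment are assumptions): it drops HTTP_CLIENT_IP only when the same address already appears in HTTP_X_FORWARDED_FOR, so RemoteIp's spoofing check stays enabled and still fires when the two headers actually disagree.

```ruby
# Rack middleware (added example, not code from the thread) that drops
# HTTP_CLIENT_IP when the same address already appears in HTTP_X_FORWARDED_FOR,
# the corporate-proxy case from the question. RemoteIp then sees one client
# header and its spoofing check stays enabled; if the headers disagree, both are
# left alone and RemoteIp still raises. Assumed wiring in config/application.rb:
#   config.middleware.insert_before ActionDispatch::RemoteIp, DropDuplicateClientIp
class DropDuplicateClientIp
  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.duplicate?(env['HTTP_CLIENT_IP'], env['HTTP_X_FORWARDED_FOR'])
      env = env.dup # never mutate the env the server handed us
      env.delete('HTTP_CLIENT_IP')
    end
    @app.call(env)
  end

  # True when Client-IP is set and appears anywhere in the X-Forwarded-For
  # chain (entries separated by commas and/or whitespace).
  def self.duplicate?(client_ip, forwarded_for)
    return false if client_ip.nil? || forwarded_for.nil?
    forwarded_for.strip.split(/[,\s]+/).include?(client_ip.strip)
  end
end

# Constructed stand-in for the rest of the stack: records the env it receives.
class RecordingApp
  attr_reader :seen

  def call(env)
    @seen = env
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  end
end

# Pushes one constructed request env through the middleware and returns the
# HTTP_* headers the downstream stack received.
def headers_after_middleware(env)
  app = RecordingApp.new
  DropDuplicateClientIp.new(app).call(env)
  app.seen.select { |key, _| key.start_with?('HTTP_') }
end

# Constructed env mirroring the question's Bluecoat example (IPs are sample values).
BLUECOAT_ENV = { 'HTTP_CLIENT_IP' => '172.17.19.51', 'HTTP_X_FORWARDED_FOR' => '172.17.19.51',
                 'HTTP_X_BLUECOAT_VIA' => 'ffffffffffffffff', 'REMOTE_ADDR' => '203.0.113.10' }.freeze
```

Running `headers_after_middleware(BLUECOAT_ENV)` shows HTTP_CLIENT_IP removed while a request whose two headers differ passes through untouched, so RemoteIp still rejects it.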

config.action_dispatch.ip_spoofing_check should work, based on the call chain for RemoteIp.

You can achieve the same effect by setting config.action_dispatch.trusted_proxies to a regular expression matching all IPv4 addresses.

+2

Source: https://habr.com/ru/post/980959/