Class: ActionDispatch::RemoteIp::GetIp
- Defined in:
- actionpack/lib/action_dispatch/middleware/remote_ip.rb
Overview
The GetIp class exists as a way to defer processing of the request data into an actual IP address. If the ActionDispatch::Request#remote_ip method is called, this class will calculate the value and then memoize it.
Instance Method Summary collapse
-
#calculate_ip ⇒ Object
Sort through the various IP address headers, looking for the IP most likely to be the address of the actual remote client making this request.
-
#initialize(req, check_ip, proxies) ⇒ GetIp
constructor
A new instance of GetIp.
-
#to_s ⇒ Object
Memoizes the value returned by #calculate_ip and returns it for ActionDispatch::Request to use.
Constructor Details
#initialize(req, check_ip, proxies) ⇒ GetIp
Returns a new instance of GetIp.
97 98 99 100 101 |
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 97 def initialize(req, check_ip, proxies) @req = req @check_ip = check_ip @proxies = proxies end |
Instance Method Details
#calculate_ip ⇒ Object
Sort through the various IP address headers, looking for the IP most likely to be the address of the actual remote client making this request.
REMOTE_ADDR will be correct if the request is made directly against the Ruby process, on e.g. Heroku. When the request is proxied by another server like HAProxy or NGINX, the IP address that made the original request will be put in an X-Forwarded-For
header. If there are multiple proxies, that header may contain a list of IPs. Other proxy services set the Client-Ip
header instead, so we check that too.
As discussed in this post about Rails IP Spoofing, while the first IP in the list is likely to be the “originating” IP, it could also have been set by the client maliciously.
In order to find the first address that is (probably) accurate, we take the list of IPs, remove known and trusted proxies, and then take the last address left, which was presumably set by one of those proxies.
121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 121 def calculate_ip # Set by the Rack web server, this is a single value. remote_addr = ips_from(@req.remote_addr).last # Could be a CSV list and/or repeated headers that were concatenated. client_ips = ips_from(@req.client_ip).reverse! forwarded_ips = ips_from(@req.x_forwarded_for).reverse! # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set. # If they are both set, it means that either: # # 1) This request passed through two proxies with incompatible IP header # conventions. # 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+ # (whichever the proxy servers weren't using) themselves. # # Either way, there is no way for us to determine which header is the # right one after the fact. Since we have no idea, if we are concerned # about IP spoofing we need to give up and explode. (If you're not # concerned about IP spoofing you can turn the +ip_spoofing_check+ # option off.) should_check_ip = @check_ip && client_ips.last && forwarded_ips.last if should_check_ip && !forwarded_ips.include?(client_ips.last) # We don't know which came from the proxy, and which from the user raise IpSpoofAttackError, "IP spoofing attack?! " \ "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " \ "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}" end # We assume these things about the IP headers: # # - X-Forwarded-For will be a list of IPs, one per proxy, or blank # - Client-Ip is propagated from the outermost proxy, or is blank # - REMOTE_ADDR will be the IP that made the request to Rack ips = forwarded_ips + client_ips ips.compact! # If every single IP option is in the trusted list, return the IP # that's furthest away filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr end |
#to_s ⇒ Object
Memoizes the value returned by #calculate_ip and returns it for ActionDispatch::Request to use.
165 166 167 |
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 165 def to_s @ip ||= calculate_ip end |