|
|
Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1.
Rails checks that Client-IP is contained in X-Forwarded-For and raises
the error.
We decided to rescue in this individual case rather than adding a
middleware to strip Client-IP
(http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off)
so that we don't introduce unexpected behaviour. If we start to do anything
more with request.remote_ip, then we should look at doing so.
See
http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection
for an in-depth look at this issue.
|
