如何在 Rails 4 应用程序中禁用 IP 欺骗检查? [英] How to disable IP Spoofing check in Rails 4 application?
问题描述
我的 Rails 4 应用程序出现以下错误:
I'm getting the following error on my Rails 4 application:
ActionDispatch::RemoteIp::IpSpoofAttackError:IP 欺骗攻击?!HTTP_CLIENT_IP=xx.xx.xx.xx";HTTP_X_FORWARDED_FOR=xx.xx.xx.xx"
ActionDispatch::RemoteIp::IpSpoofAttackError: IP spoofing attack?! HTTP_CLIENT_IP="xx.xx.xx.xx" HTTP_X_FORWARDED_FOR="xx.xx.xx.xx"
我们不需要这种类型的安全检查,所以在谷歌搜索之后我发现了这个:
We don't need this type of security check, so after some Googling around I found this:
https://github.com/rails/rails/issues/10780
当中间代理将用户 IP 地址插入到HTTP_CLIENT_IP 和 HTTP_X_FORWARDED_FOR,这个地址是私有,ActionDispatch::RemoteIp 引发 IpSpoofAttackError例外.
When an intermediate proxy inserts the user IP address both in the HTTP_CLIENT_IP and the HTTP_X_FORWARDED_FOR, and this address is private, ActionDispatch::RemoteIp raises an IpSpoofAttackError exception.
当企业代理在标头中包含用户的 IP 地址时,这通常是私人的.删除私有 IP 地址包含在 HTTP_X_FORWARDED_FOR 中的链可能应该只完成当地址与在中找到的地址不完全匹配时HTTP_CLIENT_IP.如果匹配,那应该是用户的IP地址.
When an enterprise proxy includes the user's IP address in a header, this will commonly be private. Removing private IP addresses from the chain contained in HTTP_X_FORWARDED_FOR should probably be done only when the address is not an exact match of the one found in HTTP_CLIENT_IP. If it is a match, that should be the user's IP address.
例如在以下环境中会发生这种情况:
This happens for example with the following environment:
HTTP_CLIENT_IP:172.17.19.51 HTTP_X_BLUECOAT_VIA:ffffffffffffffffHTTP_X_FORWARDED_FOR: 172.17.19.51 REMOTE_ADDR: xxx.xxx.xxx.xxx (这个将是公共 IP 地址)
HTTP_CLIENT_IP: 172.17.19.51 HTTP_X_BLUECOAT_VIA: ffffffffffffffff HTTP_X_FORWARDED_FOR: 172.17.19.51 REMOTE_ADDR: xxx.xxx.xxx.xxx (this would be a public IP address)
此处提供了修复:
A fix presented here:
作为一种解决方法,我在 config/application.rb 中禁用了此检查:
As a work-around, I've disabled this check in config/application.rb:
config.action_dispatch.ip_spoofing_check = false
config.action_dispatch.ip_spoofing_check = false
然而,这在 Rails 4 中似乎不起作用.新调用是什么,我如何设置它的站点范围?
However this doens't seem to work in Rails 4. What is the new call and how do I set it site wide?
推荐答案
与其关闭警告,不如解决实际问题.这是我对 Rails 告诉您的内容的重新表述:
Rather than turning off the warning, it might be better to fix the actual problem. Here's my rephrasing of what Rails is telling you:
这个请求似乎来自两个不同的反向代理.其中之一将 CLIENT_IP 标头设置为用户的 IP 地址;另一个设置 X_FORWARDED_FOR 标头.其中一个值可能是正确的,另一个可能包含反向代理的 IP,我无法分辨哪个是哪个.我无法可靠地确定此用户的 IP 地址,因此我将拒绝该请求.
This request seems to have come through two different reverse proxies. One of them set the
CLIENT_IPheader to the user's IP address; the other set theX_FORWARDED_FORheader. One of those values is probably correct, the other probably contains the IP of a reverse proxy, and I have no way to tell which is which. I can't reliably determine this user's IP address, so I'm going to reject the request.
正确"的解决方案是停止设置两个标题.为此,您需要追踪它们的来源(我将从您的 Bluecoat 设备开始)并确定它们是否都需要.通常您只会使用其中一种.
The "correct" solution is to stop setting both headers. For that you'll need to track down where they're coming from (I'd start with your Bluecoat device) and find out if they're both needed. Usually you'll only use one or the other.
如果事实证明它们都需要(我见过更奇怪的事情),那么您需要找出首先设置的标头(假设链中有两个代理).然后,您可以编写一个自定义中间件来删除其他 HTTP 标头.
If it turns out they are both needed (I've seen stranger things), then you'll need to find out which header is being set first (assuming there are two proxies in the chain). Then you can write a custom middleware that deletes the other HTTP header.
请参阅 Rails 3 中间件修改请求标头以获取有关如何创建的指示你自己的中间件.在RemoteIp中间件之前插入,把哪个header有bad"值的就清除掉,应该就好了.
See Rails 3 middleware modify request headers for pointers on how to create your own middleware. Insert it before the RemoteIp middleware, clear out whichever header has the "bad" value, and you should be good.
这篇关于如何在 Rails 4 应用程序中禁用 IP 欺骗检查?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
