Feature #30779

Use ActionDispatch::RemoteIp when working as a reverse proxy

Added by Ewoud Kohl van Wijngaarden about 1 year ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Category:
Settings
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:

Description

The ActionDispatch::RemoteIp middleware can provide the remote IP correctly as a property of the request object. It has an option to provide a list of trusted reverse proxies which needs to be exposed to the user. The installer should also expose this. It only needs to be in settings.yaml since middleware can't dynamically reload config.

This will replace the existing IpFromRequestEnv concern so it can be used application wide.

https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html


Related issues

Related to Foreman - Bug #32019: all requests are logged as coming from 127.0.0.1 in production.log (status: Duplicate)

Associated revisions

Revision 8609ef84 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Fixes #30779 - Implement ActionDispatch::RemoteIp (#7960)

The ActionDispatch::RemoteIp middleware can provide the remote IP
correctly as a property of the request object. This looks at
X-Forwarded-For headers while stripping out reverse proxies and falls
back to REMOTE_ADDR.

It has an option to provide a list of trusted reverse proxies which
needs to be exposed to the user. This option is exposed via a setting
which the installer can set. It needs to be in settings.yaml since
middleware can't dynamically reload config.

This middleware is enabled by default in Rails, which is an odd choice
because it actually opens up a security risk, as noted in its
documentation. Technically the best choice would be to disable the
middleware if running without a reverse proxy (like with Passenger).

It should also be noted that while there appears to be spoofing
protection inside the middleware, it doesn't actually work since the
Client-Ip is never set in our deployments.

This commit also consistently uses request.remote_ip to obtain the IP.

After this change, the remote_addr setting is no longer needed and also
no longer makes sense.

Co-authored-by: Marek Hulán <>

History

#1 Updated by The Foreman Bot about 1 year ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7960 added

#2 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Related to Bug #32019: all requests are logged as coming from 127.0.0.1 in production.log added

#3 Updated by The Foreman Bot 7 months ago

  • Fixed in Releases 2.5.0 added

#4 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman/pull/8405 added

#6 Updated by Amit Upadhye 7 months ago

  • Fixed in Releases 2.4.0 added

#7 Updated by Tomer Brisker 7 months ago

  • Fixed in Releases 2.3.4 added
  • Fixed in Releases deleted (2.5.0)
