IP Spoofing Failsafe in Rails 2.1?
From: "Sean Hussey" <seanhus...@gmail.com>
Date: Wed, 13 Aug 2008 16:25:49 -0400
Subject: IP Spoofing Failsafe in Rails 2.1?
Hi everyone,

I'm setting up a mongrel cluster behind Apache, and I'm seeing this
error in the production.log:

/!\ FAILSAFE /!\  Wed Aug 13 14:58:44 +0000 2008
  Status: 500 Internal Server Error
  IP spoofing attack?!
HTTP_CLIENT_IP="76.8.71.67"
HTTP_X_FORWARDED_FOR="10.20.1.223"

Huh?

The only reference I could find to this was here:

http://www.ruby-forum.com/topic/154836

Which details a patch here:

http://rails.lighthouseapp.com/attachments/25763/forwarded_client_ip_...

But the patch didn't change anything for me.

Any ideas?

Sean


From: Daniel Higginbotham <dan...@flyingmachinestudios.com>
Date: Wed, 13 Aug 2008 16:33:43 -0400
Subject: Re: IP Spoofing Failsafe in Rails 2.1?
Here's the message I got from EngineYard when I asked about this:

> That log message is the result of a bug in Rails 2.1 that is going  
> to be patched in the next release:

> http://rails.lighthouseapp.com/projects/8994/tickets/322-don-t-return...

> It's safe to ignore for now.

Daniel

On Aug 13, 2008, at 4:25 PM, Sean Hussey wrote:


From: "Sean Hussey" <seanhus...@gmail.com>
Date: Wed, 13 Aug 2008 16:46:31 -0400
Subject: Re: IP Spoofing Failsafe in Rails 2.1?
Heh, well, I can't ignore it because I get a 500 error.  :)  (I forgot
to mention that.)

There's another change mentioned in that ticket that seems to work,
but I have a feeling it's not the best way to handle it.

Thanks,

Sean

On Wed, Aug 13, 2008 at 4:33 PM, Daniel Higginbotham


From: "Brian Cardarella" <bcardare...@gmail.com>
Date: Wed, 13 Aug 2008 16:51:33 -0400
Subject: Re: IP Spoofing Failsafe in Rails 2.1?
Sean,

If the problem is supposed to be resolved in the next release of
Rails, would it make sense to freeze your app and run it on edge to see
if that is the true source of the problem?

- Brian Cardarella


From: Decklin Foster <deck...@red-bean.com>
Date: Thu, 14 Aug 2008 12:43:17 -0400
Subject: Re: IP Spoofing Failsafe in Rails 2.1?

Sean Hussey writes:
> HTTP_CLIENT_IP="76.8.71.67"
> HTTP_X_FORWARDED_FOR="10.20.1.223"

Is this behind some other proxy on your end? I am hitting the same error
and in my case, it's a T-Mobile proxy that's sending Client-IP: (my
phone's internal address on their end... I don't know why they think
I care) and no X-Forwarded-For. Apache dutifully adds X-F-F and then
kaboom. Maybe you have something similar.

I looked up where this came from and found it at

  http://dev.rubyonrails.org/changeset/9124

Which seems well intentioned but wrong. The patch that was linked to
just makes it spoofable again (set Client-IP to whatever you like, and
then inject that IP into your X-F-F). There's no way to guess whether
your trusted proxy adds Client-IP, X-F-F, or both, so this can't be
"secure" without making people configure something.

I just hacked my installation to ignore Client-IP:, since it seems like
the more obsolete one. I think the truly "opinionated" thing would be to
ignore both entirely and only parse Via: ;-)

--
things change.
deck...@red-bean.com
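The two behaviours discussed in this thread side by side, as an added example in Ruby (not code from the thread, from Rails, or from the linked patch): a re-implementation of the failsafe as the posts describe it, run against the header values from Sean's log, and the trusted-proxy approach Decklin argues is the only sound one. The REMOTE_ADDR values, the carrier-proxy request, the attacker request with the pre-seeded headers, and the TRUSTED_PROXIES ranges are all constructed for the example.

```ruby
require 'ipaddr'

class IpSpoofAttackError < StandardError; end

# Header values copied from the production.log excerpt in Sean's post.
# REMOTE_ADDR is an assumption: mongrel sees Apache's loopback address, not the client's.
SEAN_ENV = {
  'REMOTE_ADDR'          => '127.0.0.1',
  'HTTP_CLIENT_IP'       => '76.8.71.67',
  'HTTP_X_FORWARDED_FOR' => '10.20.1.223',
}.freeze

# Constructed: the situation Decklin describes. A carrier proxy sends Client-IP with a
# private address and no X-Forwarded-For; Apache then appends the proxy's public
# address (192.0.2.44 here) as X-Forwarded-For, and the two headers disagree.
CARRIER_ENV = {
  'REMOTE_ADDR'          => '127.0.0.1',
  'HTTP_CLIENT_IP'       => '10.88.4.12',
  'HTTP_X_FORWARDED_FOR' => '192.0.2.44',
}.freeze

# Constructed: the spoof Decklin warns about. The attacker (real address 198.51.100.7)
# pre-seeds both headers with the same fake address; Apache appends the real one.
SPOOF_ENV = {
  'REMOTE_ADDR'          => '127.0.0.1',
  'HTTP_CLIENT_IP'       => '203.0.113.9',
  'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7',
}.freeze

def forwarded_chain(env)
  env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).reject(&:empty?)
end

# The failsafe as the thread describes it (re-implemented here, not Rails's code):
# Client-IP present but missing from X-Forwarded-For => refuse the request with a 500;
# otherwise Client-IP is believed outright.
def failsafe_remote_ip(env)
  client_ip = env['HTTP_CLIENT_IP']
  chain = forwarded_chain(env)
  if client_ip
    if !chain.empty? && !chain.include?(client_ip)
      raise IpSpoofAttackError,
            "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
            "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
    end
    return client_ip
  end
  chain.first || env['REMOTE_ADDR']
end

# True when the failsafe would have turned this request into a 500.
def spoof_error?(env)
  failsafe_remote_ip(env)
  false
rescue IpSpoofAttackError
  true
end

# Explicit trust configuration, which Decklin argues cannot be avoided. The ranges are
# an assumption for this example: loopback plus RFC 1918 space.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                  .map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip)
  return false unless ip.is_a?(String)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Hardened variant: ignore Client-IP entirely (as Decklin did), treat X-Forwarded-For
# as a chain each proxy appends to, and walk it from the right discarding our own
# proxies. The rightmost address we did not add is the client; everything left of it
# is text the client could have typed.
def trusted_proxy_remote_ip(env)
  return env['REMOTE_ADDR'] unless trusted_proxy?(env['REMOTE_ADDR'])
  chain = forwarded_chain(env)
  chain.pop while chain.size > 1 && trusted_proxy?(chain.last)
  chain.last || env['REMOTE_ADDR']
end

if __FILE__ == $PROGRAM_NAME
  { 'sean' => SEAN_ENV, 'carrier' => CARRIER_ENV, 'spoof' => SPOOF_ENV }.each do |name, env|
    failsafe = spoof_error?(env) ? '500 IpSpoofAttackError' : failsafe_remote_ip(env)
    puts "#{name}: failsafe=#{failsafe} trusted_proxy=#{trusted_proxy_remote_ip(env)}"
  end
end
```

Running it shows the asymmetry Decklin points out: the failsafe fires on Sean's headers and on the carrier request, both of which are legitimate traffic, yet on the attacker's request it is silent and returns the attacker's chosen 203.0.113.9, because the attacker controls the only two headers being compared. The trusted-proxy version never raises, returns 198.51.100.7 for the attacker, 192.0.2.44 for the carrier proxy, and for Sean's log returns 10.20.1.223, a private address that supports Decklin's question about another proxy sitting in front of Apache on Sean's side.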

