IP Spoofing Failsafe in Rails 2.1?


Sean Hussey

Aug 13, 2008, 4:25:49 PM
to boston-r...@googlegroups.com
Hi everyone,

I'm setting up a mongrel cluster behind Apache, and I'm seeing this
error in the production.log:

/!\ FAILSAFE /!\ Wed Aug 13 14:58:44 +0000 2008
Status: 500 Internal Server Error
IP spoofing attack?!
HTTP_CLIENT_IP="76.8.71.67"
HTTP_X_FORWARDED_FOR="10.20.1.223"

Huh?

The only reference I could find to this was here:

http://www.ruby-forum.com/topic/154836

Which details a patch here:

http://rails.lighthouseapp.com/attachments/25763/forwarded_client_ip_with_test.patch

But the patch didn't change anything for me.

Any ideas?

Sean

Daniel Higginbotham

Aug 13, 2008, 4:33:43 PM
to boston-r...@googlegroups.com
Here's the message I got from EngineYard when I asked about this:

> That log message is the result of a bug in Rails 2.1 that is going
> to be patched in the next release:
>
> http://rails.lighthouseapp.com/projects/8994/tickets/322-don-t-return-500-if-client-ip-and-x-forwarded-for-agree
>
> It's safe to ignore for now.

Daniel

Sean Hussey

Aug 13, 2008, 4:46:31 PM
to boston-r...@googlegroups.com
Heh, well, I can't ignore it because I get a 500 error. :) (I forgot
to mention that.)

There's another change mentioned in that ticket that seems to work,
but I have a feeling it's not the best way to handle it.

Thanks,

Sean

Brian Cardarella

Aug 13, 2008, 4:51:33 PM
to boston-r...@googlegroups.com
Sean,

If the problem is supposed to be resolved in the next release of
Rails, would it make sense to freeze your app and run it on edge to see
if that is the true source of the problem?

- Brian Cardarella

Decklin Foster

Aug 14, 2008, 12:43:17 PM
to boston-r...@googlegroups.com
Sean Hussey writes:

> HTTP_CLIENT_IP="76.8.71.67"
> HTTP_X_FORWARDED_FOR="10.20.1.223"

Is this behind some other proxy on your end? I am hitting the same error
and in my case, it's a T-Mobile proxy that's sending Client-IP: (my
phone's internal address on their end... I don't know why they think
I care) and no X-Forwarded-For. Apache dutifully adds X-F-F and then
kaboom. Maybe you have something similar.

I looked up where this came from and found it at

http://dev.rubyonrails.org/changeset/9124

Which seems well-intentioned but wrong. The patch that was linked to
just makes it spoofable again (set Client-IP to whatever you like, and
then inject that IP into your X-F-F). There's no way to guess whether
your trusted proxy adds Client-IP, X-F-F, or both, so this can't be
"secure" without making people configure something.

I just hacked my installation to ignore Client-IP:, since it seems like
the more obsolete one. I think the truly "opinionated" thing would be to
ignore both entirely and only parse Via: ;-)

--
things change.
dec...@red-bean.com
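Added example (not code from Rails, from the linked patch, or from anyone in this thread): a small Ruby model of the two approaches discussed above. `rails21_style_remote_ip` is a simplified reconstruction of the Rails 2.1 check that raises when Client-IP and X-Forwarded-For disagree (the FAILSAFE / 500 in Sean's log), and also shows why that check stops helping once Client-IP is allowed to match a client-supplied X-Forwarded-For entry. `trusted_proxy_remote_ip` goes in the direction Decklin describes: it ignores Client-IP entirely and believes X-Forwarded-For only for hops appended by proxies the operator has explicitly listed, so the "configure something" step is a list of trusted networks. The trusted ranges, the loopback REMOTE_ADDR (Apache and mongrel on one host) and the 203.0.113.9, 192.0.2.1 and 198.51.100.7 addresses are assumptions and constructed sample values; only 76.8.71.67 and 10.20.1.223 come from the thread.

```ruby
require 'ipaddr'

class IpSpoofingError < StandardError; end

# Split a comma-separated X-Forwarded-For value into its hop strings.
def forwarded_hops(env)
  (env['HTTP_X_FORWARDED_FOR'] || '').split(',').map(&:strip).reject(&:empty?)
end

# Model of the Rails 2.1 check discussed in the thread (a reconstruction,
# not the Rails source): when Client-IP is present it must also appear in
# X-Forwarded-For, otherwise the request is rejected as spoofed. With no
# Client-IP the last X-Forwarded-For hop (or REMOTE_ADDR) is used as-is.
def rails21_style_remote_ip(env)
  hops = forwarded_hops(env)
  if (client_ip = env['HTTP_CLIENT_IP'])
    unless hops.empty? || hops.include?(client_ip)
      raise IpSpoofingError,
            "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
            "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
    end
    return client_ip
  end
  hops.last || env['REMOTE_ADDR']
end

# True when the Rails 2.1-style check would have produced the FAILSAFE 500.
def rails21_failsafe?(env)
  rails21_style_remote_ip(env)
  false
rescue IpSpoofingError
  true
end

def valid_ip?(str)
  IPAddr.new(str)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

def trusted?(addr, trusted_proxies)
  return false unless valid_ip?(addr)
  ip = IPAddr.new(addr)
  trusted_proxies.any? { |net| net.include?(ip) }
end

# Hardened variant: Client-IP is never consulted, and X-Forwarded-For is only
# honoured for the hops our own (configured) proxies appended. Anything further
# left in the header was written by an untrusted party and is discarded.
def trusted_proxy_remote_ip(env, trusted_proxies)
  remote_addr = env['REMOTE_ADDR']
  # Not arriving via one of our proxies: the TCP peer address is the answer.
  return remote_addr unless trusted?(remote_addr, trusted_proxies)

  hops = forwarded_hops(env)
  # Peel our own proxies off the right; the next address is the client as
  # seen by the outermost trusted proxy.
  hops.pop while hops.any? && trusted?(hops.last, trusted_proxies)
  candidate = hops.last
  candidate && valid_ip?(candidate) ? candidate : remote_addr
end

# Assumed deployment: Apache on loopback in front of mongrel, and an internal
# 10/8 network that may also contain proxies of ours.
TRUSTED = ['127.0.0.0/8', '10.0.0.0/8'].map { |n| IPAddr.new(n) }

# Constructed sample requests (not captured traffic). The header values in the
# first one are exactly those from Sean's production.log.
SEANS_REQUEST = { 'REMOTE_ADDR' => '127.0.0.1',
                  'HTTP_CLIENT_IP' => '76.8.71.67',
                  'HTTP_X_FORWARDED_FOR' => '10.20.1.223' }
# Carrier-proxy case from Decklin's post: Client-IP carries a private address,
# Apache appends the carrier proxy's public address (assumed 203.0.113.9).
CARRIER_REQUEST = { 'REMOTE_ADDR' => '127.0.0.1',
                    'HTTP_CLIENT_IP' => '10.20.1.223',
                    'HTTP_X_FORWARDED_FOR' => '203.0.113.9' }
# Client sends a matching Client-IP and X-Forwarded-For pair (192.0.2.1);
# Apache appends the real peer address (assumed 198.51.100.7) on the right.
SPOOFED_REQUEST = { 'REMOTE_ADDR' => '127.0.0.1',
                    'HTTP_CLIENT_IP' => '192.0.2.1',
                    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7' }

if __FILE__ == $0
  [['Sean', SEANS_REQUEST], ['carrier', CARRIER_REQUEST], ['spoofed', SPOOFED_REQUEST]].each do |name, env|
    r21 = rails21_failsafe?(env) ? 'FAILSAFE 500' : rails21_style_remote_ip(env)
    puts "#{name}: rails21=#{r21} trusted_proxy=#{trusted_proxy_remote_ip(env, TRUSTED)}"
  end
end
```

The trusted-proxy version returns the loopback address for Sean's request, because every hop in it belongs to a configured network and there is no untrusted client address left to report; that is the honest answer rather than a 500. For the carrier request it returns the carrier proxy's address, and for the matching-pair request it returns the address Apache appended, ignoring both the Client-IP header and the client-written X-Forwarded-For entry.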
