Rails ActionController: Difference between request.remote_ip and request.remote_addr
In the ActionController source, local requests are defined as follows:
def local_request? #:d开发者_开发知识库oc:
request.remote_addr == LOCALHOST && request.remote_ip == LOCALHOST
end
In my application, I want to use different logic if requests are coming from a particular IP range. What is the difference between request.remote_addr
and request.remote_ip
, and which one should I use?
I'm the author of the current implementation of remote_ip
, and the other things that it does include checking for IP spoofing attacks, and correctly handling multiple X-Forwarded-For
headers. There's a big caveat, though: only some Ruby web servers support multiple headers, so the value still might be wrong.
I wrote up the results from testing the most popular Ruby app servers on my blog, which you might want to check out if repeated headers matter for your application.
It seems to be the case that remote_addr
returns the value of the REMOTE_ADDR
environment variable as-is, while remote_ip
will adjust this based on the presence of HTTP_X_FORWARDED_FOR
and HTTP_CLIENT_IP
variables as well, such as you might have when your client is being forwarded through a proxy.
That double check for local_request?
is simply a way of ascertaining that the user came from a local machine, and wasn't simply forwarded from somewhere else through a local proxy.
精彩评论