
Rails ActionController: Difference between request.remote_ip and request.remote_addr

In the ActionController source, local requests are defined as follows:

def local_request? #:doc:
    request.remote_addr == LOCALHOST && request.remote_ip == LOCALHOST
end

In my application, I want to use different logic if requests are coming from a particular IP range. What is the difference between request.remote_addr and request.remote_ip, and which one should I use?

jrdioko asked Nov 02 '10 17:11


2 Answers

I'm the author of the current implementation of remote_ip, and the other things that it does include checking for IP spoofing attacks, and correctly handling multiple X-Forwarded-For headers. There's a big caveat, though: only some Ruby web servers support multiple headers, so the value still might be wrong.

I wrote up the results from testing the most popular Ruby app servers on my blog, which you might want to check out if repeated headers matter for your application.

indirect answered Nov 04 '22 12:11


It seems to be the case that remote_addr returns the value of the REMOTE_ADDR environment variable as-is, while remote_ip will adjust this based on the presence of HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP variables as well, such as you might have when your client is being forwarded through a proxy.

That double check for local_request? is simply a way of ascertaining that the user came from a local machine, and wasn't simply forwarded from somewhere else through a local proxy.

tadman answered Nov 04 '22 13:11
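
The distinction the answers describe, applied to the IP-range check from the question, as an added example that is not part of either answer and is not Rails' own code. It is a simplified stand-alone model; `TRUSTED_PROXIES`, `SPECIAL_RANGE`, `client_ip` and `in_special_range?` are hypothetical names, the addresses are constructed, and it assumes the server hands the application a single comma-separated X-Forwarded-For value.

```ruby
require "ipaddr"

# Assumption: proxies we run ourselves; only these may vouch for a client address.
TRUSTED_PROXIES = %w[127.0.0.1/32 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }
# Assumption: the range the application treats specially (documentation range).
SPECIAL_RANGE = IPAddr.new("203.0.113.0/24")

# Returns an IPAddr, or nil when the text is empty or not an address.
def parse_ip(text)
  text = text.to_s.strip
  text.empty? ? nil : IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# REMOTE_ADDR is the socket peer and is used as-is. X-Forwarded-For is only
# consulted when that peer is a trusted proxy, and is walked right to left so
# entries a client prepended itself are never reached.
def client_ip(env)
  peer = parse_ip(env["REMOTE_ADDR"])
  return nil if peer.nil?
  return peer unless trusted_proxy?(peer) # header is client-controlled here

  hops = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map { |h| parse_ip(h) }
  hops.reverse_each do |hop|
    return peer if hop.nil?               # unparsable entry: stop at last known hop
    return hop unless trusted_proxy?(hop) # first address not added by our proxies
    peer = hop
  end
  peer
end

# Range decision made on the resolved address, never on the raw header.
def in_special_range?(env)
  ip = client_ip(env)
  !ip.nil? && SPECIAL_RANGE.include?(ip)
end
```
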