author | Sam <sam.saffron@gmail.com> | 2018-01-05 16:53:50 +1100 |
---|---|---|
committer | Lars Schneider <larsxschneider@github.com> | 2019-02-19 19:03:36 +0100 |
commit | 1bf218818502e820192a41c4da61aa0b0b6109af (patch) | |
tree | 71aedbf4edb0d5f2b648a5a654e407a69761a8d0 | |
parent | cb1fdb600bc525258b3c34ea95f1598ee6def9c6 (diff) | |
Preserve forwarded IP address for trusted proxy chains
Sometimes proxies make requests to Rack applications, for example
HAProxy health checks and so on.
Previously the forwarded IP implementation ate up these IP addresses,
making it hard to tell in Rack applications who made the request
-rw-r--r-- | lib/rack/request.rb | 2 | ||||
-rw-r--r-- | test/spec_request.rb | 11 |
2 files changed, 11 insertions, 2 deletions
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
index 6307b614..6fcf6ee9 100644
--- a/lib/rack/request.rb
+++ b/lib/rack/request.rb
@@ -261,7 +261,7 @@ module Rack
 forwarded_ips = split_ip_addresses(get_header('HTTP_X_FORWARDED_FOR'))
- return reject_trusted_ip_addresses(forwarded_ips).last || get_header("REMOTE_ADDR")
+ return reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
 end
 # The media type (type/subtype) portion of the CONTENT_TYPE header
diff --git a/test/spec_request.rb b/test/spec_request.rb
index cfaedbcf..6ed27ced 100644
--- a/test/spec_request.rb
+++ b/test/spec_request.rb
@@ -1286,7 +1286,16 @@ EOF
 res.body.must_equal '2.2.2.3'
 end
- it "regard local addresses as proxies" do
+ it "preserves ip for trusted proxy chain" do
+ mock = Rack::MockRequest.new(Rack::Lint.new(ip_app))
+ res = mock.get '/',
+ 'HTTP_X_FORWARDED_FOR' => '192.168.0.11, 192.168.0.7',
+ 'HTTP_CLIENT_IP' => '127.0.0.1'
+ res.body.must_equal '192.168.0.11'
+
+ end
+
+ it "regards local addresses as proxies" do
 req = make_request(Rack::MockRequest.env_for("/"))
 req.trusted_proxy?('127.0.0.1').must_equal 0
 req.trusted_proxy?('10.0.0.1').must_equal 0 |
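Review bot: The new `forwarded_ips.first` fallback on the changed `return` in lib/rack/request.rb hands back the leftmost X-Forwarded-For entry, which is the part of the header furthest from this server and the part a sender can most easily set. When every entry falls in a trusted range, the reported address is therefore whatever the originator claimed, where the old code returned REMOTE_ADDR. Callers that read the result as proof of a loopback or private-network origin would be relying on a header-derived value, so I would say so above the line, e.g. `# All forwarded entries are trusted proxies: report the claimed origin (leftmost). Header-derived, not authenticated; do not use for access control.` Whether `split_ip_addresses` validates each entry cannot be seen here, since that helper and the start of the method are outside the hunk.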
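Review bot: The new spec in test/spec_request.rb sets `'HTTP_CLIENT_IP' => '127.0.0.1'` without saying why, and nothing in the changed `return` reads that header, so a reader cannot tell whether it is part of the case or a leftover. A one-line comment such as `# Client-IP is itself a trusted address, so the forwarded chain decides` (if that is the intent) would settle it. There is also a stray blank line before the `end` of the new `it` block. The enclosing describe block starts and ends outside the hunk.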