class ActionDispatch::RemoteIp

sometime before this middleware runs.
care about that, then you need to explicitly drop or ignore those headers
claim to have any IP address by setting the X-Forwarded-For header. If you
a proxy, because you are hosted on e.g. Heroku without SSL, any client can
and setting headers with the client’s remote IP address. If you don’t use
This middleware assumes that there is at least one proxy sitting around
IF YOU DON’T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
then you should test your Rack server to make sure your data is good.
If you are behind multiple proxy servers (like Nginx to HAProxy to Unicorn)
the value that was given in the last header.
requires. Some Rack servers simply drop preceding headers, and only report
Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]

at GetIp#calculate_ip.
by @gingerlime. A more detailed explanation of the algorithm is given
with reasoning explained at length}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]<br>{the Tomcat server,
on the list of trusted IPs. This follows the precedent set by e.g.
contain the address, and then picking the last-set address that is not
making the request. It does this by checking various headers that could
This middleware calculates the IP address of the remote client that is

def call(env)

GetIp#calculate_ip method will calculate the memoized client IP address.
requests. For those requests that do need to know the IP, the
without calculating the IP to keep from slowing down the majority of
Since the IP address may not be needed, we store the object here 
def call(env)
  env["action_dispatch.remote_ip"] = GetIp.new(env, self)
  @app.call(env)
end

def initialize(app, check_ip_spoofing = true, custom_proxies = nil)

IP addresses, and return the one that you want.
+custom_trusted+ parameter. That way, the middleware will ignore those
servers after it. If your proxies aren't removed, pass them in via the
middle (or at the beginning) of the X-Forwarded-For list, with your proxy
to +TRUSTED_PROXIES+. Any proxy setup will put the value you want in the
instead of +TRUSTED_PROXIES+, or a string, which will be used in addition
The +custom_trusted+ argument can take a regex, which will be used

incorrect or confusing way (like AWS ELB).
clients (like WAP devices), or behind proxies that set headers in an
address. It makes sense to turn off this check on sites aimed at non-IP
is raised if it looks like the client is trying to lie about its own IP
The +check_ip_spoofing+ option is on by default. When on, an exception

Create a new +RemoteIp+ middleware instance. 
def initialize(app, check_ip_spoofing = true, custom_proxies = nil)
  @app = app
  @check_ip = check_ip_spoofing
  @proxies = case custom_proxies
    when Regexp
      custom_proxies
    when nil
      TRUSTED_PROXIES
    else
      Regexp.union(TRUSTED_PROXIES, custom_proxies)
    end
end