class ActionDispatch::RemoteIp

sometime before this middleware runs.
care about that, then you need to explicitly drop or ignore those headers
claim to have any IP address by setting the X-Forwarded-For header. If you
a proxy, because you are hosted on e.g. Heroku without SSL, any client can
and setting headers with the client’s remote IP address. If you don’t use
This middleware assumes that there is at least one proxy sitting around
IF YOU DON’T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
then you should test your Rack server to make sure your data is good.
If you are behind multiple proxy servers (like NGINX to HAProxy to Unicorn)
the value that was given in the last header.
requires. Some Rack servers simply drop preceding headers, and only report
Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]

at GetIp#calculate_ip.
by @gingerlime. A more detailed explanation of the algorithm is given
with reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]<br>{the Tomcat server,
on the list of trusted IPs. This follows the precedent set by e.g.
contain the address, and then picking the last-set address that is not
making the request. It does this by checking various headers that could
This middleware calculates the IP address of the remote client that is

def call(env)

GetIp#calculate_ip method will calculate the memoized client IP address.
requests. For those requests that do need to know the IP, the
without calculating the IP to keep from slowing down the majority of
Since the IP address may not be needed, we store the object here 
def call(env)
  req = ActionDispatch::Request.new env
  req.remote_ip = GetIp.new(req, check_ip, proxies)
  @app.call(req.env)
end

def initialize(app, ip_spoofing_check = true, custom_proxies = nil)

ignore those IP addresses, and return the one that you want.
them in via the +custom_proxies+ parameter. That way, the middleware will
with your proxy servers after it. If your proxies aren't removed, pass
want in the middle (or at the beginning) of the X-Forwarded-For list,
addition to +TRUSTED_PROXIES+. Any proxy setup will put the value you
single string, IPAddr, or Regexp object is provided, it will be used in
Regexp objects which will be used instead of +TRUSTED_PROXIES+. If a
The +custom_proxies+ argument can take an Array of string, IPAddr, or

incorrect or confusing way (like AWS ELB).
clients (like WAP devices), or behind proxies that set headers in an
address. It makes sense to turn off this check on sites aimed at non-IP
is raised if it looks like the client is trying to lie about its own IP
The +ip_spoofing_check+ option is on by default. When on, an exception

Create a new +RemoteIp+ middleware instance. 
def initialize(app, ip_spoofing_check = true, custom_proxies = nil)
  @app = app
  @check_ip = ip_spoofing_check
  @proxies = if custom_proxies.blank?
    TRUSTED_PROXIES
  elsif custom_proxies.respond_to?(:any?)
    custom_proxies
  else
    Array(custom_proxies) + TRUSTED_PROXIES
  end
end