class ActionDispatch::RemoteIp
def initialize(app, ip_spoofing_check = true, custom_proxies = nil)
them in via the +custom_proxies+ parameter. That way, the middleware will
with your proxy servers after it. If your proxies aren't removed, pass
want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
The +custom_proxies+ argument can take an enumerable which will be used
incorrect or confusing way (like AWS ELB).
clients (like WAP devices), or behind proxies that set headers in an
address. It makes sense to turn off this check on sites aimed at non-IP
is raised if it looks like the client is trying to lie about its own IP
The +ip_spoofing_check+ option is on by default. When on, an exception
Create a new +RemoteIp+ middleware instance.
def initialize(app, ip_spoofing_check = true, custom_proxies = nil) @app = app @check_ip = ip_spoofing_check @proxies = if custom_proxies.blank? TRUSTED_PROXIES elsif custom_proxies.respond_to?(:any?) custom_proxies else raise(ArgumentError, <<~EOM) Setting config.action_dispatch.trusted_proxies to a single value isn't supported. Please set this to an enumerable instead. For example, instead of: config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8") Wrap the value in an Array: config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")] Note that passing an enumerable will *replace* the default set of trusted proxies. EOM end end