iprog.com

Rails 500 error - IP spoofing attack

Apparently Rails 2.1 has the nifty ability to throw a 500 Internal Server Error with the message “IP spoofing attack?!” under certain circumstances.

Unfortunately, those circumstances include a common Apache/Mongrel deployment and Yahoo’s crawler, Slurp, trying to index your site. It’s possible Apache/Mongrel isn’t required; I’m unsure.

The key is that Slurp sends both a Client-IP header (HTTP_CLIENT_IP by the time it reaches Rails) and an X-Forwarded-For header (HTTP_X_FORWARDED_FOR). When both are present and the Client-IP value is not among the addresses listed in X-Forwarded-For, Rails cannot tell which one a proxy set, assumes something evil is happening, and raises. Neat.

Either header can be relied on only if a trusted proxy set it; a client can put any value it likes in either one, so otherwise there is no way to know whether it was spoofed. Rails' difficulty is that it cannot tell which of the two, if either, came from a trusted proxy.
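To make the failure concrete, here is an added example (my own stand-alone model, not Rails' or Apache's code) that walks the whole path: what the client sends, what Apache's mod_proxy adds, and how Rails 2.1 then resolves the address. The remote_ip logic is my reading of Rails 2.1 (raise only when both headers are present and the Client-IP value is not among the X-Forwarded-For entries; otherwise Client-IP wins, then the rightmost X-Forwarded-For entry that is not a private or loopback proxy address, then REMOTE_ADDR); the proxy address ranges, the 127.0.0.1 co-location of Apache and Mongrel, and every address are assumptions, and the request shapes are constructed. It also shows what stripping Client-IP at Apache (the fix described further down) changes: a client-supplied X-Forwarded-For can no longer override the address Apache appended.

```ruby
# Added example, not Rails' source: a stand-alone model of the decision
# Rails 2.1's remote_ip makes, plus what Apache mod_proxy does to the
# headers on the way in, so the Slurp failure and the Client-IP fix can be
# reproduced without a Rails app. Assumed (my reading of Rails 2.1): Rails
# raises only when Client-IP is present AND its value is absent from the
# X-Forwarded-For list; otherwise Client-IP wins, then the rightmost
# X-Forwarded-For entry that is not a private/loopback proxy address,
# then REMOTE_ADDR. All addresses below are constructed.

class IpSpoofingAttack < StandardError; end

# Private and loopback ranges treated as "our own proxies" (assumed).
TRUSTED_PROXIES = /\A(127\.0\.0\.1\z|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)/

# What Apache (mod_proxy, optionally with "RequestHeader unset Client-IP")
# hands to Mongrel: HTTP headers become HTTP_* env keys, mod_proxy appends
# the connecting peer's address to any X-Forwarded-For it received, and
# Mongrel's REMOTE_ADDR is Apache itself (assumed co-located on 127.0.0.1).
def forward_through_apache(request_headers, peer_addr, unset_client_ip: false)
  headers = request_headers.dup
  headers.delete('Client-IP') if unset_client_ip   # RequestHeader unset Client-IP
  headers['X-Forwarded-For'] = [headers['X-Forwarded-For'], peer_addr].compact.join(', ')

  env = { 'REMOTE_ADDR' => '127.0.0.1' }
  headers.each { |name, value| env['HTTP_' + name.upcase.tr('-', '_')] = value }
  env
end

# Model of Rails 2.1 ActionController::Request#remote_ip (assumed behaviour).
def remote_ip(env)
  client_ip     = env['HTTP_CLIENT_IP']
  forwarded     = env['HTTP_X_FORWARDED_FOR']
  forwarded_ips = forwarded ? forwarded.split(',').map(&:strip) : []

  if client_ip
    unless forwarded_ips.empty? || forwarded_ips.include?(client_ip)
      # Two candidate addresses and no way to tell which (if either) a
      # trusted proxy wrote: this is the 500 the post describes.
      raise IpSpoofingAttack,
            "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
            "HTTP_X_FORWARDED_FOR=#{forwarded.inspect}"
    end
    return client_ip
  end

  unless forwarded_ips.empty?
    # Drop our own proxies from the right; what is left on the right is the
    # address the last trusted hop saw, which the client cannot forge.
    forwarded_ips.pop while forwarded_ips.size > 1 && forwarded_ips.last =~ TRUSTED_PROXIES
    return forwarded_ips.last
  end

  env['REMOTE_ADDR']
end

# Resolve a request end to end; returns the address or :ip_spoofing_attack.
def resolve(request_headers, peer_addr, unset_client_ip: false)
  remote_ip(forward_through_apache(request_headers, peer_addr, unset_client_ip: unset_client_ip))
rescue IpSpoofingAttack
  :ip_spoofing_attack
end

# Constructed requests. The crawler one has the Slurp shape: both headers
# present, and the Client-IP value not among the X-Forwarded-For entries.
CRAWLER_ADDR    = '203.0.113.7'
CRAWLER_HEADERS = { 'Client-IP' => '198.51.100.9', 'X-Forwarded-For' => '10.0.0.5' }
BROWSER_ADDR    = '192.0.2.44'
BROWSER_HEADERS = {}
SPOOF_HEADERS   = { 'X-Forwarded-For' => '1.2.3.4' }   # client-supplied, untrusted

if __FILE__ == $0
  puts "crawler, Apache untouched: #{resolve(CRAWLER_HEADERS, CRAWLER_ADDR).inspect}"
  puts "crawler, Client-IP unset:  #{resolve(CRAWLER_HEADERS, CRAWLER_ADDR, unset_client_ip: true)}"
  puts "plain browser:             #{resolve(BROWSER_HEADERS, BROWSER_ADDR, unset_client_ip: true)}"
  puts "spoofed X-Forwarded-For:   #{resolve(SPOOF_HEADERS, BROWSER_ADDR, unset_client_ip: true)}"
end
```

The crawler request comes back as :ip_spoofing_attack with Apache untouched and as the crawler's real peer address once Client-IP is stripped; the spoofed X-Forwarded-For case resolves to the peer address Apache appended rather than the 1.2.3.4 the client claimed, which is the property you want from whichever header you decide to trust.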

I deploy Rails in a common Apache with mod_proxy_balancer and Mongrel setup. Apache's mod_proxy sets X-Forwarded-For itself, appending the connecting client's address to whatever value it received, so that's the header I want to trust. To make Rails happy, I've just told Apache to delete the Client-IP header if present.

Adding RequestHeader unset Client-IP to the virtual host configuration seems to do the trick.

This does require mod_headers to be loaded in Apache; apachectl -M lists the modules that are.
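For reference, an added virtual host fragment (mine, not the post's) showing where the directive sits in an Apache 2.2 mod_proxy_balancer/Mongrel setup; the server name, balancer name and Mongrel ports are assumptions, and the only line taken from the post is RequestHeader unset Client-IP:

```apache
# Added example: host name, balancer name and ports are assumed.
<VirtualHost *:80>
    ServerName app.example.com

    # mod_headers: drop any Client-IP the client (or a crawler) sent, so the
    # only client-address header Rails sees is the X-Forwarded-For that
    # mod_proxy writes itself.
    RequestHeader unset Client-IP

    # mod_proxy_balancer pool of Mongrel instances
    <Proxy balancer://mongrel_cluster>
        BalancerMember http://127.0.0.1:8000
        BalancerMember http://127.0.0.1:8001
    </Proxy>
    ProxyPass / balancer://mongrel_cluster/
    ProxyPassReverse / balancer://mongrel_cluster/
    ProxyPreserveHost On
</VirtualHost>
```

headers_module, proxy_module, proxy_http_module and proxy_balancer_module all need to appear in the apachectl -M output for this to load. Because a client can send any Client-IP it likes, unsetting it here does more than silence the error: Rails then falls back to the X-Forwarded-For entry that mod_proxy appended, which the client cannot forge.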


Rails plugin Limited Sessions updated

I updated my limited_sessions plugin to improve support for Rails 2.1. It should maintain backwards compatibility.

The change concerns Rails 2.1’s new partial updates support. Basically, partial updates are turned off for sessions so that the session record is written on every request; the session is kept current and doesn’t expire while the user is active.



Home Depot: "Just a toy"

I was at Home Depot today trying to match paint colors for some exterior trim. I went to Home Depot because they have a self-service color-matching computer.

As I’m trying to use it, and getting rather poor results, a woman asks one of the clerks, “how well does this work?” He responded, “it’s just a toy.”

Why have something that doesn’t work and is just a toy—something not actually useful for your customers? It’s a breach of trust with those customers.

I did get help from another clerk, but I still left the store feeling a bit disillusioned with Home Depot. They obviously don’t care about me or their other customers—we’re just something to be fooled around with.

In business, it would be worthwhile to always ask, “is this actually useful or helpful to my customers?”


for all your needs

The phrase “for all your needs” is pervasive. For all your insurance needs, for all your business needs, for all your printing needs, for all your in-home weekend veterinarian care needs, etc.

Does that phrase seem meaningful to you? It doesn’t to me. Instead, it strikes me as filler—a way to have a phrase to print or speak when nothing else comes to mind or perhaps when no time has been spent to think of something more meaningful.

Spend some time coming up with something interesting to say or at least an interesting way to say it. If your words are only filler, they’ll just go in one ear and out the other — not exactly the desired effect.


classmates.com's business model seems pretty fried

classmates.com just sent me one of their usual spam^H^H^H^Hupdate messages. I’m struck today by the silliness of their current business model which is to hold data for ransom and require a subscription to get to it.

Supposedly I have a guestbook signing. However, they are requiring me to pay them to get to it. That’s dumb.

Here in 2008, data like that is free. I don’t pay to use facebook, linkedin, or any other of the myriad of social networks. Why should I pay classmates.com? I won’t and their data can rot — data I can’t see might as well not exist.

Maybe it’s time for classmates.com to rethink.
