Rails 500 error - IP spoofing attack

Apparently Rails 2.1 has the nifty ability to throw a 500 Internal Server Error with the message “IP spoofing attack?!” under certain circumstances.

Unfortunately, those circumstances include a common Apache/Mongrel deployment and Yahoo’s crawler, Slurp, trying to index your site. It’s possible Apache/Mongrel isn’t required; I’m unsure.

The key is that Slurp includes both a Client-IP header (HTTP_CLIENT_IP by the time it hits Rails) and an X-Forwarded-For header (HTTP_X_FORWARDED_FOR). When both are present, Rails assumes something evil is happening and voluntarily dies. Neat.

Such a header can be relied on only if it was set by a trusted proxy. Otherwise, it’s hard to know if it was spoofed. The difficulty is for Rails to know which one, if any, was set by a trusted proxy.

I deploy Rails in a common Apache w/mod_proxy_balancer and Mongrel setup. Apache uses X-Forwarded-For natively, so that’s the one I want to trust. To make Rails happy, I’ve just told Apache to delete the Client-IP header if present.

Adding RequestHeader unset Client-IP to the virtual host configuration seems to do the trick.

This does require mod_headers to be enabled in Apache.

tags: apache, error, rails

by Jaume Arús

I have applied your fix and for the momment it works fine.


by Jamie

thanks for mentioning this, been spending a while trying to work around this myself =)

by Jamie

thanks for mentioning this, been spending a while trying to work around this myself =)

by Victor

Hey, Just want to say thank you. I have the same problem. Will try your solution, although I am using Nginx.

by restaurant fan

I wonder why this is blocked by rails… It’s great in an intranet environment when you know your network, but it’s a pain when you deploy your app into the real world.

thanks for the info!

by Jorge Alvarez


Thank you for the workaround.

This is a problem that will be corrected in next rails version.

More info here http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Frails.lighthouseapp.com%2Fprojects%2F8994%2Ftickets%2F322&ei=PE8cSd-YComm0QSG8rnHCA&usg=AFQjCNHbr5zEI7Z81GaIsZybTheff5lExg&sig2=FTCnDXeZCwxynTLMsBHfRQ