Standup 4/7/2010: Disabling Rails' IP Spoofing Safeguard
Posted by Jay Phillips on Wednesday April 07, 2010 at 09:46AM

Ask for Help

"How can Rails' IP spoof attack safeguards be disabled when its guesses give false positives that block out important users?"

With this safeguard enabled, Rails may block users on some mobile devices or behind poorly configured firewalls.

The safeguard causes Rails to return a 500 and log the following message:

ActionController::ActionControllerError: IP spoofing attack?! HTTP_CLIENT_IP="16.89.XX.XXX" HTTP_X_FORWARDED_FOR="15.243.YY.YYY"

Rails 2.3 and later let you disable this check by overriding a setting in the initializer block of your environment.rb:

Rails::Initializer.run do |config|
  config.action_controller.ip_spoofing_check = false
end

As always, be sure you understand the implications of disabling this security feature!
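
To make those implications concrete, here is an added example (a simplified model, not Rails' source and not code from the original post) of the header comparison that the log message above reflects. It assumes the check fires when a Client-IP header is present but absent from the X-Forwarded-For list, and that with the check off the Client-IP value is used as the remote IP; `model_remote_ip`, `outcome` and the sample requests are hypothetical names and constructed data.

```ruby
# Simplified model of the IP spoofing safeguard (added example, not Rails source).
class SpoofingSuspected < StandardError; end

# Hypothetical helper: env is a Rack-style hash of request headers.
def model_remote_ip(env, ip_spoofing_check: true)
  client_ip = env['HTTP_CLIENT_IP']
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).reject(&:empty?)

  if client_ip
    # Assumed rule: two headers that disagree mean one of them cannot be trusted.
    if ip_spoofing_check && !forwarded.empty? && !forwarded.include?(client_ip)
      raise SpoofingSuspected, "IP spoofing attack?! HTTP_CLIENT_IP=#{client_ip.inspect} " \
                               "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
    end
    return client_ip # with the check off, this header value is accepted as-is
  end

  # Simplification: no trusted-proxy filtering, just the last hop or the socket address.
  forwarded.last || env['REMOTE_ADDR']
end

# Returns the resolved IP, or :rejected when the safeguard raises (the 500 case).
def outcome(env, check)
  model_remote_ip(env, ip_spoofing_check: check)
rescue SpoofingSuspected
  :rejected
end

# Constructed sample requests (documentation address ranges, not real traffic).
CONSISTENT = { 'HTTP_CLIENT_IP' => '203.0.113.7',
               'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2' }.freeze
MISMATCH   = { 'HTTP_CLIENT_IP' => '198.51.100.9',
               'HTTP_X_FORWARDED_FOR' => '203.0.113.7' }.freeze
DIRECT     = { 'REMOTE_ADDR' => '192.0.2.10' }.freeze

[CONSISTENT, MISMATCH, DIRECT].each do |env|
  puts "check on: #{outcome(env, true).inspect}  check off: #{outcome(env, false).inspect}"
end
```

With the check off, the mismatched request resolves to whatever the Client-IP header says, so any allowlist, rate limit or audit log keyed on the remote IP is then trusting a value taken from a request header.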