X-Forwarded-For is parsed incorrectly!

[Qqwy]

Given an X-Forwarded-For header like 203.0.113.195, 70.41.3.18, 150.172.238.178

remote_ip will currently replace the request's IP with 150.172.238.178.

(e.g.

iex> RemoteIp.from([{"x-forwarded-for", "203.0.113.195, 70.41.3.18, 150.172.238.178"}])
{150, 172, 238, 178}

)

However, this is incorrect. according to MDN the client IP is the first one in this list.

[ajvondrak]

Not a bug. IPs are processed last-to-first to prevent IP spoofing. If we trusted the first IP, it'd be trivial to spoof the IP of a request by setting a fake header, like curl -H "X-Forwarded-For: 1.2.3.4" http://your.site/.

Further reading:

• https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/
• https://hexdocs.pm/remote_ip/algorithm.html

If you know 150.172.238.178 and 70.41.3.18 are trusted proxies, configure the :proxies option accordingly (see https://hexdocs.pm/remote_ip/RemoteIp.Options.html).

[Qqwy]

Thank you for your reply and pointing to some articles with more information :smiley: .

[ajvondrak]

Sure thing. Hope it makes sense. :)