跳至内容 跳至搜索

GetIp 类作为一种延迟处理请求数据以获得实际 IP 地址的方法存在。如果调用 ActionDispatch::Request#remote_ip 方法,此类将计算值并将其记忆。

方法
C
F
I
N
T

类公共方法

new(req, check_ip, proxies)

源代码: 显示 | 在 GitHub 上

# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 103
def initialize(req, check_ip, proxies)
  @req      = req
  @check_ip = check_ip
  @proxies  = proxies
end

实例公共方法

calculate_ip()

遍历各种 IP 地址头部,查找最有可能代表发出此请求的实际远程客户端地址的 IP。

如果请求直接针对 Ruby 进程(例如在 Heroku 上),则 REMOTE_ADDR 将是正确的。当请求由 HAProxy 或 NGINX 等其他服务器代理时,发出原始请求的 IP 地址将被放到 X-Forwarded-For 头部中。如果有多个代理,该头部可能包含一个 IP 列表。其他代理服务会设置 Client-Ip 头部,所以我们也会检查它。

这篇文章关于 Rails IP 欺骗 中所述,尽管列表中的第一个 IP 很可能是“起源”IP,但它也可能是客户端恶意设置的。

为了找到第一个(可能)准确的地址,我们获取 IP 列表,删除已知和受信任的代理,然后获取剩下的最后一个地址,该地址可能是由这些代理中的一个设置的。

源代码: 显示 | 在 GitHub 上

# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 127
def calculate_ip
  # Set by the Rack web server, this is a single value.
  remote_addr = ips_from(@req.remote_addr).last

  # Could be a CSV list and/or repeated headers that were concatenated.
  client_ips    = ips_from(@req.client_ip).reverse!
  forwarded_ips = ips_from(@req.x_forwarded_for).reverse!

  # `Client-Ip` and `X-Forwarded-For` should not, generally, both be set. If they
  # are both set, it means that either:
  #
  # 1) This request passed through two proxies with incompatible IP header
  #     conventions.
  #
  # 2) The client passed one of `Client-Ip` or `X-Forwarded-For`
  #     (whichever the proxy servers weren't using) themselves.
  #
  # Either way, there is no way for us to determine which header is the right one
  # after the fact. Since we have no idea, if we are concerned about IP spoofing
  # we need to give up and explode. (If you're not concerned about IP spoofing you
  # can turn the `ip_spoofing_check` option off.)
  should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
  if should_check_ip && !forwarded_ips.include?(client_ips.last)
    # We don't know which came from the proxy, and which from the user
    raise IpSpoofAttackError, "IP spoofing attack?! " \
      "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " \
      "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}"
  end

  # We assume these things about the IP headers:
  #
  #     - X-Forwarded-For will be a list of IPs, one per proxy, or blank
  #     - Client-Ip is propagated from the outermost proxy, or is blank
  #     - REMOTE_ADDR will be the IP that made the request to Rack
  ips = forwarded_ips + client_ips
  ips.compact!

  # If every single IP option is in the trusted list, return the IP that's
  # furthest away
  filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr
end

to_s()

记忆 calculate_ip 返回的值,并将其返回给 ActionDispatch::Request 使用。

源代码: 显示 | 在 GitHub 上

# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 171
def to_s
  @ip ||= calculate_ip
end

实例私有方法

filter_proxies(ips)

源代码: 显示 | 在 GitHub 上

# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 191
def filter_proxies(ips) # :doc:
  ips.reject do |ip|
    @proxies.any? { |proxy| proxy === ip }
  end
end

ips_from(header)

源代码: 显示 | 在 GitHub 上

# File actionpack/lib/action_dispatch/middleware/remote_ip.rb, line 176
def ips_from(header) # :doc:
  return [] unless header
  # Split the comma-separated list into an array of strings.
  ips = header.strip.split(/[,\s]+/)
  ips.select! do |ip|
    # Only return IPs that are valid according to the IPAddr#new method.
    range = IPAddr.new(ip).to_range
    # We want to make sure nobody is sneaking a netmask in.
    range.begin == range.end
  rescue ArgumentError
    nil
  end
  ips
end