The implementation of rails' AbstractRequest.remote_ip returns the HTTP_CLIENT_IP if it's populated, which when there is a proxy (apache) in front of rails, the client ip is 127.0.0.1. I would think rails should check the HTTP_X_FORWARDED_FOR first, then fall back to the HTTP_CLIENT_IP. For now, I've added a check for the HTTP_X_FORWARDED_FOR first, then fall back to the remote_ip method call. --- src/config/initializers/warden.rb | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/config/initializers/warden.rb b/src/config/initializers/warden.rb index de391a5..2298b97 100644 --- a/src/config/initializers/warden.rb +++ b/src/config/initializers/warden.rb @@ -63,7 +63,8 @@ Warden::Strategies.add(:database) do login, password = get_credentials return unless login && password Rails.logger.debug("Warden is authenticating #{login} against database") - u = User.authenticate(login, password, request.remote_ip) + ipaddress = request.env[ 'HTTP_X_FORWARDED_FOR' ] ? request.env[ 'HTTP_X_FORWARDED_FOR' ] : request.remote_ip + u = User.authenticate(login, password, ipaddress) u ? success!(u) : fail!("Username or password is not correct - could not log in") end end
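Review bot: the added `ipaddress = request.env[ 'HTTP_X_FORWARDED_FOR' ] ? ... : request.remote_ip` line passes the raw header value to `User.authenticate` without any validation, and that header is supplied by whoever sent the request: a proxy in front of Rails typically appends the connecting address to an existing X-Forwarded-For rather than replacing it, so the value can be a comma-separated list of several addresses, the earliest of which were chosen by the client, not observed by the proxy. Whatever `User.authenticate` does with the address (audit logging, per-IP throttling or lockout) therefore acts on untrusted input, and a multi-address string is not even a single IP. Prefer to leave `request.remote_ip` as the single source of the client address and fix the trust problem at the proxy (stop it from setting Client-IP, or configure Rails to treat the proxy as trusted so `remote_ip` resolves X-Forwarded-For itself); if the header must be read here, take only the address appended by the trusted proxy (the last entry in the list), reject values that do not parse as an IP, and fall back to `request.remote_ip`. Minor style: `request.env['HTTP_X_FORWARDED_FOR'] || request.remote_ip` says the same thing as the ternary without the padded brackets.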
aeolus-devel@lists.fedorahosted.org