IP Spoofing Attack

Of late after an upgrade I’ve seen a whole bunch of errors in the logs like

    ActionDispatch::RemoteIp::IpSpoofAttackError (IP spoofing attack?! HTTP_CLIENT_IP="74.103.19.54" HTTP_X_FORWARDED_FOR="138.164.23.59, 46.166.148.34") /var/www/discourse/vendor/bundle/ruby/2.3.0/gems/actionpack-4.2.9/lib/action_dispatch/middleware/remote_ip.rb:125:in 'calculate_ip'

I couldn’t find anything on the discussion forum so I googled it and found this:

Am wondering if cellphone users are being impacted by this Rails IP check and if there’s some way to turn it off for Discourse?

Hello team.
I’ve got a lot of logs with this too:

What is that about?

I’ve got a user sending me mails because he can’t post in the forum.
He said that the forum says “an error occurs” and he can’t post messages or new threads :frowning:
Is this connected with this error log? :thinking:

My guess is you have something configured incorrectly in your network stack for your Discourse instance? Are either of you doing any weird proxying, or anything deviating from the normal Discourse Docker setup?

The setup was based on this guide.

The server is set up with multiple Discourse installs running under a single Nginx instance with separate vhosts.

For reference each vhost takes this form:

    server {
        listen 80;
        # change this
        server_name my-discourse-site.com;
        client_max_body_size 100M;
        location / {
            proxy_pass http://unix:/var/discourse/shared/*****/nginx.http.sock:;
            proxy_set_header Host $http_host;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

I don’t have any of that. Just a simple single-instance Discourse setup with a static IP behind a firewall with port forwarding for http and https.

It’s probably a client proxy adding Client-IP:, then nginx adds X-Forwarded-For, and Rails takes a look and says “okay none of these agree, so I don’t know what to trust, so I may as well throw an error”.

4 Likes

So does that mean the users can’t access the site or it’s just a warning to be ignored?

It means your networking setup is configured incorrectly, as far as Discourse goes.

Not sure what that means. It’s a standard hosted install using the Discourse install guide. Single server, single install. No proxying, just a standard NAT firewall with HTTP/S port forwarding to the Discourse VM.

Am wondering if it could be due to a proxy at the client end?

You can do this:

    proxy_set_header Client-IP "";

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header

4 Likes
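The check described in this thread, as an added example that is not part of the original posts and is not Rails' own code: a simplified model of the Client-IP versus X-Forwarded-For comparison, run on the header values from the log line in the first post, then on the same request once the proxy stops forwarding Client-IP. The names `SpoofCheckError`, `ips_from` and `client_ip` are hypothetical, and trusted-proxy filtering is left out.

```ruby
require "ipaddr"

# Simplified model of the header consistency check discussed in this thread.
# Names are hypothetical; trusted-proxy filtering is deliberately left out.
class SpoofCheckError < StandardError; end

def valid_ip?(text)
  IPAddr.new(text)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# Split a comma-separated header value into the valid IPs it contains.
def ips_from(header_value)
  header_value.to_s.split(/[,\s]+/).reject(&:empty?).select { |ip| valid_ip?(ip) }
end

# env uses Rack-style keys (HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR).
def client_ip(env)
  client_ips    = ips_from(env["HTTP_CLIENT_IP"])
  forwarded_ips = ips_from(env["HTTP_X_FORWARDED_FOR"])

  # Both headers present, but Client-IP is not one of the forwarded hops:
  # the two sources disagree, so raise instead of guessing which to trust.
  if client_ips.any? && forwarded_ips.any? && !forwarded_ips.include?(client_ips.last)
    raise SpoofCheckError,
          "HTTP_CLIENT_IP=#{env['HTTP_CLIENT_IP'].inspect} " \
          "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
  end

  # The rightmost X-Forwarded-For entry is the one appended by the nearest proxy.
  forwarded_ips.last || client_ips.last || env["REMOTE_ADDR"]
end

# Header values taken from the log line in the first post.
LOGGED = { "HTTP_CLIENT_IP" => "74.103.19.54",
           "HTTP_X_FORWARDED_FOR" => "138.164.23.59, 46.166.148.34" }.freeze

# With `proxy_set_header Client-IP "";` nginx does not pass the header to the
# proxied server, so the application sees the request without it.
STRIPPED = LOGGED.reject { |key, _| key == "HTTP_CLIENT_IP" }.freeze

if __FILE__ == $PROGRAM_NAME
  [LOGGED, STRIPPED].each do |env|
    begin
      puts "accepted, client ip = #{client_ip(env)}"
    rescue SpoofCheckError => e
      puts "rejected: #{e.message}"
    end
  end
end
```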