IP Spoofing Attack

RBoy · August 11, 2017, 5:19pm

Of late after an upgrade I’ve seen a whole bunch of errors in the logs like

ActionDispatch::RemoteIp::IpSpoofAttackError (IP spoofing attack?! HTTP_CLIENT_IP="74.103.19.54" HTTP_X_FORWARDED_FOR="138.164.23.59, 46.166.148.34") /var/www/discourse/vendor/bundle/ruby/2.3.0/gems/actionpack-4.2.9/lib/action_dispatch/middleware/remote_ip.rb:125:in 'calculate_ip'

I couldn’t find anything on the discussion forum so I googled it and found this:

Am wondering if cellphone users are being impacted by this Rails IP check and if there’s some way to turn it off for discourse?

SidV · August 23, 2017, 6:40pm

Hello team.
I’ve got a lot of logs with this too:

What is about that?

I’ve got a user sending me mails because he can’t post in the forum.
He said that the forum says “an error occurs” and can’t post messages, or new threads
This is connected with this error log?

codinghorror · August 24, 2017, 3:34am

My guess is you have something configured incorrectly in your network stack for your Discourse instance? Are either of you doing any weird proxying, or anything deviating from the normal Discourse Docker setup?

SidV · August 24, 2017, 12:20pm

The setup was based on this guide.

The server is setup with multiple Discourse installs running under a single Nginx instance with separate vhosts.

For reference each vhost takes this form:

    server {
            listen 80;
            # change this
            server_name my-discourse-site.com;
            client_max_body_size 100M;
            location / {
            proxy_pass http://unix:/var/discourse/shared/*****/nginx.http.sock:;
                    proxy_set_header Host $http_host;
                    proxy_http_version 1.1;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
    }

RBoy · August 24, 2017, 4:06pm

I don’t have any of that. Just a simple single instance discourse setup with a static IP behind a firewall with a port forwarding for http and https.

riking · August 24, 2017, 5:20pm

It’s probably a client proxy adding Client-IP:, then nginx adds X-Forwarded-For, and rails takes a look and says “okay none of these agree, so I don’t know what to trust, so I may as well throw an error”.

RBoy · August 25, 2017, 10:40pm

So does that mean the users cant access the site or it’s just a warning to be ignored?

codinghorror · August 26, 2017, 12:18am

It means your networking setup is configured incorrectly, as far as Discourse goes.

RBoy · August 28, 2017, 1:23pm

Not sure that that means. It’s a standard hosted install using the Discourse install guide. Single server, single install. No proxying, just a standard NAT firewall with a HTTP/S port forwarding to the discourse VM.

Am wondering could be due to a proxy at the client end?

riking · August 28, 2017, 4:58pm

You can do this:

proxy_set_header Client-IP "";

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header

Topic		Replies	Views
Last IP address and action_dispatch.trusted_proxies Support	8	4266	March 7, 2019
Troubleshooting a 429 (rate limit) Installation	20	5603	November 9, 2018
Remote users IPV6 address shows as localhost Support	30	4665	September 13, 2020
Site is accessible on the IP address when not following th install guide Feature	18	1994	June 30, 2020
Can't get Discourse to work on different ports Installation	2	1425	March 9, 2021

IP Spoofing Attack

Related topics