Add tips for wrangling Rails 'remote IP' detection
Dev: https://dev.gitlab.org/gitlab/gitlabhq/issues/1838
Once in a while a user has a network setup where Rails (or rather Rack) incorrectly detects the remote IP of requests. This can have several unwanted consequences:
- a default remote IP of 127.0.0.1, increasing the risk of inadvertent throttling / banning of IPs by Rack::Attack
- `ActionDispatch::RemoteIp::IpSpoofAttackError` exceptions
I think we can advise people to do the following:
- Make sure your proxy (proxies) sets `X-Forwarded-For` (the default NGINX config for GitLab does this correctly nowadays). Example:

  ```nginx
  location @gitlab {
    # snip
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  ```
- If you will be accessing your GitLab server from a private network (e.g. your client is 192.168.x.y) then let your proxy set `Client-IP` in addition to `X-Forwarded-For`. Example:

  ```nginx
  location @gitlab {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Client-IP $remote_addr;
  }
  ```
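An added model (not GitLab's or Rails' own code) of the two mechanisms behind the symptoms above: the trusted-proxy filtering that turns a private-network client into 127.0.0.1, and the Client-IP / X-Forwarded-For consistency check that raises the spoof error. The class name, the sample addresses and the exact trusted ranges are assumptions that approximate the Rack and ActionDispatch::RemoteIp defaults; it lets you check what a given proxy header setup resolves to before Rack::Attack starts keying on it.

```ruby
require 'ipaddr'

# Added model (not GitLab or Rails code) of how Rack and Rails resolve the
# remote IP from REMOTE_ADDR, X-Forwarded-For and Client-IP, so a proxy
# setup can be checked before Rack::Attack starts throttling 127.0.0.1.
class RemoteIpModel
  class IpSpoofAttackError < StandardError; end

  # Loopback and RFC 1918 ranges count as proxies and are skipped (this
  # approximates the default trusted-proxy lists of Rack and
  # ActionDispatch::RemoteIp), so a 192.168.x.y client collapses to 127.0.0.1.
  TRUSTED = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7]
            .map { |cidr| IPAddr.new(cidr) }

  def initialize(remote_addr:, x_forwarded_for: nil, client_ip: nil)
    @remote_addr = remote_addr
    @xff = ips_from(x_forwarded_for)
    @client = ips_from(client_ip)
  end

  # ActionDispatch::RemoteIp's consistency check: with both headers set and
  # Client-IP absent from the X-Forwarded-For hops, the request is rejected.
  def spoof_check!
    return true if @client.empty? || @xff.empty? || @xff.include?(@client.last)
    raise IpSpoofAttackError,
          "Client-IP #{@client.last} not in X-Forwarded-For #{@xff.inspect}"
  end

  # Rack::Request#ip style resolution (what Rack::Attack keys on): an untrusted
  # REMOTE_ADDR wins, else the last untrusted X-Forwarded-For hop, else
  # REMOTE_ADDR itself, which is 127.0.0.1 behind a local NGINX.
  def rack_ip
    return @remote_addr unless trusted?(@remote_addr)
    @xff.reject { |ip| trusted?(ip) }.last || @remote_addr
  end

  private

  # Headers may be comma-separated lists; drop anything that is not an address.
  def ips_from(header)
    return [] if header.nil?
    header.split(/[,\s]+/).select { |s| (IPAddr.new(s) rescue false) }
  end

  def trusted?(ip)
    TRUSTED.any? { |range| range.include?(IPAddr.new(ip)) }
  end
end
```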
Related MR: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1328
Extra Step
Document 127.0.0.1 whitelist