Rack and trusted IPs
I'm not a Rack expert, so I didn't understand one thing that appeared in the Rack 1.4 source code:

```ruby
def trusted_proxy?(ip)
  ip =~ /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|^::1$|^fd[0-9a-f]{2}:.+|^localhost$/i
end

def ip
  remote_addrs = @env['REMOTE_ADDR'] ? @env['REMOTE_ADDR'].split(/[,\s]+/) : []
  remote_addrs.reject! { |addr| trusted_proxy?(addr) }

  return remote_addrs.first if remote_addrs.any?

  forwarded_ips = @env['HTTP_X_FORWARDED_FOR'] ? @env['HTTP_X_FORWARDED_FOR'].strip.split(/[,\s]+/) : []

  if client_ip = @env['HTTP_CLIENT_IP']
    # If forwarded_ips doesn't include the client_ip, it might be an
    # ip spoofing attempt, so we ignore HTTP_CLIENT_IP
    return client_ip if forwarded_ips.include?(client_ip)
  end

  return forwarded_ips.reject { |ip| trusted_proxy?(ip) }.last || @env["REMOTE_ADDR"]
end
```

`trusted_proxy?` seems to return if the address belongs to a local network (or even my own computer).

Does it reject `trusted_ips` with `forwarded_ips` because it seems that I'm forging an IP doing a request from outside when I'm inside a network?

The `trusted_proxy?` returns true if it's trusted, and yes, it appears that it only returns true if it's a local address - something with 10.xxx or 172.xxx, the loopback address (127.0.0.1), or `localhost`, etc.

Below that, it has `remote_addrs.reject!` which takes a collection, and removes from that collection anything that is `true` in the block. Imagine you have a collection of IP addresses (a mix of local and remote) - what that block does is take that list of IP addresses and reject any that return true through the `trusted_proxy?` method, therefore all you have left over are the remote addresses.

To say it another way, it takes a list of IP addresses and rejects the local ones, leaving you with only remote IPs.

The `forwarded_ips` are picked up based on the info in the header, `HTTP_X_FORWARDED_FOR`, etc.

Finally, the block that starts with `if client_ip` returns `true` if the list of `forwarded_ips` includes the `client_ip`, and `false` otherwise.

Overall, and I'm guessing a bit on this last part, but I think the purpose of the `ip` method is to ultimately return the IP address of the connection, or something, if and only if it's a trusted IP that doesn't otherwise appear to be a spoofing attempt. Like I said I'm not really sure on that, but the `ip` method appears to be acting as a series of filters on the input to give you back something useful within the scope of the purpose of that method.
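
The order in which the quoted `ip` method consults `REMOTE_ADDR`, `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` can be traced with the following added example, which is not part of the original post or of Rack itself. `resolve_ip`, `TRUSTED` and `CASES` are hypothetical names, and the request environments are constructed from documentation address ranges.

```ruby
# Standalone re-statement of the Rack 1.4 logic quoted above (not Rack's API).
TRUSTED = /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|^::1$|^fd[0-9a-f]{2}:.+|^localhost$/i

def trusted_proxy?(ip)
  !!(ip =~ TRUSTED)
end

# Hypothetical helper: returns [address, branch] so each decision is visible.
def resolve_ip(env)
  remote = env['REMOTE_ADDR'].to_s.split(/[,\s]+/)
  direct = remote.reject { |addr| trusted_proxy?(addr) }
  # 1. A non-local peer is used as-is; forwarding headers are never read.
  return [direct.first, :remote_addr] if direct.any?

  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.strip.split(/[,\s]+/)
  client_ip = env['HTTP_CLIENT_IP']
  # 2. Client-IP is honoured only when X-Forwarded-For lists the same address.
  return [client_ip, :client_ip] if client_ip && forwarded.include?(client_ip)

  # 3. Otherwise the last non-local X-Forwarded-For entry, else REMOTE_ADDR.
  hop = forwarded.reject { |addr| trusted_proxy?(addr) }.last
  hop ? [hop, :x_forwarded_for] : [env['REMOTE_ADDR'], :fallback]
end

# Constructed request environments (sample data, not captured traffic).
CASES = {
  direct_public:   { 'REMOTE_ADDR' => '203.0.113.7',
                     'HTTP_X_FORWARDED_FOR' => '198.51.100.1' },
  behind_proxy:    { 'REMOTE_ADDR' => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2' },
  client_ip_match: { 'REMOTE_ADDR' => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
                     'HTTP_CLIENT_IP' => '203.0.113.7' },
  client_ip_alone: { 'REMOTE_ADDR' => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
                     'HTTP_CLIENT_IP' => '198.51.100.9' },
  all_local:       { 'REMOTE_ADDR' => '127.0.0.1' }
}

CASES.each { |name, env| puts format('%-16s %p', name, resolve_ip(env)) }
```

The `direct_public` case shows that the forwarding headers only matter when the directly connected peer is itself a local address; otherwise `REMOTE_ADDR` wins.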