Remote address logging broken from private IP. Requesting trusted proxies configurability fixes merged into 3-2-stable.

I’m wondering if it would be possible to add these two commits to 3-2-stable.

https://github.com/rails/rails/commit/641359e54aa34291d9bf1361c4979080a471862d

https://github.com/rails/rails/commit/275c3a1cb3d0f38d1a28b1a8d6145a4d7e379acc

These commits fix a bug for me, where the IP address of my end-user clients are not correctly returned by the remote_ip method. This is because I am using a thin+pound load balancing setup and rails 3-2-stable assumes that clients with a private IP address, contained in the X-Forwarded-For header, are “trusted proxies” and are thus ignored. This causes a request’s originating IP to be returned as ‘127.0.0.1’ (i.e., local pound webserver) instead of the actual, private IP address of the end-user.

To get around this problem, I currently have the above commits monkey-patched into my rails 3.2.3 project as initializers, and I have this in my application.rb config.action_dispatch.trusted_proxies = /^127.0.0.1$/

This seems like a bug to me, at least for anyone serving a rails app to private IP addresses, which I realize is not the most common case but I imagine I’m not the only one doing it. It may be worth noting that this is NOT how rails behaved for me before the 3.1 release. So it would be nice if this behavior was at least configurably fixable in the 3-2-stable branch in time for 3.2.4.

This problem also affects logging and Rack::Request. Please see the following issue, which there is currently not an official fix for that I am aware of.

https://github.com/rails/rails/issues/5223

Thanks.