Rails: IP spoofing attack?!
One of the more terrifying Rails exceptions you could find in your error log:
ActionView::Template::Error: IP spoofing attack?! HTTP_CLIENT_IP="10.132.133.70" HTTP_X_FORWARDED_FOR="148.167.2.30"
If you Google this error, surprisingly little shows up about it. So let’s go straight to the Rails source code:
# +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
# If they are both set, it means that either:
#
# 1) This request passed through two proxies with incompatible IP header
#    conventions.
# 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
#    (whichever the proxy servers weren't using) themselves.
#
# Either way, there is no way for us to determine which header is the
# right one after the fact. Since we have no idea, if we are concerned
# about IP spoofing we need to give up and explode. (If you're not
# concerned about IP spoofing you can turn the +ip_spoofing_check+
# option off.)
should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
if should_check_ip && !forwarded_ips.include?(client_ips.last)
  # We don't know which came from the proxy, and which from the user
  raise IpSpoofAttackError, "IP spoofing attack?! " +
    "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " +
    "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}"
end
Furthermore, the Rails 2.3 release notes tell us:
The fact that Rails checks for IP spoofing can be a nuisance for sites that do heavy traffic with cell phones, because their proxies don’t generally set things up right. If that’s you, you can now set ActionController::Base.ip_spoofing_check = false to disable the check entirely.
Unless you’re doing IP-based authentication, it’s probably safe to ignore or disable this alarming exception.
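To see exactly which header combinations trip the check and what disabling it changes, here is a stand-alone re-implementation of the logic quoted above that runs without Rails. It is an added example, not Rails' own code: the header parsing, the trusted-proxy list, the final address selection and the sample environments are all my own assumptions, modelled on the snippet.

```ruby
require "ipaddr"

# Added example: a stand-alone re-implementation of the consistency check
# quoted from ActionDispatch::RemoteIp. Not Rails' own code; the parsing,
# trusted-proxy list and address selection are simplifications.
class IpSpoofAttackError < StandardError; end

# Addresses treated as our own proxies (loopback and RFC 1918 ranges).
# Assumed here; Rails lets you configure the real list.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
  .map { |cidr| IPAddr.new(cidr) }

# Split a comma/whitespace separated header into single addresses, dropping
# anything that does not parse or that smuggles in a netmask.
def ips_from(header)
  return [] unless header
  header.strip.split(/[,\s]+/).select do |ip|
    begin
      range = IPAddr.new(ip).to_range
      range.begin == range.end
    rescue ArgumentError
      false
    end
  end
end

# Raise when Client-Ip and X-Forwarded-For both name an origin and disagree,
# which is the condition the quoted snippet tests. Lists are reversed so that
# +last+ is the left-most (claimed origin) address.
def check_ip_spoofing!(env, check_ip: true)
  client_ips    = ips_from(env["HTTP_CLIENT_IP"]).reverse
  forwarded_ips = ips_from(env["HTTP_X_FORWARDED_FOR"]).reverse

  should_check_ip = check_ip && client_ips.last && forwarded_ips.last
  if should_check_ip && !forwarded_ips.include?(client_ips.last)
    raise IpSpoofAttackError, "IP spoofing attack?! " \
      "HTTP_CLIENT_IP=#{env["HTTP_CLIENT_IP"].inspect} " \
      "HTTP_X_FORWARDED_FOR=#{env["HTTP_X_FORWARDED_FOR"].inspect}"
  end
  [forwarded_ips, client_ips]
end

# Pick the client address: after the check, return the first candidate that
# is not one of our proxies, falling back to REMOTE_ADDR.
def remote_ip(env, check_ip: true)
  remote_addr = ips_from(env["REMOTE_ADDR"]).last
  forwarded_ips, client_ips = check_ip_spoofing!(env, check_ip: check_ip)
  candidates = [forwarded_ips, client_ips, remote_addr].flatten.compact
  untrusted = candidates.reject do |ip|
    TRUSTED_PROXIES.any? { |proxy| proxy.include?(IPAddr.new(ip)) }
  end
  untrusted.first || remote_addr
end

# Constructed sample Rack environments (not captured traffic).
SPOOFED_ENV = {
  "REMOTE_ADDR"          => "10.0.0.5",
  "HTTP_CLIENT_IP"       => "10.132.133.70",   # the pair from the error above
  "HTTP_X_FORWARDED_FOR" => "148.167.2.30",
}
CONSISTENT_ENV = {
  "REMOTE_ADDR"          => "10.0.0.5",
  "HTTP_CLIENT_IP"       => "203.0.113.9",
  "HTTP_X_FORWARDED_FOR" => "203.0.113.9, 10.0.0.7",   # both headers agree
}

if __FILE__ == $0
  puts remote_ip(CONSISTENT_ENV)                 # 203.0.113.9
  puts remote_ip(SPOOFED_ENV, check_ip: false)   # 148.167.2.30
  begin
    remote_ip(SPOOFED_ENV)
  rescue IpSpoofAttackError => e
    puts e.message                               # the exception from the log
  end
end
```

Running it reproduces the exception for the header pair in the log, shows that the same request resolves to the X-Forwarded-For address once the check is disabled, and shows that a request where both headers name the same origin passes untouched. If anything downstream keys authorization decisions off `remote_ip`, that second line is the behaviour you are opting into by turning the check off.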