We'll respond shortly.
“How can Rails’ IP spoof attack safeguards be disabled when its guesses give false positives that block out important users?”
When Rails has this safeguard in place, it may block out users behind poorly configured firewalls and some mobile devices.
The safeguard causes Rails to return a 500 and log the following message:
ActionController::ActionControllerError: IP spoofing attack?! HTTP_CLIENT_IP="16.89.XX.XXX" HTTP_X_FORWARDED_FOR="15.243.YY.YYY"
Rails 2.3 and later lets you easily disable this by overriding a setting in your
Rails::Initializer.run do |config| config.action_controller.ip_spoofing_check = false end
As always, be sure you understand the implications of disabling this security feature!