I host a rails app using nginx. Until I recently upgrade rails to
2.1.1, everything worked great. This update to rails included a feature
designed to stop IP spoofing attacks. The way it does it is if the
client-ip header and the forwarded-for header are both present it throws
a 500 error. Yahoo’s slurp bot uses that as well as DirecPC satellite
internet. I found a solution for Apache web servers but I can’t figure
out how to accomplish the same thing with nginx. I pasted the Apache
solution below. Any help is appreciated.
“I deploy Rails in a common Apache w/mod_proxy_balancer and Mongrel
setup. Apache uses X-Forwarded-For natively, so that’s the one I want to
trust. To make Rails happy, I’ve just told Apache to delete the
Client-IP header if present.
Adding RequestHeader unset Client-IP to the virtual host configuration
seems to do the trick.”
Thanks again,
Eric.