我有一个Rails应用程序在Docker容器中运行,该容器被分配了一个ip 172.17.0.3.对主机51.x.x.x的传入请求将转发到172.17.0.3中的rails应用程序.更具体地说,这样做是这样的:
docker run -p 8080:8080 rails_app
但是,Rails应用程序抛出当用户尝试访问某些页面时无法验证CSRF令牌真实性错误.我怀疑Rails认为传入的请求是攻击,因为目标的ip与Rails应用程序的ip不匹配 – 即用户请求被定向到主机51.xxx,而Rails实际位置是172.17 .0.3
有什么方法让我告诉Rails这些请求是合法的吗?作为附加信息,我使用devise进行身份验证,将unicorn用作服务器.
你们中的一些人可能会建议用::: exception to:null_session更改protect_from_forgery,但是当没有放在代理后面时应用程序工作正常.此外,当我改变那部分时,一些逻辑将不起作用,因为我认为设置会混淆用户会话的处理方式.
这是我的网络布局:
(user from public network) ----> (proxy) ----> (rails app on a private network)
(202.x.x.x) (51.x.x.x) (172.x.x.x)
编辑:
该应用程序处于开发设置中.这是我在log / development.log文件中得到的错误.
Started POST "/register" for 202.x.x.x at 2014-11-18 02:27:11 +0000
Processing by UsersController#create as HTML
Parameters: {"utf8"=>"✓","authenticity_token"=>"aBG3nIAKK1ALMJ1DDYFlMkmqISMBMZc3iLmaeD2byG8=","user"=>{"email"=>"email@gmail.com","password"=>"[FILTERED]","password_confirmation"=>"[FILTERED]"}}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 2ms
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:176:in `handle_unverified_request'
actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:202:in `handle_unverified_request'
devise (3.4.0) lib/devise/controllers/helpers.rb:251:in `handle_unverified_request'
actionpack (4.1.4) lib/action_controller/Metal/request_forgery_protection.rb:197:in `verify_authenticity_token'
activesupport (4.1.4) lib/active_support/callbacks.rb:424:in `block in make_lambda'
activesupport (4.1.4) lib/active_support/callbacks.rb:160:in `call'
activesupport (4.1.4) lib/active_support/callbacks.rb:160:in `block in halting'
activesupport (4.1.4) lib/active_support/callbacks.rb:166:in `call'
activesupport (4.1.4) lib/active_support/callbacks.rb:166:in `block in halting'
activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `call'
activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `call'
activesupport (4.1.4) lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
activesupport (4.1.4) lib/active_support/callbacks.rb:86:in `run_callbacks'
actionpack (4.1.4) lib/abstract_controller/callbacks.rb:19:in `process_action'
actionpack (4.1.4) lib/action_controller/Metal/rescue.rb:29:in `process_action'
actionpack (4.1.4) lib/action_controller/Metal/instrumentation.rb:31:in `block in process_action'
activesupport (4.1.4) lib/active_support/notifications.rb:159:in `block in instrument'
activesupport (4.1.4) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
activesupport (4.1.4) lib/active_support/notifications.rb:159:in `instrument'
actionpack (4.1.4) lib/action_controller/Metal/instrumentation.rb:30:in `process_action'
actionpack (4.1.4) lib/action_controller/Metal/params_wrapper.rb:250:in `process_action'
activerecord (4.1.4) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
actionpack (4.1.4) lib/abstract_controller/base.rb:136:in `process'
actionview (4.1.4) lib/action_view/rendering.rb:30:in `process'
actionpack (4.1.4) lib/action_controller/Metal.rb:196:in `dispatch'
actionpack (4.1.4) lib/action_controller/Metal/rack_delegation.rb:13:in `dispatch'
actionpack (4.1.4) lib/action_controller/Metal.rb:232:in `block in action'
actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:82:in `call'
actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:82:in `dispatch'
actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:50:in `call'
actionpack (4.1.4) lib/action_dispatch/routing/mapper.rb:45:in `call'
actionpack (4.1.4) lib/action_dispatch/journey/router.rb:71:in `block in call'
actionpack (4.1.4) lib/action_dispatch/journey/router.rb:59:in `each'
actionpack (4.1.4) lib/action_dispatch/journey/router.rb:59:in `call'
actionpack (4.1.4) lib/action_dispatch/routing/route_set.rb:678:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
warden (1.2.3) lib/warden/manager.rb:35:in `block in call'
warden (1.2.3) lib/warden/manager.rb:34:in `catch'
warden (1.2.3) lib/warden/manager.rb:34:in `call'
rack (1.5.2) lib/rack/etag.rb:23:in `call'
rack (1.5.2) lib/rack/conditionalget.rb:35:in `call'
rack (1.5.2) lib/rack/head.rb:11:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/flash.rb:254:in `call'
rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.1.4) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.1.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:621:in `call'
activerecord (4.1.4) lib/active_record/migration.rb:380:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.1.4) lib/active_support/callbacks.rb:82:in `run_callbacks'
actionpack (4.1.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.1.4) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.1.4) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.1.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.1.4) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.1.4) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.1.4) lib/rails/rack/logger.rb:20:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.2) lib/rack/runtime.rb:17:in `call'
activesupport (4.1.4) lib/active_support/cache/strategy/local_cache_middleware.rb:26:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
actionpack (4.1.4) lib/action_dispatch/middleware/static.rb:64:in `call'
rack-cors (0.2.9) lib/rack/cors.rb:54:in `call'
rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
railties (4.1.4) lib/rails/engine.rb:514:in `call'
railties (4.1.4) lib/rails/application.rb:144:in `call'
rack (1.5.2) lib/rack/lint.rb:49:in `_call'
rack (1.5.2) lib/rack/lint.rb:37:in `call'
rack (1.5.2) lib/rack/showexceptions.rb:24:in `call'
rack (1.5.2) lib/rack/commonlogger.rb:33:in `call'
sinatra (1.4.5) lib/sinatra/base.rb:217:in `call'
rack (1.5.2) lib/rack/chunked.rb:43:in `call'
rack (1.5.2) lib/rack/content_length.rb:14:in `call'
unicorn (4.8.3) lib/unicorn/http_server.rb:576:in `process_client'
unicorn (4.8.3) lib/unicorn/http_server.rb:670:in `worker_loop'
unicorn (4.8.3) lib/unicorn/http_server.rb:525:in `spawn_missing_workers'
unicorn (4.8.3) lib/unicorn/http_server.rb:140:in `start'
unicorn (4.8.3) bin/unicorn:126:in `required)>'
最佳答案
从粗略阅读’protect_from_forgery method‘,我们发现以下内容:
def protect_from_forgery(options = {})
self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
self.request_forgery_protection_token ||= :authenticity_token
prepend_before_action :verify_authenticity_token,options
append_after_action :verify_same_origin_request
end
其中有一个名为’verify_authenticity_token‘的前动作回调.如果我们查看其来源,我们会发现以下内容:
def verify_authenticity_token
mark_for_same_origin_verification!
if !verified_request?
logger.warn "Can't verify CSRF token authenticity" if logger
handle_unverified_request
end
end
从那里我们注意到它叫’verified_request?‘.
def verified_request?
!protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end
鉴于提出的例外的性质,我认为这些条件中的一个或多个未得到满足.我不认为它与IP寻址有任何关系.