Rails ActionController: Difference between request.remote_ip and request.remote_addr

In the ActionController source, local requests are defined as follows:

def local_request? #:d开发者_开发知识库oc:
    request.remote_addr == LOCALHOST && request.remote_ip == LOCALHOST
end

In my application, I want to use different logic if requests are coming from a particular IP range. What is the difference between request.remote_addr and request.remote_ip, and which one should I use?

---

I'm the author of the current implementation of remote_ip, and the other things that it does include checking for IP spoofing attacks, and correctly handling multiple X-Forwarded-For headers. There's a big caveat, though: only some Ruby web servers support multiple headers, so the value still might be wrong.

I wrote up the results from testing the most popular Ruby app servers on my blog, which you might want to check out if repeated headers matter for your application.

---

It seems to be the case that remote_addr returns the value of the REMOTE_ADDR environment variable as-is, while remote_ip will adjust this based on the presence of HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP variables as well, such as you might have when your client is being forwarded through a proxy.

That double check for local_request? is simply a way of ascertaining that the user came from a local machine, and wasn't simply forwarded from somewhere else through a local proxy.