Issue Description
sentry-ruby/lib/sentry/utils/real_ip.rb - Sentry::Utils::RealIp.initialize prepends a list of standard local and private IP blocks (LOCAL_ADDRESSES) to the supplied trusted_proxies.
The combined list is later used to determine the client's real IP by eliminating trusted proxies.
When hosting on a cloud provider and accessing from a client behind a firewall, this is fine - "user" will be the client's firewall LAN IP.
However, if hosting on the same LAN as the client, the client's IP will be filtered out. It's possible all candidate IPs will be filtered out in some situations.
Reproduction Steps
Set up a Rails app server, a reverse proxy, and a client all on the same LAN using one of the standard private CIDR blocks.
Configure the Rails app with sentry-rails and set config.action_dispatch.trusted_proxies to include only the IP of the reverse proxy.
Expected Behavior
The same behavior as Rails 7.1: If config.action_dispatch.trusted_proxies is set, the default list is replaced.
This allows the app to be more selective in which IPs it discards when choosing what IP to report as the client's.
(Note: config.action_dispatch.trusted_proxies now only accepts an enumerable and always replaces the hard-coded default.)
Actual Behavior
Sentry::Utils::RealIp.initialize will be called with the list of trusted_proxies from the ActionDispatch configuration, but these will be supplemented by the static LOCAL_ADDRESSES.
Since all LAN IPs will be matched by that list, Sentry will not see the client's real IP.
Ruby Version
3.1.6
SDK Version
5.19
Integration and Its Version
Rails
Sentry Config
The only relevant setting: send_default_pii = true
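The difference between prepending and replacing the default list can be reproduced without Rails or Sentry. The following is an added example, not code from the issue or from sentry-ruby: `PRIVATE_BLOCKS`, `trusted_list`, `client_ip`, `demo` and the addresses are hypothetical, and the resolver is a simplified model that returns nil when every candidate is filtered out.

```ruby
require "ipaddr"

# Constructed IPv4 stand-in for the loopback/private defaults the issue calls
# LOCAL_ADDRESSES (an illustrative subset, not copied from sentry-ruby).
PRIVATE_BLOCKS = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                 .map { |cidr| IPAddr.new(cidr) }.freeze

# :prepend_defaults models the behaviour reported in the issue;
# :replace_defaults models the behaviour the issue expects.
def trusted_list(configured, mode)
  nets = configured.map { |cidr| IPAddr.new(cidr) }
  mode == :prepend_defaults ? PRIVATE_BLOCKS + nets : nets
end

# Simplified resolver (assumption): candidates are the X-Forwarded-For entries
# followed by the socket peer; walk from the nearest hop outwards and return
# the first address that is not a trusted proxy, or nil if none is left.
def client_ip(forwarded_for, remote_addr, trusted)
  candidates = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  candidates << remote_addr
  ips = candidates.filter_map do |s|
    IPAddr.new(s)
  rescue IPAddr::Error
    nil # skip malformed header entries
  end
  ips.reverse.find { |ip| trusted.none? { |net| net.include?(ip) } }&.to_s
end

# Constructed scenario from the reproduction steps: proxy and client share
# 192.168.1.0/24 and only the proxy is configured as trusted.
PROXY  = "192.168.1.10"
CLIENT = "192.168.1.57"

def demo
  %i[prepend_defaults replace_defaults].to_h do |mode|
    [mode, client_ip(CLIENT, PROXY, trusted_list([PROXY], mode))]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

With replacement semantics every proxy hop has to be listed explicitly, because an unlisted private hop is then reported as the client.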