15

In the ActionController source, local requests are defined as follows:

def local_request? #:doc:
    request.remote_addr == LOCALHOST && request.remote_ip == LOCALHOST
end

In my application, I want to use different logic if requests are coming from a particular IP range. What is the difference between request.remote_addr and request.remote_ip, and which one should I use?

jrdioko

2 Answers

17

I'm the author of the current implementation of remote_ip, and the other things that it does include checking for IP spoofing attacks, and correctly handling multiple X-Forwarded-For headers. There's a big caveat, though: only some Ruby web servers support multiple headers, so the value still might be wrong.

I wrote up the results from testing the most popular Ruby app servers on my blog, which you might want to check out if repeated headers matter for your application.

indirect
11

It seems to be the case that remote_addr returns the value of the REMOTE_ADDR environment variable as-is, while remote_ip will adjust this based on the presence of HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP variables as well, such as you might have when your client is being forwarded through a proxy.

That double check for local_request? is simply a way of ascertaining that the user came from a local machine, and wasn't simply forwarded from somewhere else through a local proxy.

tadman
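
The distinction both answers describe, applied to the question's IP-range check, as an added example that is not from either answer and is not Rails's own implementation. It assumes a hypothetical set of trusted proxies and a constructed office range, and uses the forwarded header only when the socket peer (what remote_addr reports) is one of those proxies.

```ruby
require "ipaddr"

# Assumptions for this example: the proxies we operate and the range we care about.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.1"), IPAddr.new("10.0.0.0/8")].freeze
OFFICE_RANGE    = IPAddr.new("203.0.113.0/24") # constructed sample range

# Parse a single address; nil for empty, malformed or CIDR-style input.
def parse_ip(str)
  s = str.to_s.strip
  return nil if s.empty? || s.include?("/")
  IPAddr.new(s)
rescue IPAddr::Error
  nil
end

# Family check first, so an IPv6 address is never compared with an IPv4 range.
def in_net?(net, ip)
  ip.family == net.family && net.include?(ip)
end

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| in_net?(net, ip) }
end

# peer: socket address (REMOTE_ADDR). forwarded_for: X-Forwarded-For value,
# a String, or an Array of Strings when the header was repeated.
def client_ip(peer, forwarded_for)
  peer_ip = parse_ip(peer)
  return nil unless peer_ip
  # Any client can send X-Forwarded-For, so the header counts only when the
  # connection itself comes from one of our proxies.
  return peer_ip unless trusted_proxy?(peer_ip)

  chain = Array(forwarded_for).flat_map { |v| v.split(",") }.map { |s| parse_ip(s) }
  # Right to left: our proxies appended the rightmost entries; the first
  # untrusted hop is the last address they vouch for.
  chain.reverse_each do |ip|
    return nil if ip.nil?          # unparsable hop: fail closed
    return ip unless trusted_proxy?(ip)
  end
  peer_ip
end

def from_office?(peer, forwarded_for)
  ip = client_ip(peer, forwarded_for)
  !ip.nil? && in_net?(OFFICE_RANGE, ip)
end
```
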