Determine originating IP address. REMOTE_ADDR is the standard but will fail if the user is behind a proxy. HTTP_CLIENT_IP and/or HTTP_X_FORWARDED_FOR are set by proxies so check for these before falling back to REMOTE_ADDR. HTTP_X_FORWARDED_FOR may be a comma-delimited list in the case of multiple chained proxies; the first is the originating IP.
Security note: do not use if IP spoofing is a concern for your application. Since remote_ip checks HTTP headers for addresses forwarded by proxies, the client may send any IP. remote_addr can’t be spoofed but also doesn’t work behind a proxy, since it’s always the proxy’s IP.
Source Code
# File action_controller/request.rb, line 138
def remote_ip
  return @env['HTTP_CLIENT_IP'] if @env.include? 'HTTP_CLIENT_IP'

  if @env.include? 'HTTP_X_FORWARDED_FOR' then
    remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',').reject do |ip|
      ip.strip =~ /^unknown$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\./i
    end

    return remote_ips.first.strip unless remote_ips.empty?
  end

  @env['REMOTE_ADDR']
end
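The security note in practice, as an added example that is not part of the Rails source above: the page's lookup order next to a hypothetical proxy-aware variant that only reads X-Forwarded-For when the TCP peer is a known proxy. `header_trusting_ip`, `parse_ip`, `proxy_aware_ip`, the trusted-proxy list and the sample requests are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# The lookup order shown on this page, as a standalone function over a
# Rack-style env hash.
PRIVATE_OR_UNKNOWN = /^unknown$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\./i

def header_trusting_ip(env)
  return env['HTTP_CLIENT_IP'] if env.include?('HTTP_CLIENT_IP')
  if env.include?('HTTP_X_FORWARDED_FOR')
    ips = env['HTTP_X_FORWARDED_FOR'].split(',').reject { |ip| ip.strip =~ PRIVATE_OR_UNKNOWN }
    return ips.first.strip unless ips.empty?
  end
  env['REMOTE_ADDR']
end

# Returns an IPAddr, or nil when the string is not a valid address.
def parse_ip(str)
  IPAddr.new(str.to_s)
rescue IPAddr::Error
  nil
end

# Hypothetical hardened variant (not a Rails method). Forwarded headers are
# ignored unless REMOTE_ADDR is one of our own proxies; the list is then read
# right to left and the first hop that is not a trusted proxy is returned.
# HTTP_CLIENT_IP is never consulted.
def proxy_aware_ip(env, trusted_cidrs)
  nets = trusted_cidrs.map { |cidr| IPAddr.new(cidr) }
  trusted = ->(ip) { !ip.nil? && nets.any? { |net| net.include?(ip) } }
  peer = env['REMOTE_ADDR']
  return peer unless trusted.call(parse_ip(peer))

  hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip)
  hops.reverse_each do |hop|
    ip = parse_ip(hop)
    return peer if ip.nil?             # malformed entry: fall back to the peer
    return hop unless trusted.call(ip) # first address our proxies did not add
  end
  peer
end

# Constructed sample requests using documentation-range addresses.
TRUSTED = ['10.0.0.0/8'] # assumed address range of our own proxies
DIRECT_FORGED = { 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '198.51.100.1' }
VIA_PROXY_FORGED = { 'REMOTE_ADDR' => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7' }
```

For both sample requests `header_trusting_ip` returns the client-supplied 198.51.100.1, while `proxy_aware_ip` returns 203.0.113.7, the address the connection or the trusted proxy actually observed.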