The issue was that Rails treats any 192.168.x.x address as a private address (and therefore as a trusted proxy), so it strips them from the X-Forwarded-For header.
    # IP addresses that are "trusted proxies" that can be stripped from
    # the comma-delimited list in the X-Forwarded-For header. See also:
    # http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
    TRUSTED_PROXIES = %r{
      ^127\.0\.0\.1$                | # localhost
      ^(10                          | # private IP 10.x.x.x
        172\.(1[6-9]|2[0-9]|3[0-1]) | # private IP in the range 172.16.0.0 .. 172.31.255.255
        192\.168                      # private IP 192.168.x.x
       )\.
    }x
See the relevant Rails source here and here.
One solution is to add this to your config/application.rb:

    config.action_dispatch.trusted_proxies = /^127\.0\.0\.1$/ # localhost
That way, IPs on your local network will not be replaced by '127.0.0.1'.
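
The effect of the two patterns, as an added Ruby example that is not from the original post or from Rails: client_ip is a hypothetical, simplified model of the selection (strip trusted entries from X-Forwarded-For, take the last one left, else fall back to REMOTE_ADDR), and the header values are constructed samples.

```ruby
# Simplified model (an assumption, not Rails' own code) of how the remote IP
# is chosen: drop every X-Forwarded-For entry matching the trusted-proxy
# pattern, take the last entry left, otherwise fall back to REMOTE_ADDR.

# Default pattern quoted on this page.
DEFAULT_TRUSTED = %r{
  ^127\.0\.0\.1$                | # localhost
  ^(10                          | # private IP 10.x.x.x
    172\.(1[6-9]|2[0-9]|3[0-1]) | # private IP in the range 172.16.0.0 .. 172.31.255.255
    192\.168                      # private IP 192.168.x.x
   )\.
}x

# Pattern from the config/application.rb override on this page.
LOCALHOST_ONLY = /^127\.0\.0\.1$/

# Hypothetical helper: returns the address the application would log.
def client_ip(forwarded_for, remote_addr, trusted)
  hops = forwarded_for.to_s.strip.split(/[,\s]+/)
  untrusted = hops.reject { |ip| ip =~ trusted }
  untrusted.last || remote_addr
end

# Constructed samples: [X-Forwarded-For, REMOTE_ADDR]. REMOTE_ADDR is a
# reverse proxy on the same host in both cases.
SAMPLES = [
  ["192.168.1.23",          "127.0.0.1"], # client on the local network
  ["203.0.113.7, 10.0.0.5", "127.0.0.1"]  # public client via an internal proxy
].freeze

SAMPLES.each do |xff, remote|
  puts format("%-24s default=%-14s localhost_only=%s",
              xff,
              client_ip(xff, remote, DEFAULT_TRUSTED),
              client_ip(xff, remote, LOCALHOST_ONLY))
end
```

The second sample shows the trade-off of the localhost-only setting: an internal proxy hop such as 10.0.0.5 is no longer stripped and is reported as the client, so the pattern should also match the addresses of the proxies you actually run.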