What is the purpose of ActionController::Rescue::local_request? returning true for 127.0.0.1 in a production environment?

If you have something like...

Apache -> Lighttpd on 127.0.0.1:8080

then you get development style error pages...

Personally I feel a lot more secure knowing that someone can't find the port that an app server is running on and go straight at it bypassing Apache running mod_security...

Is the idea that you could wget from the 127.0.0.1 on a production box to see what an error is? If that is the case, can't you just get the info from the production.log?

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails

David Heinemeier Hansson
2005-May-20 12:20 UTC
Re: ActionController::Rescue::local_request?
> Is the idea that you could wget from the 127.0.0.1 on a production
> box to see what an error is?

The idea is that you can keep one code base for both development and production. So in development you're getting in from 127.0.0.1 and see the debugging screens. From production you don't usually come from localhost, so it's not a problem.

But your setup obviously makes it a problem, but it's very easily solvable. In application.rb, just do

    def local_request?
      false
    end

Problem solved.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework

David Heinemeier Hansson wrote:

>> Is the idea that you could wget from the 127.0.0.1 on a production
>> box to see what an error is?
>
> The idea is that you can keep one code base for both development and
> production. So in development you're getting in from 127.0.0.1 and
> see the debugging screens. From production you don't usually come
> from localhost, so it's not a problem.
>
> But your setup obviously makes it a problem, but it's very easily
> solvable. In application.rb, just do
>
>     def local_request?
>       false
>     end
>
> Problem solved.
> --

I had already put it in environments/production.rb so I don't lose it in development mode and still can have the debugging screens... my question still is... when under the scenario that was obviously envisioned here would you come in from localhost when in production mode?

I can't wrap my head around what advantage you get for making 127.0.0.1 drop into a development style mode when you are running in production mode. Isn't the same info available in the production log? Is the idea you could set breakpoints to diagnose a problem on a production machine with having to switch to a development one?

Your above example removes the ability to have one code base for development and production as it makes everything production in the scenario I originally described ( or for that matter in any scenario where some installs said code... )

I keep trying to understand the thinking... feel like I'm missing out on something here... like there is a cool hidden feature to this that I'm not grasping...
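
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Rails source: a simplified Ruby model showing why every request looks local once a front proxy on the same host forwards to the app server, and how overriding local_request? changes the error page. Request, BaseController, HardenedController and the helper functions are hypothetical names, and limiting the override to production is an assumption.

```ruby
# Added illustration: a simplified model of the check discussed in this thread.
# It is not Rails source; Request, BaseController and the helpers are hypothetical.
Request = Struct.new(:remote_addr)

class BaseController
  def initialize(request, env)
    @request = request
    @env = env
  end

  # Behaviour described in the thread: a loopback peer counts as local.
  def local_request?
    @request.remote_addr == "127.0.0.1"
  end

  # Local requests get the detailed page, everyone else the generic one.
  def error_page(exception)
    return "500 Internal Server Error" unless local_request?
    "#{exception.class}: #{exception.message}"
  end
end

# Override in the spirit of the reply, limited to production (assumption)
# so that development still shows the debugging screens.
class HardenedController < BaseController
  def local_request?
    @env == "production" ? false : super
  end
end

# What the app server sees: with a front proxy on the same host the TCP peer
# is the proxy, whatever the real client address was.
def request_seen_by_app(client_ip, proxied_on_same_host:)
  Request.new(proxied_on_same_host ? "127.0.0.1" : client_ip)
end

def demo(controller_class, env, client_ip, proxied)
  req = request_seen_by_app(client_ip, proxied_on_same_host: proxied)
  controller_class.new(req, env).error_page(RuntimeError.new("db password rejected"))
end

if __FILE__ == $PROGRAM_NAME
  # 203.0.113.9 is a constructed documentation address.
  puts demo(BaseController, "production", "203.0.113.9", false)
  puts demo(BaseController, "production", "203.0.113.9", true)
  puts demo(HardenedController, "production", "203.0.113.9", true)
  puts demo(HardenedController, "development", "127.0.0.1", false)
end
```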