I noticed this issue as soon as I first encountered this embedding feature. After hearing that linux.do was attacked and taken down today, I felt compelled to document it here.
Discourse’s embedding (Onebox) feature sends several requests to the target website to check the site’s availability and whether it supports embedding. A sample log entry looks like this:
172.247.244.194 - "GET / HTTP/1.1" 304 0 "-" "Discourse Forum Onebox v3.3.0.beta3-dev"
In this entry, 172.247.244.194 is the IP address of your own Discourse server: Onebox fetches the target page directly from the server, not through any CDN in front of it, so the target site's access log records the real origin address.
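As an added example, not part of the original post: a small Python script that scans access-log lines for the Onebox user agent shown above and reports which client IPs (each one a Discourse server's outbound address) fetched which paths. The log lines are constructed; only the first IP and the user-agent string come from the post.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (nginx combined style). The IP 172.247.244.194
# and the Onebox user agent are taken from the post; the other entries are made up.
SAMPLE_LOG = """\
172.247.244.194 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 304 0 "-" "Discourse Forum Onebox v3.3.0.beta3-dev"
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.247.244.194 - - [01/Jan/2024:00:00:03 +0000] "GET /post/1 HTTP/1.1" 200 1024 "-" "Discourse Forum Onebox v3.3.0.beta3-dev"
"""

# Client IP, then (lazily) anything up to the quoted request line, status, size,
# referer and user agent. Also matches the shorter form quoted in the post.
LOG_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')


def is_onebox_ua(user_agent: str) -> bool:
    """True when the user agent is the one Discourse's Onebox fetcher sends."""
    return user_agent.startswith("Discourse Forum Onebox")


def find_onebox_fetches(log_text: str) -> dict:
    """Map each client IP that made Onebox requests to the list of paths it fetched.

    Every IP returned is a Discourse server's outbound address. If one of them is a
    forum you run behind a CDN, that forum's origin IP is visible to this site.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected log format
        ip, _method, path, _status, _size, _referer, ua = m.groups()
        if is_onebox_ua(ua):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_onebox_fetches(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} Onebox request(s): {', '.join(paths)}")
```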
Countermeasures:
If your origin site is robust enough and you do not mind your IP being leaked, you can simply ignore this issue.
If you need to hide your origin site’s IP, search for onebox in your admin backend settings, disable the enable inline onebox on all domains setting, and configure allowed internal hosts to include only the domains you trust. This prevents your origin site’s IP from being leaked, at the cost of embedding no longer working for any other domain.
