Mercurial > hg > nginx-site
view xml/en/docs/http/ngx_http_realip_module.xml @ 3083:3b5594157fab
Documented max_headers directive.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Fri, 24 May 2024 01:16:29 +0300 |
| parents | 4add6ae1296f |
| children |
line wrap: on
line source
<?xml version="1.0"?> <!-- Copyright (C) Igor Sysoev Copyright (C) Nginx, Inc. --> <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> <module name="Module ngx_http_realip_module" link="/en/docs/http/ngx_http_realip_module.html" lang="en" rev="8"> <section id="summary"> <para> The <literal>ngx_http_realip_module</literal> module is used to change the client address and optional port to those sent in the specified header field. </para> <para> This module is not built by default, it should be enabled with the <literal>--with-http_realip_module</literal> configuration parameter. </para> </section> <section id="example" name="Example Configuration"> <para> <example> set_real_ip_from 192.168.1.0/24; set_real_ip_from 192.168.2.1; set_real_ip_from 2001:0db8::/32; real_ip_header X-Forwarded-For; real_ip_recursive on; </example> </para> </section> <section id="directives" name="Directives"> <directive name="set_real_ip_from"> <syntax> <value>address</value> | <value>CIDR</value> | <literal>unix:</literal></syntax> <default/> <context>http</context> <context>server</context> <context>location</context> <para> Defines trusted addresses that are known to send correct replacement addresses. If the special value <literal>unix:</literal> is specified, all UNIX-domain sockets will be trusted. Trusted addresses may also be specified using a hostname (1.13.1). <note> IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1. </note> </para> </directive> <directive name="real_ip_header"> <syntax> <value>field</value> | <literal>X-Real-IP</literal> | <literal>X-Forwarded-For</literal> | <literal>proxy_protocol</literal></syntax> <default>X-Real-IP</default> <context>http</context> <context>server</context> <context>location</context> <para> Defines the request header field whose value will be used to replace the client address. </para> <para> The request header field value that contains an optional port is also used to replace the client port (1.11.0). The address and port should be specified according to <link url="https://datatracker.ietf.org/doc/html/rfc3986">RFC 3986</link>. </para> <para> The <literal>proxy_protocol</literal> parameter (1.5.12) changes the client address to the one from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link doc="ngx_http_core_module.xml" id="listen"/> directive. </para> </directive> <directive name="real_ip_recursive"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.3.0</appeared-in> <appeared-in>1.2.1</appeared-in> <para> If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the <link id="real_ip_header"/> directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field. </para> </directive> </section> <section id="variables" name="Embedded Variables"> <para> <list type="tag"> <tag-name id="var_realip_remote_addr"><var>$realip_remote_addr</var></tag-name> <tag-desc> keeps the original client address (1.9.7) </tag-desc> <tag-name id="var_realip_remote_port"><var>$realip_remote_port</var></tag-name> <tag-desc> keeps the original client port (1.11.0) </tag-desc> </list> </para> </section> </module>