Mercurial > hg > nginx-site
diff xml/en/docs/stream/ngx_stream_realip_module.xml @ 1779:ee56773d44e8
Documented ngx_stream_realip_module.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Tue, 13 Sep 2016 16:14:00 +0300 |
| parents | xml/en/docs/http/ngx_http_realip_module.xml@f855acbd0a94 |
| children |
line wrap: on
line diff
copy from xml/en/docs/http/ngx_http_realip_module.xml copy to xml/en/docs/stream/ngx_stream_realip_module.xml --- a/xml/en/docs/http/ngx_http_realip_module.xml +++ b/xml/en/docs/stream/ngx_stream_realip_module.xml @@ -1,28 +1,30 @@ <?xml version="1.0"?> <!-- - Copyright (C) Igor Sysoev Copyright (C) Nginx, Inc. --> <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> -<module name="Module ngx_http_realip_module" - link="/en/docs/http/ngx_http_realip_module.html" +<module name="Module ngx_stream_realip_module" + link="/en/docs/stream/ngx_stream_realip_module.html" lang="en" - rev="5"> + rev="1"> <section id="summary"> <para> -The <literal>ngx_http_realip_module</literal> module is used -to change the client address and optional port -to the one sent in the specified header fields. +The <literal>ngx_stream_realip_module</literal> module is used +to change the client address and port +to the ones sent in the PROXY protocol header (1.11.4). +The PROXY protocol must be previously enabled by setting the +<link doc="ngx_stream_core_module.xml" id="proxy_protocol"/> parameter +in the <literal>listen</literal> directive. </para> <para> This module is not built by default, it should be enabled with the -<literal>--with-http_realip_module</literal> +<literal>--with-stream_realip_module</literal> configuration parameter. </para> @@ -33,11 +35,11 @@ configuration parameter. <para> <example> +listen 12345 proxy_protocol; + set_real_ip_from 192.168.1.0/24; set_real_ip_from 192.168.2.1; set_real_ip_from 2001:0db8::/32; -real_ip_header X-Forwarded-For; -real_ip_recursive on; </example> </para> @@ -52,74 +54,14 @@ real_ip_recursive on; <value>CIDR</value> | <literal>unix:</literal></syntax> <default/> -<context>http</context> +<context>stream</context> <context>server</context> -<context>location</context> <para> Defines trusted addresses that are known to send correct replacement addresses. If the special value <literal>unix:</literal> is specified, all UNIX-domain sockets will be trusted. -<note> -IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1. -</note> -</para> - -</directive> - - -<directive name="real_ip_header"> -<syntax> - <value>field</value> | - <literal>X-Real-IP</literal> | - <literal>X-Forwarded-For</literal> | - <literal>proxy_protocol</literal></syntax> -<default>X-Real-IP</default> -<context>http</context> -<context>server</context> -<context>location</context> - -<para> -Defines the request header field -whose value will be used to replace the client address. -</para> - -<para> -The <literal>X-Real-IP</literal> and <literal>X-Forwarded-For</literal> -parameters may contain an optional port (1.11.0). -The address and port should be specified according to -<link url="http://tools.ietf.org/html/3986">RFC 3986</link>. -</para> - -<para> -The <literal>proxy_protocol</literal> parameter (1.5.12) changes -the client address to the one from the PROXY protocol header. -The PROXY protocol must be previously enabled by setting the -<literal>proxy_protocol</literal> parameter -in the <link doc="ngx_http_core_module.xml" id="listen"/> directive. -</para> - -</directive> - - -<directive name="real_ip_recursive"> -<syntax><literal>on</literal> | <literal>off</literal></syntax> -<default>off</default> -<context>http</context> -<context>server</context> -<context>location</context> -<appeared-in>1.3.0</appeared-in> -<appeared-in>1.2.1</appeared-in> - -<para> -If recursive search is disabled, the original client address that -matches one of the trusted addresses is replaced by the last -address sent in the request header field defined by the -<link id="real_ip_header"/> directive. -If recursive search is enabled, the original client address that -matches one of the trusted addresses is replaced by the last -non-trusted address sent in the request header field. </para> </directive> @@ -134,12 +76,12 @@ non-trusted address sent in the request <tag-name id="var_realip_remote_addr"><var>$realip_remote_addr</var></tag-name> <tag-desc> -keeps the original client address (1.9.7) +keeps the original client address </tag-desc> <tag-name id="var_realip_remote_port"><var>$realip_remote_port</var></tag-name> <tag-desc> -keeps the original client port (1.11.0) +keeps the original client port </tag-desc> </list>