nginx-site: xml/en/docs/http/ngx_http_proxy

Documented the "CAP_NET_RAW" capability for transparent proxying.

author	Yaroslav Zhuravlev <yar@nginx.com>
date	Tue, 26 Dec 2017 15:28:53 +0300
parents	fc3ba2e76974
children	ca7568f67dee

comparison

equal deleted inserted replaced

-:70c1e798a5c2
+:a9a9a052b5bd
 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
 <module name="Module ngx_http_proxy_module"
 link="/en/docs/http/ngx_http_proxy_module.html"
 lang="en"
-rev="63">
+rev="64">
 <section id="summary">
 <para>
 The <literal>ngx_http_proxy_module</literal> module allows passing
 for example, from a real IP address of a client:
 <example>
 proxy_bind $remote_addr transparent;
 </example>
 In order for this parameter to work,
-it is necessary to run nginx worker processes with the
+it is usually necessary to run nginx worker processes with the
-<link doc="../ngx_core_module.xml" id="user">superuser</link> privileges
+<link doc="../ngx_core_module.xml" id="user">superuser</link> privileges.
-and configure kernel routing table
+On Linux it is not required (1.13.8) as if
+the <literal>transparent</literal> parameter is specified, worker processes
+inherit the <literal>CAP_NET_RAW</literal> capability from the master process.
+It is also necessary to configure kernel routing table
 to intercept network traffic from the proxied server.
 </para>
 </directive>

Mercurial > hg > nginx-site