Mercurial > hg > nginx-site
view xml/en/docs/http/ngx_http_realip_module.xml @ 2846:fdf1464e1977
Moved banner to the external file to make partial rollout possible.
An idea is to have several banners and show them with different probability
specified by split directive in the nginx.conf
author | Sergey Budnevitch <sb@waeme.net> |
---|---|
date | Tue, 10 May 2022 18:07:27 +0400 |
parents | 4add6ae1296f |
children |
line wrap: on
line source
<?xml version="1.0"?> <!-- Copyright (C) Igor Sysoev Copyright (C) Nginx, Inc. --> <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> <module name="Module ngx_http_realip_module" link="/en/docs/http/ngx_http_realip_module.html" lang="en" rev="8"> <section id="summary"> <para> The <literal>ngx_http_realip_module</literal> module is used to change the client address and optional port to those sent in the specified header field. </para> <para> This module is not built by default, it should be enabled with the <literal>--with-http_realip_module</literal> configuration parameter. </para> </section> <section id="example" name="Example Configuration"> <para> <example> set_real_ip_from 192.168.1.0/24; set_real_ip_from 192.168.2.1; set_real_ip_from 2001:0db8::/32; real_ip_header X-Forwarded-For; real_ip_recursive on; </example> </para> </section> <section id="directives" name="Directives"> <directive name="set_real_ip_from"> <syntax> <value>address</value> | <value>CIDR</value> | <literal>unix:</literal></syntax> <default/> <context>http</context> <context>server</context> <context>location</context> <para> Defines trusted addresses that are known to send correct replacement addresses. If the special value <literal>unix:</literal> is specified, all UNIX-domain sockets will be trusted. Trusted addresses may also be specified using a hostname (1.13.1). <note> IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1. </note> </para> </directive> <directive name="real_ip_header"> <syntax> <value>field</value> | <literal>X-Real-IP</literal> | <literal>X-Forwarded-For</literal> | <literal>proxy_protocol</literal></syntax> <default>X-Real-IP</default> <context>http</context> <context>server</context> <context>location</context> <para> Defines the request header field whose value will be used to replace the client address. </para> <para> The request header field value that contains an optional port is also used to replace the client port (1.11.0). The address and port should be specified according to <link url="https://datatracker.ietf.org/doc/html/rfc3986">RFC 3986</link>. </para> <para> The <literal>proxy_protocol</literal> parameter (1.5.12) changes the client address to the one from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link doc="ngx_http_core_module.xml" id="listen"/> directive. </para> </directive> <directive name="real_ip_recursive"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.3.0</appeared-in> <appeared-in>1.2.1</appeared-in> <para> If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the <link id="real_ip_header"/> directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field. </para> </directive> </section> <section id="variables" name="Embedded Variables"> <para> <list type="tag"> <tag-name id="var_realip_remote_addr"><var>$realip_remote_addr</var></tag-name> <tag-desc> keeps the original client address (1.9.7) </tag-desc> <tag-name id="var_realip_remote_port"><var>$realip_remote_port</var></tag-name> <tag-desc> keeps the original client port (1.11.0) </tag-desc> </list> </para> </section> </module>