Path: blob/main/xml/en/docs/http/ngx_http_realip_module.xml
<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_realip_module"
        link="/en/docs/http/ngx_http_realip_module.html"
        lang="en"
        rev="8">

<section id="summary">

<para>
The <literal>ngx_http_realip_module</literal> module is used
to change the client address and optional port
to those sent in the specified header field.
</para>

<para>
This module is not built by default, it should be enabled with the
<literal>--with-http_realip_module</literal>
configuration parameter.
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 2001:0db8::/32;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
</example>
</para>

</section>


<section id="directives" name="Directives">

<directive name="set_real_ip_from">
<syntax>
<value>address</value> |
<value>CIDR</value> |
<literal>unix:</literal></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>

<para>
Defines trusted addresses that are known to send correct
replacement addresses.
If the special value <literal>unix:</literal> is specified,
all UNIX-domain sockets will be trusted.
Trusted addresses may also be specified using a hostname (1.13.1).
<note>
IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1.
</note>
</para>

</directive>


<directive name="real_ip_header">
<syntax>
<value>field</value> |
<literal>X-Real-IP</literal> |
<literal>X-Forwarded-For</literal> |
<literal>proxy_protocol</literal></syntax>
<default>X-Real-IP</default>
<context>http</context>
<context>server</context>
<context>location</context>

<para>
Defines the request header field
whose value will be used to replace the client address.
</para>

<para>
The request header field value that contains an optional port
is also used to replace the client port (1.11.0).
The address and port should be specified according to
<link url="https://datatracker.ietf.org/doc/html/rfc3986">RFC 3986</link>.
</para>

<para>
The <literal>proxy_protocol</literal> parameter (1.5.12) changes
the client address to the one from the PROXY protocol header.
The PROXY protocol must be previously enabled by setting the
<literal>proxy_protocol</literal> parameter
in the <link doc="ngx_http_core_module.xml" id="listen"/> directive.
</para>

</directive>


<directive name="real_ip_recursive">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
<context>location</context>
<appeared-in>1.3.0</appeared-in>
<appeared-in>1.2.1</appeared-in>

<para>
If recursive search is disabled, the original client address that
matches one of the trusted addresses is replaced by the last
address sent in the request header field defined by the
<link id="real_ip_header"/> directive.
If recursive search is enabled, the original client address that
matches one of the trusted addresses is replaced by the last
non-trusted address sent in the request header field.
</para>

</directive>

</section>


<section id="variables" name="Embedded Variables">

<para>
<list type="tag">

<tag-name id="var_realip_remote_addr"><var>$realip_remote_addr</var></tag-name>
<tag-desc>
keeps the original client address (1.9.7)
</tag-desc>

<tag-name id="var_realip_remote_port"><var>$realip_remote_port</var></tag-name>
<tag-desc>
keeps the original client port (1.11.0)
</tag-desc>

</list>
</para>

</section>

</module>
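The selection rule described under `real_ip_recursive`, modelled in Python as an added example (it is not nginx source code and not part of the original documentation). The names `real_ip` and `is_trusted` and the sample addresses are constructed for illustration, the trusted list is the one from the example configuration on this page, and ports in header values are not handled.

```python
import ipaddress

# Trusted proxies, copied from the example configuration on this page.
TRUSTED = ["192.168.1.0/24", "192.168.2.1", "2001:0db8::/32"]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside any set_real_ip_from entry."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(t, strict=False) for t in trusted)
    return any(ip.version == n.version and ip in n for n in nets)


def real_ip(peer, header, recursive, trusted=TRUSTED):
    """Model of the address the module would report for one request.

    peer      -- address of the TCP peer (the original client address)
    header    -- value of the field named by real_ip_header
    recursive -- value of real_ip_recursive
    """
    addr = peer
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # The header is consulted only while the current address is trusted.
    while hops and is_trusted(addr, trusted):
        candidate = hops.pop()          # walk the list right to left
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                       # unparsable entry: keep what we have
        addr = candidate
        if not recursive:
            break                       # off: always the last address
    return addr


# Constructed sample: client -> edge proxy 192.168.2.1 -> proxy 192.168.1.10.
# The leftmost entry is whatever the client chose to send.
SAMPLE = "203.0.113.7, 198.51.100.23, 192.168.2.1"

if __name__ == "__main__":
    print(real_ip("192.168.1.10", SAMPLE, recursive=False))
    print(real_ip("192.168.1.10", SAMPLE, recursive=True))
    print(real_ip("198.51.100.99", SAMPLE, recursive=True))
```

With two trusted proxies in the path, `real_ip_recursive off` yields the inner proxy's own address, while `on` yields the first address that no trusted proxy vouches for; the client-supplied leftmost entry is never selected in this sample, and a request from an untrusted peer keeps its connection address.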