Module ngx_http_realip

Module ngx_http_realip_module

english
русский

简体中文
עברית
日本語
türkçe

news
about
download
security advisories
documentation
pgp keys
faq
links
books
support
donation

trac
wiki
twitter
nginx.com

Example Configuration
Directives
     set_real_ip_from
     real_ip_header
     real_ip_recursive

The ngx_http_realip_module module allows to change the client address to the one sent in the specified header field.

This module is not built by default, it should be enabled with the --with-http_realip_module configuration parameter.

Example Configuration

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

Directives

syntax:	`set_real_ip_from address \| CIDR \| unix:;`
default:	—
context:	`http`, `server`, `location`

Defines trusted addresses that are known to send correct replacement addresses. If the special value unix: is specified, all UNIX-domain sockets will be trusted.

IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1.

syntax:	`real_ip_header field \| X-Real-IP \| X-Forwarded-For;`
default:	real_ip_header X-Real-IP;
context:	`http`, `server`, `location`

Defines a request header field used to send the address for a replacement.

syntax:	`real_ip_recursive on \| off;`
default:	real_ip_recursive off;
context:	`http`, `server`, `location`

This directive appeared in versions 1.3.0 and 1.2.1.

If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the real_ip_header directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.