=encoding utf-8 =head1 NAME ngx_http_realip_module - Module ngx_http_realip_module =head1 The C module is used to change the client address and optional port to the one sent in the specified header fields. This module is not built by default, it should be enabled with the C<--with-http_realip_module> configuration parameter. =head1 Example Configuration set_real_ip_from 192.168.1.0/24; set_real_ip_from 192.168.2.1; set_real_ip_from 2001:0db8::/32; real_ip_header X-Forwarded-For; real_ip_recursive on; =head1 Directives =head2 set_real_ip_from B set_real_ip_from I< I> E I> E C> B I B I B I Defines trusted addresses that are known to send correct replacement addresses. If the special value C is specified, all UNIX-domain sockets will be trusted. B IPv6 addresses are supported starting from versions 1.3.0 and 1.2.1. =head2 real_ip_header B real_ip_header I< I> E C E C E C> B I B I B I B I Defines the request header field whose value will be used to replace the client address. The C and C parameters may contain an optional port (1.11.0). The address and port should be specified according to L. The C parameter (1.5.12) changes the client address to the one from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the C parameter in the L directive. =head2 real_ip_recursive B real_ip_recursive I E C> B I B I B I B I This directive appeared in version 1.3.0. This directive appeared in version 1.2.1. If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the L directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field. =head1 Embedded Variables =over =item C<$realip_remote_addr> keeps the original client address (1.9.7) =item C<$realip_remote_port> keeps the original client port (1.11.0) =back