Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#44 closed enhancement (fixed)

IPv6 support for HTTP realip module

Reported by: anaconda Owned by: Ruslan Ermilov
Priority: minor Milestone:
Component: nginx-module Version: 1.1.x
Keywords: HttpRealIpModule patch Cc:
uname -a: Linux yoda.techtemple.org 2.6.35.14-96.fc14.x86_64 #1 SMP Thu Sep 1 11:59:56 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx: nginx version: nginx/1.1.6
nginx: built by gcc 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC)
nginx: TLS SNI support enabled
nginx: configure arguments: --user=nginx --group=nginx --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --with-http_ssl_module --with-http_dav_module --with-http_realip_module --with-http_gzip_static_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E --add-module=/var/r/ng/nginx/modules/nginx-dynamic-etags --add-module=/var/r/ng/nginx/modules/nginx-fancyindex

Description

The attached patch, based on r4232, implements IPv6 support for the realip HTTP module (set_real_ip_from).

Attachments (1)

nginx-realip-ipv6.patch (4.5 KB ) - added by anaconda 13 years ago.

Download all attachments as: .zip

Change History (4)

by anaconda, 13 years ago

Attachment: nginx-realip-ipv6.patch added

comment:1 by Ruslan Ermilov, 12 years ago

Owner: changed from somebody to Ruslan Ermilov
Status: newassigned

comment:2 by Ruslan Ermilov, 12 years ago

Resolution: fixed
Status: assignedclosed

In [4625/nginx]:

realip: chains of trusted proxies and IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.

Example:

real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;

comment:3 by Maxim Dounin, 12 years ago

In [4669/nginx]:

Merge of r4614, r4624-r4629, r4631: proxy recursive changes.

*) Added IPv6 and UNIX-domain socket support in "debug_connection"

directive.


*) New function ngx_http_get_forwarded_addr() to look up real client

address.

On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.


*) Realip: chains of trusted proxies and IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.


Example:

real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block. It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:

geo $test {

...
proxy 127.0.0.1;
proxy ::1;
proxy_recursive;

}

There's also a slight change in behavior. When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup. Previously, 255.255.255.255 was
used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:

geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;

Note: See TracTickets for help on using tickets.