From b5673885355ca8bb1eec0298896913533eab7d73 Mon Sep 17 00:00:00 2001
From: Thomas NOEL <tnoel@entrouvert.com>
Date: Mon, 13 Apr 2020 23:49:43 +0200
Subject: [PATCH] nginx: add real-ip.conf (#41649)

---
 doc/nginx/conf.d/real-ip.conf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 doc/nginx/conf.d/real-ip.conf

diff --git a/doc/nginx/conf.d/real-ip.conf b/doc/nginx/conf.d/real-ip.conf
new file mode 100644
index 0000000..ff432bc
--- /dev/null
+++ b/doc/nginx/conf.d/real-ip.conf
@@ -0,0 +1,19 @@
+# /etc/nginx/conf.d/real-ip.conf -- see http://nginx.org/en/docs/http/ngx_http_realip_module.html
+
+# Defines trusted addresses that are known to send correct replacement
+# addresses. Here we trust all RFC1918 hosts (proxies).
+set_real_ip_from  10.0.0.0/8;
+set_real_ip_from  172.16.0.0/12;
+set_real_ip_from  192.168.0.0/16;
+
+# Defines the request header field whose value will be used to replace the
+# client address.
+real_ip_header    X-Forwarded-For;
+
+# If recursive search is disabled, the original client address that matches one
+# of the trusted addresses is replaced by the last address sent in the request
+# header field defined by the real_ip_header directive. If recursive search is
+# enabled, the original client address that matches one of the trusted
+# addresses is replaced by the last non-trusted address sent in the request
+# header field.
+real_ip_recursive on;