conf: realip module

angie/autoconf/http-buffers.conf

@@ -1,4 +1,6 @@
 subrequest_output_buffer_size     16k;
 client_body_buffer_size           16k;
+client_max_body_size              64k;
+
 client_header_buffer_size          4k;
 large_client_header_buffers    8  16k;

angie/autoconf/http-realip.conf.j2

@@ -0,0 +1,5 @@
+{%- set hdr = j2cfg.headers.real_ip_from or 'off' -%}
+{%- if hdr != 'off' %}
+real_ip_header {{ hdr | http_header }};
+{% include 'realip-set-from.j2inc' %}
+{%- endif %}

angie/autoconf/http-request-headers-forwarded.conf

@@ -17,8 +17,6 @@ map $remote_addr
 map $http_forwarded
     $proxy_add_forwarded
 {
-    volatile;
-
     ## if the incoming Forwarded header is syntactically valid, append to it
     "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
 

angie/autoconf/http-server-tokens.conf

@@ -0,0 +1 @@
+server_tokens off;

angie/autoconf/mail-realip.conf.j2

@@ -0,0 +1 @@
+{% include 'realip-set-from.j2inc' %}

angie/autoconf/realip-set-from.j2inc

@@ -0,0 +1,8 @@
+{%- set src = (j2cfg.trusted_sources or []) | any_to_str_list | uniq_str_list | ngx_esc -%}
+{%- if src %}
+  {%- for s in src %}
+set_real_ip_from {{ s }};
+  {%- endfor %}
+{%- else %}
+set_real_ip_from unix: ;
+{%- endif %}

angie/autoconf/stream-realip.conf.j2

@@ -0,0 +1 @@
+{% include 'realip-set-from.j2inc' %}

angie/j2cfg.yml

@@ -58,3 +58,15 @@ tls:
       dhparam: tls/dh1024.pem
       session_tickets: off
       session_timeout: 1d
+
+## well-known values are:
+## - 'off'             - don't use "realip" module
+## - 'proxy_protocol'  - get information from PROXY protocol if listen directive has "proxy_protocol" option
+## - 'X-Forwarded-For' - get information from 'X-Forwarded-For' header
+## - 'X-Real-IP'       - get information from 'X-Real-IP' header
+## any other value will be treated as uncommon (but valid?) header
+real_ip_from: off
+## list of trusted sources to be used in "realip" module
+## ref: https://en.angie.software/angie/docs/configuration/modules/http/http_realip/
+## if empty, defaults to "unix:"
+trusted_sources: []