--- /dev/null
+# RFC 7239 Forwarded header for Nginx proxy_pass
+
+# Add within your server or location block:
+# proxy_set_header forwarded "$proxy_forwarded;secret=\"YOUR SECRET\"";
+
+# Configure your upstream web server to identify this proxy by that password
+# because otherwise anyone on the Internet could spoof these headers and fake
+# their real IP address and other information to your service.
+
+
+# Provide the full proxy chain in $proxy_forwarded
+map $proxy_add_forwarded $proxy_forwarded {
+ default "$proxy_add_forwarded;by=\"_$hostname\";proto=$scheme;host=\"$http_host\";path=\"$request_uri\"";
+}
+
+# The following mappings are based on
+# https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+map $remote_addr $proxy_forwarded_elem {
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+}
+
projects / nutratech / vps-root.git / commitdiff