real_ip_recursive
The `real_ip_recursive` directive enables recursive replacement of the client IP address from trusted proxies in NGINX.
Description
The real_ip_recursive directive instructs NGINX to look recursively through a list of trusted addresses for the real client IP when the X-Forwarded-For or X-Real-IP headers are present. This is particularly useful in a situation where multiple proxies are used, allowing NGINX to retrieve the originating IP address of the client. When enabled, if the header contains multiple IP addresses, NGINX will parse them and determine the client’s actual IP based on its configuration of trusted proxies.
When setting the real_ip_recursive directive to 'on', NGINX will check the header values against the specified trusted addresses and will replace the client's real IP only if it matches one of those addresses. Conversely, if the directive is set to 'off', NGINX will only use the immediate client IP address, ignoring further processing through additional proxies. This behavior is crucial in ensuring that access controls and logging accurately reflect the true client origin in distributed architectures such as load-balanced environments.
Config Example
http {
set_real_ip_from 192.168.1.0/24;
real_ip_recursive on;
}Ensure that the trusted IP addresses are correctly configured using set_real_ip_from. Improper configuration can lead to clients' IP being incorrectly identified.
In environments with multiple proxies, failing to enable this directive can result in the wrong IP being logged or used for access control.