<feed xmlns='http://www.w3.org/2005/Atom'>
<title>FreshRSS (Customized)/Docker/FreshRSS.Apache.conf, branch 1.22.1</title>
<subtitle>Customized version of FreshRSS, a self-hosted RSS feed aggregator</subtitle>
<id>https://git.rdnlsmith.com/fresh-rss-custom/atom?h=1.22.1</id>
<link rel='self' href='https://git.rdnlsmith.com/fresh-rss-custom/atom?h=1.22.1'/>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/'/>
<updated>2023-10-25T14:23:03+00:00</updated>
<entry>
<title>Use RemoteIPInternalProxy directive of remoteip Apache module (#5740)</title>
<updated>2023-10-25T14:23:03+00:00</updated>
<author>
<name>Mossroy</name>
<email>mossroy@mossroy.fr</email>
</author>
<published>2023-10-25T14:23:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=5374df384a032e91f09d53291c879ee19da99714'/>
<id>urn:sha1:5374df384a032e91f09d53291c879ee19da99714</id>
<content type='text'>
* Use RemoteIPInternalProxy directive of remoteip Apache module

instead of RemoteIPTrustedProxy directive

To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies

Fixes #5726

* One last reference forgotten

---------

Co-authored-by: Alexandre Alapetite &lt;alexandre@alapetite.fr&gt;</content>
</entry>
<entry>
<title>Rework trusted proxies (#5549)</title>
<updated>2023-07-30T10:59:18+00:00</updated>
<author>
<name>Alexandre Alapetite</name>
<email>alexandre@alapetite.fr</email>
</author>
<published>2023-07-30T10:59:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=e7689459f25663e00b4f5814a3608872ff36b582'/>
<id>urn:sha1:e7689459f25663e00b4f5814a3608872ff36b582</id>
<content type='text'>
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226

New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy

New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.

Current working setups should not observe any significant change.

* Minor whitespace

* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357

* Minor readme</content>
</entry>
<entry>
<title>Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516) (#5523)</title>
<updated>2023-07-16T12:50:42+00:00</updated>
<author>
<name>otaconix</name>
<email>stefanhetzwaantje@gmail.com</email>
</author>
<published>2023-07-16T12:50:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=a066be93b0dbb70ead9b7ab758c332b764b98400'/>
<id>urn:sha1:a066be93b0dbb70ead9b7ab758c332b764b98400</id>
<content type='text'>
* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516)

The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.

Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.

* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive

* Minor spelling

---------

Co-authored-by: Stefan Zwanenburg &lt;stefan@zwanenburg.info&gt;
Co-authored-by: Alexandre Alapetite &lt;alexandre@alapetite.fr&gt;</content>
</entry>
<entry>
<title>Allow choosing the OIDC remote user claim and scopes to request from the identity provider (#5481)</title>
<updated>2023-06-30T10:58:20+00:00</updated>
<author>
<name>otaconix</name>
<email>stefanhetzwaantje@gmail.com</email>
</author>
<published>2023-06-30T10:58:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=fc579bd2bc5406abcaa9f8dfffe4232a2e256116'/>
<id>urn:sha1:fc579bd2bc5406abcaa9f8dfffe4232a2e256116</id>
<content type='text'>
* Allow choosing the OIDC remote user claim and scopes to request from the identity provider

* Added comment to explain how checking whether an environment variable is set is done

* Use apostrophes instead of single quotes for verb contractions in docs

* Move variables used for checking presence of environment variables inside IfDefine block</content>
</entry>
<entry>
<title>Add OpenID Connect (#5351)</title>
<updated>2023-06-12T08:22:46+00:00</updated>
<author>
<name>Aaron Schif</name>
<email>aaronschif@gmail.com</email>
</author>
<published>2023-06-12T08:22:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=58b254f9cb923d5d0dfe53df4bca8a0f00bbcf0b'/>
<id>urn:sha1:58b254f9cb923d5d0dfe53df4bca8a0f00bbcf0b</id>
<content type='text'>
* Add OIDC

* Update documentation.

* Update apache conf adding IfModule

* Use IfDefine for OIDC in apache conf

* Fix non-oidc support

* Fix typing

* Use IfDefine to enable OIDC

* Add OIDC support to all dockerfiles

* Re-add apache Require option

* Fixes and documentation

* A few more fixes

* A bit more doc

* Change type of environment variable

* Update readme

* Correct apache config for OIDC support.

* Fix README formatting

* Update oidc control path

* Fix oidc endpoint being cached

* A bit more review

* Simplify ExpiresActive

* Add session refresh and improve caching

* Allow more different setups

* A bit more documentation

* A bit more readme

---------

Co-authored-by: Aaron Schif &lt;aschif@netdevgroup.com&gt;
Co-authored-by: Alexandre Alapetite &lt;alexandre@alapetite.fr&gt;
Co-authored-by: maTh &lt;math-home@web.de&gt;</content>
</entry>
<entry>
<title>[Docker] Listening for IPv6 connections (#5180)</title>
<updated>2023-03-26T19:50:27+00:00</updated>
<author>
<name>Rufubi</name>
<email>122667207+Rufubi@users.noreply.github.com</email>
</author>
<published>2023-03-26T19:50:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=96048564822186ea5c217f0b6419364c6f5ae00f'/>
<id>urn:sha1:96048564822186ea5c217f0b6419364c6f5ae00f</id>
<content type='text'>
* Listen for IPv6 connections

* Added information about LISTEN6 variable

* Make LISTEN variable a comma-separated list of values

* Removed debug commands

* Revert changes

---------

Co-authored-by: Rufubi &lt;&gt;</content>
</entry>
<entry>
<title>API avoid logging passwords (#5001)</title>
<updated>2023-01-11T22:27:14+00:00</updated>
<author>
<name>Alexandre Alapetite</name>
<email>alexandre@alapetite.fr</email>
</author>
<published>2023-01-11T22:27:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=075cf4c800063e3cc65c3d41a9c23222e8ebb554'/>
<id>urn:sha1:075cf4c800063e3cc65c3d41a9c23222e8ebb554</id>
<content type='text'>
* API avoid logging passwords
* Strip passwords and tokens from API logs
* Only log failed requests information when in debug mode

* Remove debug SHA

* Clean also Apache logs

* Better comments

* Redact also token parameters

* shfmt

* Simplify whitespace

* redacted</content>
</entry>
<entry>
<title>Apache TraceEnable Off (#4863)</title>
<updated>2022-11-16T22:27:45+00:00</updated>
<author>
<name>Alexandre Alapetite</name>
<email>alexandre@alapetite.fr</email>
</author>
<published>2022-11-16T22:27:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=e1b2f6ae1370111ca273e77c1fc7c5df3b11a2ec'/>
<id>urn:sha1:e1b2f6ae1370111ca273e77c1fc7c5df3b11a2ec</id>
<content type='text'>
I have just received an e-mail with a security concern.
Although most likely an obsolete concern (old browsers with Java applets), and the Apache team saying that there is no problem, let's disable the TRACE method by default in our Docker images until we hear anybody actually wanting this feature.
https://httpd.apache.org/docs/current/mod/core.html#traceenable
https://owasp.org/www-community/attacks/Cross_Site_Tracing</content>
</entry>
<entry>
<title>Docker fix missing .htaccess (#4074)</title>
<updated>2021-12-20T19:46:41+00:00</updated>
<author>
<name>Alexandre Alapetite</name>
<email>alexandre@alapetite.fr</email>
</author>
<published>2021-12-20T19:46:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=816f4178dc2852f47c0d5d81cd8c665d7e48c731'/>
<id>urn:sha1:816f4178dc2852f47c0d5d81cd8c665d7e48c731</id>
<content type='text'>
Related to https://github.com/FreshRSS/FreshRSS/issues/4073
In our Docker configuration, `.htaccess` files are included only once at startup. The one for themes was missing.</content>
</entry>
<entry>
<title>Docker LogFormat Alpine (#3235)</title>
<updated>2020-10-21T22:04:10+00:00</updated>
<author>
<name>Alexandre Alapetite</name>
<email>alexandre@alapetite.fr</email>
</author>
<published>2020-10-21T22:04:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rdnlsmith.com/fresh-rss-custom/commit/?id=e0b80e82e2d32d7e2827587df502360a2d4b9e14'/>
<id>urn:sha1:e0b80e82e2d32d7e2827587df502360a2d4b9e14</id>
<content type='text'>
#fix https://github.com/FreshRSS/FreshRSS/issues/3233
In Alpine, we need to enable mod_logio.c to use %O. Revert to more
standard %b
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat</content>
</entry>
</feed>
