| author | 2023-07-30 12:59:18 +0200 | |
|---|---|---|
| committer | 2023-07-30 12:59:18 +0200 | |
| commit | e7689459f25663e00b4f5814a3608872ff36b582 (patch) | |
| tree | 28a747f685a782fd7aa70dd4211106fe412b774a /Docker/FreshRSS.Apache.conf | |
| parent | 0182d84142fb5f4c9514371f8fc0e6ce3640a6e1 (diff) | |
Rework trusted proxies (#5549)
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226
New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.
Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
Diffstat (limited to 'Docker/FreshRSS.Apache.conf')
| -rw-r--r-- | Docker/FreshRSS.Apache.conf | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf index 9330a17f4..f3dc6da7c 100644 --- a/Docker/FreshRSS.Apache.conf +++ b/Docker/FreshRSS.Apache.conf @@ -1,14 +1,21 @@ ServerName freshrss.localhost Listen 80 DocumentRoot /var/www/FreshRSS/p/ -RemoteIPHeader X-Forwarded-For -RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16 -LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy -CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy -ErrorLog /dev/stderr AllowEncodedSlashes On ServerTokens OS TraceEnable Off +ErrorLog /dev/stderr + +# For logging the original user-agent IP instead of proxy IPs: +<IfModule mod_remoteip.c> + # Can be disabled by setting the TRUSTED_PROXY environment variable to 0: + RemoteIPHeader X-Forwarded-For + # Can be overridden by the TRUSTED_PROXY environment variable: + RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16 +</IfModule> + +LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy +CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy <IfDefine OIDC_ENABLED> <IfModule !auth_openidc_module> |
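Review bot: The default `RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16` inside the new `<IfModule mod_remoteip.c>` block lets any peer in the three private ranges set the address that `%a` records in `combined_proxy`, and the comment above it only says the value can be overridden. I would state in that comment that `X-Forwarded-For` is believed from every connection originating in these ranges, so a deployment where untrusted hosts share the container network should narrow the list through `TRUSTED_PROXY`. The ranges are also written with host bits set; `10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` is the conventional network form and reads less like three single hosts. Since the RemoteIP directives are now conditional on the module while the `LogFormat` and `CustomLog` lines are not, a one-line comment that `%a` is the connecting proxy's address when mod_remoteip is absent would help whoever reads these logs later.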
