authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2023-07-30 12:59:18 +0200
committerGravatar GitHub <noreply@github.com> 2023-07-30 12:59:18 +0200
commite7689459f25663e00b4f5814a3608872ff36b582 (patch)
tree28a747f685a782fd7aa70dd4211106fe412b774a /Docker
parent0182d84142fb5f4c9514371f8fc0e6ce3640a6e1 (diff)
Rework trusted proxies (#5549)
* Rework trusted proxies Fix https://github.com/FreshRSS/FreshRSS/issues/5502 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226 New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip. Current working setups should not observe any significant change. * Minor whitespace * Safer trusted sources during install Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357 * Minor readme
Diffstat (limited to 'Docker')
-rw-r--r--Docker/Dockerfile1
-rw-r--r--Docker/Dockerfile-Alpine1
-rw-r--r--Docker/Dockerfile-Newest1
-rw-r--r--Docker/Dockerfile-Oldest1
-rw-r--r--Docker/Dockerfile-QEMU-ARM1
-rw-r--r--Docker/FreshRSS.Apache.conf17
-rw-r--r--Docker/README.md7
-rwxr-xr-xDocker/entrypoint.sh10
-rw-r--r--Docker/freshrss/docker-compose-proxy.yml4
-rw-r--r--Docker/freshrss/docker-compose.yml1
10 files changed, 38 insertions, 6 deletions
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 4b6979993..239a0e067 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -58,6 +58,7 @@ ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Alpine b/Docker/Dockerfile-Alpine
index 59142384c..1da380f81 100644
--- a/Docker/Dockerfile-Alpine
+++ b/Docker/Dockerfile-Alpine
@@ -54,6 +54,7 @@ ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Newest b/Docker/Dockerfile-Newest
index 8c2d6eb71..c5615b512 100644
--- a/Docker/Dockerfile-Newest
+++ b/Docker/Dockerfile-Newest
@@ -57,6 +57,7 @@ ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Oldest b/Docker/Dockerfile-Oldest
index 88d02b512..22b9cec21 100644
--- a/Docker/Dockerfile-Oldest
+++ b/Docker/Dockerfile-Oldest
@@ -56,6 +56,7 @@ ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-QEMU-ARM b/Docker/Dockerfile-QEMU-ARM
index 58459cf37..48ce56345 100644
--- a/Docker/Dockerfile-QEMU-ARM
+++ b/Docker/Dockerfile-QEMU-ARM
@@ -70,6 +70,7 @@ ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 9330a17f4..f3dc6da7c 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -1,14 +1,21 @@
ServerName freshrss.localhost
Listen 80
DocumentRoot /var/www/FreshRSS/p/
-RemoteIPHeader X-Forwarded-For
-RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
-LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
-CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
-ErrorLog /dev/stderr
AllowEncodedSlashes On
ServerTokens OS
TraceEnable Off
+ErrorLog /dev/stderr
+
+# For logging the original user-agent IP instead of proxy IPs:
+<IfModule mod_remoteip.c>
+ # Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
+ RemoteIPHeader X-Forwarded-For
+ # Can be overridden by the TRUSTED_PROXY environment variable:
+ RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
+</IfModule>
+
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
+CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
<IfDefine OIDC_ENABLED>
<IfModule !auth_openidc_module>
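Review bot: The default `RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16` trusts every RFC 1918 range, so any host in those networks that can reach port 80 directly (not only the intended reverse proxy) has its X-Forwarded-For value accepted as the client address that `%a` logs and, per the commit message, that external authentication sees; the comment above it should say so and point operators at the override, e.g. `# Default trusts all private ranges; set TRUSTED_PROXY to your proxy's address(es) when other LAN hosts can reach this port, or to 0 when there is no proxy.` The new `<IfModule mod_remoteip.c>` guard also means that if the module is not loaded the directives are silently dropped and the proxy address is logged instead; a comment noting that fallback would make the degradation visible. The `<IfDefine OIDC_ENABLED>` block at the end of the hunk continues outside it.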
diff --git a/Docker/README.md b/Docker/README.md
index 1fbc9634c..ffd1fc2d2 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -330,6 +330,13 @@ services:
FRESHRSS_ENV: development
# Optional advanced parameter controlling the internal Apache listening port
LISTEN: 0.0.0.0:80
+ # Optional parameter, remove for automatic settings, set to 0 to disable,
+ # or (if you use a proxy) to a space-separated list of trusted IP ranges
+ # compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
+ # This impacts which IP address is logged (X-Forwarded-For or REMOTE_ADDR).
+ # This also impacts external authentication methods;
+ # see https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
+ TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
# Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
# Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
OIDC_ENABLED: 0
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index 1b25026b5..6cb5a49b4 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -11,6 +11,16 @@ if [ -n "$LISTEN" ]; then
find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^Listen#s#^.*#Listen $LISTEN#" {} \;
fi
+if [ -n "$TRUSTED_PROXY" ]; then
+ if [ "$TRUSTED_PROXY" -eq 0 ]; then
+ # Disable RemoteIPHeader and RemoteIPTrustedProxy
+ find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "/^\s*RemoteIP.*$/s/^/#/" {} \;
+ else
+ # Custom list for RemoteIPTrustedProxy
+ find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^\s*RemoteIPTrustedProxy#s#^.*#\tRemoteIPTrustedProxy $TRUSTED_PROXY#" {} \;
+ fi
+fi
+
if [ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ]; then
a2enmod -q auth_openidc
fi
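Review bot: `[ "$TRUSTED_PROXY" -eq 0 ]` is an integer comparison, so for the documented list form (e.g. `172.16.0.1/12 192.168.0.1/16`) `test` prints an error to stderr and returns a non-zero status, which reaches the `else` branch only by accident; compare as a string instead, `if [ "$TRUSTED_PROXY" = 0 ]; then`. The value is also spliced verbatim into a `#`-delimited sed replacement, so a `#`, `&` or `\` in it would alter or break the resulting directive rather than be rejected — acceptable for an operator-set variable but worth stating, e.g. `# Inserted verbatim into FreshRSS.Apache.conf; must not contain #, & or \`. The script continues outside the hunk.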
diff --git a/Docker/freshrss/docker-compose-proxy.yml b/Docker/freshrss/docker-compose-proxy.yml
index 980e45e67..9b4846bce 100644
--- a/Docker/freshrss/docker-compose-proxy.yml
+++ b/Docker/freshrss/docker-compose-proxy.yml
@@ -7,7 +7,7 @@ volumes:
services:
traefik:
- image: traefik:2.6
+ image: traefik:2.10
container_name: traefik
restart: unless-stopped
logging:
@@ -42,6 +42,8 @@ services:
- traefik.enable=false
freshrss:
+ environment:
+ TRUSTED_PROXY: 172.16.0.1/12
labels:
- traefik.enable=true
- traefik.http.middlewares.freshrssM1.compress=true
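Review bot: `TRUSTED_PROXY: 172.16.0.1/12` only covers the traefik container if Compose allocates this stack's network inside 172.16.0.0/12, which is typical for Docker's default address pool but not guaranteed on hosts with a custom pool; when it falls outside, Apache keeps logging the traefik address and the behaviour silently reverts to the pre-change state. A short comment next to the value, e.g. `# Must cover the subnet of the network shared with traefik (check with docker network inspect)`, would spare operators that surprise. The freshrss service definition continues outside the hunk.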
diff --git a/Docker/freshrss/docker-compose.yml b/Docker/freshrss/docker-compose.yml
index b8956bca5..7eb23fe9c 100644
--- a/Docker/freshrss/docker-compose.yml
+++ b/Docker/freshrss/docker-compose.yml
@@ -25,3 +25,4 @@ services:
environment:
TZ: Europe/Paris
CRON_MIN: '3,33'
+ TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
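Review bot: The new value is a plain scalar while the neighbouring `CRON_MIN: '3,33'` is quoted; the space-separated list parses as a string either way, but quoting it, `TRUSTED_PROXY: '172.16.0.1/12 192.168.0.1/16'`, keeps the file's quoting style consistent and makes it obvious the value is a single string rather than two items. Since this is the base compose file without a reverse proxy, a brief comment would also help readers, e.g. `# Only meaningful behind a reverse proxy on one of these ranges; set to 0 to disable`.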