author Alexandre Alapetite <alexandre@alapetite.fr> 2023-07-30 12:59:18 +0200
committer GitHub <noreply@github.com> 2023-07-30 12:59:18 +0200
commit e7689459f25663e00b4f5814a3608872ff36b582
tree 28a747f685a782fd7aa70dd4211106fe412b774a /docs
parent 0182d84142fb5f4c9514371f8fc0e6ce3640a6e1
Rework trusted proxies (#5549)
* Rework trusted proxies
  Fix https://github.com/FreshRSS/FreshRSS/issues/5502
  Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226
  New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
  New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.
  Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install
  Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
Diffstat (limited to 'docs')
-rw-r--r-- docs/en/admins/09_AccessControl.md | 6
1 files changed, 4 insertions, 2 deletions
diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index 870d3a6ad..65f78be4d 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -24,13 +24,15 @@ variable containing the email address of the authenticated user (e.g. `REMOTE_US
## External Authentication
-You may also use the `Remote-User` or `X-WebAuth-User` header to integrate with a your reverse-proxy’s authentication.
+You may also use the `Remote-User` or `X-WebAuth-User` HTTP headers to integrate with a reverse-proxy’s authentication.
To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option.
To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`.
Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`.
-WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
+You may alternatively pass a `TRUSTED_PROXY` environment variable in a format compatible with [Apache’s `mod_remoteip` `RemoteIPTrustedProxy`](https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy).
+
+> ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
## No Authentication
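Review bot: The warning on the last added line still names only `trusted_sources`, although the sentence added just above it introduces `TRUSTED_PROXY` as an alternative way to list trusted proxies, so a reader who configures only the environment variable may not realise the warning is meant for them too. Suggest wording the warning to cover both settings and replacing "this header" with the header names (`Remote-User`, `X-WebAuth-User`), since the first changed line now speaks of "HTTP headers" in the plural; splitting the comma splice after "option" into two sentences would also help. The `TRUSTED_PROXY` sentence could additionally document that `0` disables it, as the commit message states, and say whether it replaces or supplements `trusted_sources`, because the text as written leaves precedence between the two undefined.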