| author | 2022-04-02 21:40:30 +0200 | |
|---|---|---|
| committer | 2022-04-02 21:40:30 +0200 | |
| commit | 2aba861bc983555faf6dd96c5daa4e40e5328c54 (patch) | |
| tree | 68d63f76d0ce79e06cb3cabaaaeb3cd82849c175 /docs | |
| parent | 191abf5ba541107c5a1c5f14202b99e17bee2074 (diff) | |
Add HTTP_REMOTE_USER header for auth (#4063)
* add HTTP_REMOTE_USER header for auth
* add ip whitelist for HTTP_REMOTE_USER header
* add IPv6 support for header auth
* fix formatting
* A few fixes
* Add some default trusted sources
* Fix IPv6 doc
* More standard header names
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/en/admins/09_AccessControl.md | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md index 8ee193cea..4bd4dc8b5 100644 --- a/docs/en/admins/09_AccessControl.md +++ b/docs/en/admins/09_AccessControl.md @@ -15,13 +15,23 @@ You may also choose to use HTTP Authentication provided by your web server.[^1] If you choose to use this option, create a `./p/i/.htaccess` file with a matching `.htpasswd` file. -You can also use any authentication backend as long as your web server exposes the authenticated user through the `REMOTE_USER` variable. +You can also use any authentication backend as long as your web server exposes the authenticated user through the `Remote-User` variable. By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in. You can disable auto-registration of new users by setting `http_auth_auto_register` to `false` in the configuration file. When using auto-registration, you can optionally use the `http_auth_auto_register_email_field` to specify the name of a web server variable containing the email address of the authenticated user (e.g. `REMOTE_USER_EMAIL`). +## External Authentication + +You may also use the `Remote-User` or `X-WebAuth-User` header to integrate with a your reverse-proxy’s authentication. + +To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option. +To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`. +Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`. + +WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access. + ## No Authentication Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin. |
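Review bot: In the changed sentence under HTTP Authentication, `REMOTE_USER` becomes `Remote-User` but is still called a "variable", which blurs the difference between a server variable set by the web server's own authentication module and a request header that any client can send. I would keep `REMOTE_USER` in that sentence (the following paragraph still uses `REMOTE_USER_EMAIL` in the same style) and mention the `Remote-User` and `X-WebAuth-User` headers only in the new External Authentication section, where `trusted_sources` is explained. In that new section, "integrate with a your reverse-proxy’s authentication" has a stray "a". The WARNING line is a comma splice and does not say what "properly secured" means: suggest stating that the proxy must remove or overwrite any client-supplied `Remote-User` and `X-WebAuth-User` headers before forwarding, and that every host inside a listed range can assert any username, so the range should be as narrow as possible. The commit message also mentions default trusted sources; the section should list them so an admin knows what is already trusted before changing the option.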
