| Age | Commit message (Collapse) | Author |
|---|
|
+fix minor whitespace from https://github.com/FreshRSS/FreshRSS/pull/6730
|
|
* Fix OIDC session params definition
- standardize environment variable names
- group all in the same configuration file
- use mod_auth_openidc default values
- fix `OIDCSessionMaxDuration` because it was not set with the previous
code
- add documentation
* Add double quoting to prevent globbing and word splitting
* Revert line deleted by mistake
|
|
* add OIDCSessionMaxDuration and OIDCSessionInactivityTimeout
* entrypoint.sh OIDCSessionMaxDuration and Session fix
* fix: entrypoint.sh OIDCSessionMaxDuration and OIDCSessionInactivityTimeout and Alpine support
* Use Apache config file instead
* Spelling
* fixed after restarting the double OIDC lines
* Refactor
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Use RemoteIPInternalProxy directive of remoteip Apache module
instead of RemoteIPTrustedProxy directive
To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies
Fixes #5726
* One last reference forgotten
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226
New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.
Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
|
|
* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516)
The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.
Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.
* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive
* Minor spelling
---------
Co-authored-by: Stefan Zwanenburg <stefan@zwanenburg.info>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
identity provider (#5481)
* Allow choosing the OIDC remote user claim and scopes to request from the identity provider
* Added comment to explain how checking whether an environment variable is set is done
* Use apostrophe's instead of single quotes for verb contractions in docs
* Move variables used for checking presence of environment variables inside IfDefine block
|
|
* Add OIDC
* Update documentation.
* Update apache conf adding IfModule
* Use IfDefine for OIDC in apache conf
* Fix non-oidc support
* Fix typing
* Use IfDefine to enable OIDC
* Add OIDC support to all dockerfiles
* Re add apache Require option
* Fixes and documentation
* A few more fixes
* A bit more doc
* Change type of environment variable
* Update readme
* Correct apache config for OIDC support.
* Fix README formatting
* Update oidc control path
* Fix oidc endpoint being cached
* A bit more review
* Simplify ExpiresActive
* Add session refresh and improve caching
* Allow more different setups
* A bit more documentation
* A bit more readme
---------
Co-authored-by: Aaron Schif <aschif@netdevgroup.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: maTh <math-home@web.de>
|
|
* Listen for IPv6 connections
* Added information about LISTEN6 variable
* Make LISTEN variable a comma-separated list of values
* Removed debug commands
* Revert changes
---------
Co-authored-by: Rufubi <>
|
|
* API avoid logging passwords
* Strip passwords and tokens from API logs
* Only log failed requests information when in debug mode
* Remove debug SHA
* Clean also Apache logs
* Better comments
* Redact also token parameters
* shfmt
* Simplify whitespace
* redacted
|
|
I have just received an e-mail with a security concern.
Although most likely an obsolete concern (old browsers with Java applets), and the Apache team saying that there is no problem, let's disable the TRACE method by default in our Docker images until we hear anybody actually wanting this feature.
https://httpd.apache.org/docs/current/mod/core.html#traceenable
https://owasp.org/www-community/attacks/Cross_Site_Tracing
|
|
Related to https://github.com/FreshRSS/FreshRSS/issues/4073
In our Docker configuration, `.htaccess` files are included only once at startup. The one for themes was missing.
|
|
#fix https://github.com/FreshRSS/FreshRSS/issues/3233
In Alpine, we need to enable mod_logio.c to use %O. Revert to more
standard %b
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat
|
|
#fix https://github.com/FreshRSS/FreshRSS/issues/3224
Log the client remote IP instead of the local proxy IP
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
|
|
* Docker image alternative using Ubuntu
Ubuntu seems to be faster, cf. e.g. PHPBench.
It is quite usual for Docker images to offer both a Debian/Ubuntu and an
Alpine version, so we could also do the same if there is any need.
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/2202
* Only explicit use of Apache confs
Fix double-logging issue
* Explicit ServerTokens OS
Default Apache configuration in Ubuntu, which was removed when disabling all confs.
It is also the default Apache configuration in Alpine.
* Take advantage of syslog for actualization
Same than for Alpine
https://github.com/FreshRSS/FreshRSS/pull/2208/commits/43ab629e27799cb28ec28ad409a512e128d11e97
* COPY_SYSLOG_TO_STDERR
Same as https://github.com/FreshRSS/FreshRSS/pull/2213
* Update to libapache2-mod-php instead of php-fpm
* Default to Ubuntu
Ubuntu mod-php wins, being ~14% faster than Ubuntu php-fpm (which was ~300% faster than Alpine mod-php)
|
|
* Apache performance
API: Use SetEnvIf if available and fallback to RewriteRule
Docker: Disable unused modules.
Docker: Hard-include .htaccess to avoid having to scan for changes in
that file.
Docker: Disable security check of symlinks, which we do not use ayway.
* Apache readme
* Docker/Apache tuning
Run cron job with correct www-data user instead of root
Remove PHP GMP module uneeded for 64-bit Docker image
Add option to mount custom .htaccess for HTTP authentication
Re-add Apache module for HTTP authentication
Move Alpine-specific instructions to Docker file (instead of Apache
conf) to make it easier to have other base images than Alpine
|
|
It looks like overrides of CustomLog, ErrorLog, Listen did not do the
job fully.
Updated to comment out those lines in httpd.conf.
Fixes the fact that logs were kept in /var/log/apache2/ (instead of
being only given via STDOUT to Docker logs) and the "internal dummy
connection" bug over IPv6 (Docker is typically only IPv4).
|
|
* Draft of new Docker
Based on Alpine Linux. Size ~78MB.
https://github.com/FreshRSS/docker-freshrss/issues/4
https://github.com/FreshRSS/FreshRSS/issues/520
https://github.com/FreshRSS/docker-freshrss
https://github.com/FreshRSS/docker-freshrss-production
* Docker readme
* +x execution rights prepare
* Docker readme links to hub.docker.com
https://hub.docker.com/r/freshrss/freshrss/
|
Alexandre Alapetite
pando85
нездалисько
Mossroy
otaconix
Aaron Schif
Rufubi
