From 15814cfd35b8ac704a761530e14bd9efe6500ddc Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 3 Jan 2026 17:48:33 +0100 Subject: Add remote user in Apache logs, also for API (#8392) * API: add remote user in Apache logs fix https://github.com/FreshRSS/FreshRSS/discussions/8385 Example: ``` 2026-01-01T18:38:28.645486326Z 0.0.0.0 - alex [01/Jan/2026:19:38:28 +0100] "GET /api/greader.php/reader/api/0/subscription/list?output=json HTTP/1.1" 200 9798 "-" "curl/8.14.1" ``` * Fallback mod_rewrite * Log remote user with same priority as FreshRSS_http_Util::httpAuthUser()
---
 Docker/FreshRSS.Apache.conf | 6 +++++- p/.htaccess | 9 +++++++++ p/api/.htaccess | 3 +++ 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 5868fae40..5db17e91a 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -14,7 +14,11 @@ ErrorLog /dev/stderr
 RemoteIPInternalProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
-LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
+# Default, will be overridden by p/.htaccess and p/api/.htaccess
+SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == ''" LOG_REMOTE_USER=-
+SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == '-' && reqenv('REMOTE_USER') =~ /(.+)/" LOG_REMOTE_USER=$1
+
+LogFormat "%a %l %{LOG_REMOTE_USER}e %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
 CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
diff --git a/p/.htaccess b/p/.htaccess
index 4d2c6e52b..06790616b 100644
--- a/p/.htaccess
+++ b/p/.htaccess
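Review bot: With `%u` replaced by `%{LOG_REMOTE_USER}e` in the `combined_proxy` LogFormat, the user column now comes only from the LOG_REMOTE_USER environment variable, and as far as I know mod_setenvif evaluates these rows before Apache's own authentication has run, so `reqenv('REMOTE_USER')` may still be empty at that point. If that holds, a deployment that authenticates in Apache (for example with `AuthType Basic`) would log `-` where `%u` used to print the authenticated name, which weakens the audit trail; this is worth confirming on such a setup before dropping `%u`. The added comment could also state the new meaning of the column, for example `# LOG_REMOTE_USER is the user name claimed by the request (env/headers), not necessarily one Apache authenticated`. The surrounding configuration continues outside the hunk.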
@@ -57,3 +57,12 @@ AddDefaultCharset UTF-8
 SetEnvIfExpr "%{CONN_REMOTE_ADDR} =~ /(.*)/" CONN_REMOTE_ADDR=$1
+
+# Log remote user with same priority as FreshRSS_http_Util::httpAuthUser(). See also api/.htaccess
+
+ SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == ''" LOG_REMOTE_USER=-
+ SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == '-' && reqenv('REMOTE_USER') =~ /(.+)/" LOG_REMOTE_USER=$1
+ SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == '-' && reqenv('REDIRECT_REMOTE_USER') =~ /(.+)/" LOG_REMOTE_USER=$1
+ SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == '-' && req('Remote-User') =~ /(.+)/" LOG_REMOTE_USER=$1
+ SetEnvIfExpr "reqenv('LOG_REMOTE_USER') == '-' && req('X-WebAuth-User') =~ /(.+)/" LOG_REMOTE_USER=$1
+
diff --git a/p/api/.htaccess b/p/api/.htaccess
index dd3df0b4f..3597751f6 100644
--- a/p/api/.htaccess
+++ b/p/api/.htaccess
@@ -1,9 +1,12 @@
 SetEnvIfNoCase "Authorization" "(.*)" HTTP_AUTHORIZATION=$1
+ SetEnvIfNoCase "Authorization" "^GoogleLogin auth=([^/]+)" REMOTE_USER=$1 LOG_REMOTE_USER=$1
 RewriteEngine on
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+ RewriteCond %{HTTP:Authorization} "^GoogleLogin auth=([^/]+)" [NC]
+ RewriteRule .* - [E=REMOTE_USER:%1,E=LOG_REMOTE_USER:%1]
-- cgit v1.2.3
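Review bot: The last two added rows in p/.htaccess copy `Remote-User` and `X-WebAuth-User` straight from the request into LOG_REMOTE_USER with no condition on who sent them, so any client that reaches Apache without a header-stripping proxy in front chooses the name written to the access log. The comment claims parity with FreshRSS_http_Util::httpAuthUser(), which is not shown here; if that function only honours these headers from trusted sources, the log is more permissive than the application, and log-based alerting or blocking would attribute requests to the wrong account. Consider applying the two header rows only when the peer is a trusted proxy (the `CONN_REMOTE_ADDR` variable set just above is available for that), or at least add `# Remote-User / X-WebAuth-User are client-supplied unless a trusted proxy overwrites them: the logged name is unverified`. Because `(.+)` also accepts spaces and the field is unquoted in the LogFormat, a value containing spaces shifts the later columns for log parsers. The same unverified-name concern applies to the `GoogleLogin auth=` capture in p/api/.htaccess.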
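Review bot: Both added rules in p/api/.htaccess set `REMOTE_USER` as well as `LOG_REMOTE_USER` from the part of the `Authorization: GoogleLogin auth=` value before the first `/`, and that value has not been validated at this point. A logging change needs only `LOG_REMOTE_USER`; defining `REMOTE_USER` from a client-supplied header means any code under p/api/ that reads it as an already-authenticated identity (I cannot tell from this hunk whether any does) would accept a name the client merely asserted. I would drop the `REMOTE_USER` assignment, i.e. `SetEnvIfNoCase "Authorization" "^GoogleLogin auth=([^/]+)" LOG_REMOTE_USER=$1` and `RewriteRule .* - [E=LOG_REMOTE_USER:%1]`, or add a comment explaining why it is required. The added lines are indented, so they presumably sit inside blocks whose opening and closing lines are not visible in this view.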