From e7689459f25663e00b4f5814a3608872ff36b582 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 30 Jul 2023 12:59:18 +0200
Subject: Rework trusted proxies (#5549)

* Rework trusted proxies Fix https://github.com/FreshRSS/FreshRSS/issues/5502 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226 New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip. Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
---
 Docker/Dockerfile | 1 +
 Docker/Dockerfile-Alpine | 1 +
 Docker/Dockerfile-Newest | 1 +
 Docker/Dockerfile-Oldest | 1 +
 Docker/Dockerfile-QEMU-ARM | 1 +
 Docker/FreshRSS.Apache.conf | 17 ++++++++++++-----
 Docker/README.md | 7 +++++++
 Docker/entrypoint.sh | 10 ++++++++++
 Docker/freshrss/docker-compose-proxy.yml | 4 +++-
 Docker/freshrss/docker-compose.yml | 1 +
 10 files changed, 38 insertions(+), 6 deletions(-)
(limited to 'Docker')

diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 4b6979993..239a0e067 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -58,6 +58,7 @@ ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
 ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Alpine b/Docker/Dockerfile-Alpine
index 59142384c..1da380f81 100644
--- a/Docker/Dockerfile-Alpine
+++ b/Docker/Dockerfile-Alpine
@@ -54,6 +54,7 @@ ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
 ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Newest b/Docker/Dockerfile-Newest
index 8c2d6eb71..c5615b512 100644
--- a/Docker/Dockerfile-Newest
+++ b/Docker/Dockerfile-Newest
@@ -57,6 +57,7 @@ ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
 ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-Oldest b/Docker/Dockerfile-Oldest
index 88d02b512..22b9cec21 100644
--- a/Docker/Dockerfile-Oldest
+++ b/Docker/Dockerfile-Oldest
@@ -56,6 +56,7 @@ ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
 ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/Dockerfile-QEMU-ARM b/Docker/Dockerfile-QEMU-ARM
index 58459cf37..48ce56345 100644
--- a/Docker/Dockerfile-QEMU-ARM
+++ b/Docker/Dockerfile-QEMU-ARM
@@ -70,6 +70,7 @@ ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
 ENV OIDC_ENABLED ''
+ENV TRUSTED_PROXY ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 9330a17f4..f3dc6da7c 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -1,14 +1,21 @@
 ServerName freshrss.localhost
 Listen 80
 DocumentRoot /var/www/FreshRSS/p/
-RemoteIPHeader X-Forwarded-For
-RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
-LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
-CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
-ErrorLog /dev/stderr
 AllowEncodedSlashes On
 ServerTokens OS
 TraceEnable Off
+ErrorLog /dev/stderr
+
+# For logging the original user-agent IP instead of proxy IPs:
+
+	# Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
+	RemoteIPHeader X-Forwarded-For
+	# Can be overridden by the TRUSTED_PROXY environment variable:
+	RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
+
+
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
+CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
diff --git a/Docker/README.md b/Docker/README.md
index 1fbc9634c..ffd1fc2d2 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -330,6 +330,13 @@ services:
       FRESHRSS_ENV: development
       # Optional advanced parameter controlling the internal Apache listening port
       LISTEN: 0.0.0.0:80
+      # Optional parameter, remove for automatic settings, set to 0 to disable,
+      # or (if you use a proxy) to a space-separated list of trusted IP ranges
+      # compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
+      # This impacts which IP address is logged (X-Forwarded-For or REMOTE_ADDR).
+      # This also impacts external authentication methods;
+      # see https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
+      TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
       # Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
       # Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
       OIDC_ENABLED: 0
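Review bot: The fallback `RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16` trusts the entire RFC 1918 space rather than a proxy, so any TCP peer with a private address — a LAN client in a proxy-less install, or any other container on the Docker network — can set `X-Forwarded-For` and have that value become `%a` in the log and, per the commit message, the address seen by the external-auth/trusted-sources logic. Shipping this as the default when `TRUSTED_PROXY` is unset is fail-open; safer is to trust nothing until the proxy is named, or at least to warn next to the directive: `# WARNING: this default trusts every RFC 1918 peer, so any LAN host or container can forge X-Forwarded-For; set TRUSTED_PROXY to the proxy address(es) only.` Note too that `RemoteIPTrustedProxy` leaves private addresses found inside the header untrusted, so behind two internal proxies the logged "client" will be the inner proxy; `RemoteIPInternalProxy` is the directive for that case and deserves a mention in the comment. The bare `+` lines around the directives look like an `<IfModule>` wrapper lost in rendering; if so, a build without mod_remoteip drops them silently and `%a` falls back to the peer address with no startup error.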
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index 1b25026b5..6cb5a49b4 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -11,6 +11,16 @@ if [ -n "$LISTEN" ]; then
 	find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^Listen#s#^.*#Listen $LISTEN#" {} \;
 fi
+if [ -n "$TRUSTED_PROXY" ]; then
+	if [ "$TRUSTED_PROXY" -eq 0 ]; then
+		# Disable RemoteIPHeader and RemoteIPTrustedProxy
+		find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "/^\s*RemoteIP.*$/s/^/#/" {} \;
+	else
+		# Custom list for RemoteIPTrustedProxy
+		find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^\s*RemoteIPTrustedProxy#s#^.*#\tRemoteIPTrustedProxy $TRUSTED_PROXY#" {} \;
+	fi
+fi
+
 if [ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ]; then
 	a2enmod -q auth_openidc
 fi
diff --git a/Docker/freshrss/docker-compose-proxy.yml b/Docker/freshrss/docker-compose-proxy.yml
index 980e45e67..9b4846bce 100644
--- a/Docker/freshrss/docker-compose-proxy.yml
+++ b/Docker/freshrss/docker-compose-proxy.yml
@@ -7,7 +7,7 @@ volumes:
 services:
   traefik:
-    image: traefik:2.6
+    image: traefik:2.10
     container_name: traefik
     restart: unless-stopped
     logging:
@@ -42,6 +42,8 @@ services:
       - traefik.enable=false
   freshrss:
+    environment:
+      TRUSTED_PROXY: 172.16.0.1/12
     labels:
       - traefik.enable=true
       - traefik.http.middlewares.freshrssM1.compress=true
diff --git a/Docker/freshrss/docker-compose.yml b/Docker/freshrss/docker-compose.yml
index b8956bca5..7eb23fe9c 100644
--- a/Docker/freshrss/docker-compose.yml
+++ b/Docker/freshrss/docker-compose.yml
@@ -25,3 +25,4 @@ services:
     environment:
       TZ: Europe/Paris
       CRON_MIN: '3,33'
+      TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
-- 
cgit v1.2.3
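Review bot: `$TRUSTED_PROXY` goes unvalidated into a `#`-delimited sed expression in the `else` branch, so a value containing `#`, `&`, `\` or a newline either makes sed fail or rewrites the directive into something else; `find -exec` ignores the failure, and Apache then starts with the permissive RFC 1918 default instead of the operator's list — a silent fail-open on exactly the setting meant to tighten trust. The `[ "$TRUSTED_PROXY" -eq 0 ]` test also prints `integer expression expected` for every CIDR list and only reaches `else` because the error returns non-zero; `[ "$TRUSTED_PROXY" = 0 ]` is the intended check. Suggest restricting the value to the characters an address, CIDR or hostname list can contain and refusing to start otherwise, so a bad value is loud rather than ignored:
```shell
if [ -n "$TRUSTED_PROXY" ]; then
	if [ "$TRUSTED_PROXY" = 0 ]; then
		# … unchanged: comment out the RemoteIP* directives …
	else
		# Refuse anything that is not an IP/CIDR/hostname list: the value is spliced into sed below
		case "$TRUSTED_PROXY" in
			*[!A-Za-z0-9.:/_' '-]*)
				echo "Invalid TRUSTED_PROXY value: $TRUSTED_PROXY" >&2
				exit 1 ;;
		esac
		# … unchanged: sed replacement of RemoteIPTrustedProxy …
	fi
fi
```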
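Review bot: `TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16` is added to the compose file that has no reverse proxy, so every peer reaching the published port from a private address — the Docker host and every other container on the compose network, typically in 172.x — is trusted to supply `X-Forwarded-For`. For a deployment with nothing in front of the container, `TRUSTED_PROXY: 0` is the value the commit's own README text describes for that case; if the line is meant as a template for a proxy added later, a comment such as `# Only needed behind a reverse proxy; set to 0 when FreshRSS is exposed directly` would make that explicit. The `172.16.0.1/12` in the docker-compose-proxy.yml hunk has the same breadth, though there the proxy at least lives on that network.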