From e7689459f25663e00b4f5814a3608872ff36b582 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 30 Jul 2023 12:59:18 +0200
Subject: Rework trusted proxies (#5549)
* Rework trusted proxies Fix https://github.com/FreshRSS/FreshRSS/issues/5502 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226 New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip. Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
---
config.default.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'config.default.php')
diff --git a/config.default.php b/config.default.php
index b5e3a6318..f7c4e1315 100644
--- a/config.default.php
+++ b/config.default.php
@@ -194,9 +194,12 @@ return array(
 # Disable self-update,
 'disable_update' => false,
- # Trusted IPs that are allowed to send unsafe headers
- # Please read the documentation, before configuring this
- # https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
+ # Trusted IPs (e.g. of last proxy) that are allowed to send unsafe HTTP headers.
+ # The connection IP used during FreshRSS setup is automatically added to this list.
+ # Will be checked against CONN_REMOTE_ADDR (if available, to be robust even when using Apache mod_remoteip)
+ # or REMOTE_ADDR environment variable.
+ # This array can be overridden by the TRUSTED_PROXY environment variable.
+ # Read the documentation before configuring this https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
 'trusted_sources' => [
 '127.0.0.0/8',
 '::1/128',
--
cgit v1.2.3
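Review bot: The added line `# The connection IP used during FreshRSS setup is automatically added to this list.` documents a lasting trust grant without telling the administrator to review it. Every entry in `trusted_sources` is allowed to send the unsafe HTTP headers this comment block refers to, so an address recorded during setup stays trusted after installation unless someone removes it. I would add `# Review this list after setup and keep only the addresses of proxies you control.` directly below that line. The `TRUSTED_PROXY` line could also carry the disabling value named in the commit description, e.g. `# Set TRUSTED_PROXY to 0 to disable trusted proxies.`; the code that reads the variable is not part of this patch view, so that wording should be checked against it. The `trusted_sources` array continues past the end of the hunk.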