From e7689459f25663e00b4f5814a3608872ff36b582 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 30 Jul 2023 12:59:18 +0200 Subject: Rework trusted proxies (#5549) * Rework trusted proxies Fix https://github.com/FreshRSS/FreshRSS/issues/5502 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226 New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip. Current working setups should not observe any significant change. * Minor whitespace * Safer trusted sources during install Rework of https://github.com/FreshRSS/FreshRSS/pull/5358 https://github.com/FreshRSS/FreshRSS/issues/5357 * Minor readme --- docs/en/admins/09_AccessControl.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'docs/en/admins/09_AccessControl.md') diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md index 870d3a6ad..65f78be4d 100644 --- a/docs/en/admins/09_AccessControl.md +++ b/docs/en/admins/09_AccessControl.md @@ -24,13 +24,15 @@ variable containing the email address of the authenticated user (e.g. `REMOTE_US ## External Authentication -You may also use the `Remote-User` or `X-WebAuth-User` header to integrate with a your reverse-proxy’s authentication. +You may also use the `Remote-User` or `X-WebAuth-User` HTTP headers to integrate with a reverse-proxy’s authentication. To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option. To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`. Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`. -WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access. +You may alternatively pass a `TRUSTED_PROXY` environment variable in a format compatible with [Apache’s `mod_remoteip` `RemoteIPTrustedProxy`](https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy). + +> ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access. ## No Authentication -- cgit v1.2.3