From aa45bcbe5a0a723c4b6adfb50139be0be6336d2b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 18 Jun 2025 22:15:54 +0200 Subject: Fix Markdown 78a4256 (#7678) Fix for https://github.com/FreshRSS/FreshRSS/commit/78a425636228066513bf14c7f74f6255062b2327 --- docs/en/admins/09_AccessControl.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'docs/en/admins') diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md index 883a1a04b..6264ea0ca 100644 --- a/docs/en/admins/09_AccessControl.md +++ b/docs/en/admins/09_AccessControl.md 
@@ -4,24 +4,26 @@ FreshRSS offers three methods of Access control: Form Authentication using JavaS ## Server-side feed fetching & security considerations -FreshRSS fetches RSS feeds using server-side HTTP requests (via the cURL library). This design allows users to subscribe to feeds hosted not just on the public internet, but also on internal or private networks. +FreshRSS fetches RSS feeds using server-side HTTP requests (via the cURL library). +This design allows users to subscribe to feeds hosted not just on the public internet, but also on internal or private networks. For example, many users connect FreshRSS to tools like RSS-Bridge, cron jobs, or local automation services such as Node-RED β€” all of which may run on `localhost` or internal IPs. -In self-hosted, single-user setups, this behavior is expected and usually safe. However, in **multi-user or public-facing instances**, this same functionality can introduce a potential security risk known as **Server-Side Request Forgery (SSRF)**. +In self-hosted, single-user setups, this behaviour is expected and usually safe. +However, in **multi-user or public-facing instances**, this same functionality can introduce a potential security risk known as **Server-Side Request Forgery (SSRF)**. In an SSRF scenario, a malicious user could submit a feed URL that points to internal network services, such as: -- `http://127.0.0.1` (loopback) -- `http://169.254.169.254` (cloud metadata services) -- Other services not meant to be exposed externally +* `http://127.0.0.1` (loopback) +* `http://169.254.169.254` (cloud metadata services) +* Other services not meant to be exposed externally While FreshRSS does not treat these requests as unsafe by default β€” since many legitimate use cases depend on them β€” it’s important to understand the implications if your instance is shared, exposed on the internet, or co-hosted with other services. 
-### Recommended mitigations for shared/public setups: +### Recommended mitigations for shared/public setups -- Run FreshRSS behind a firewall or reverse proxy that blocks access to internal IP ranges -- Use container isolation or a virtual network to prevent access to sensitive endpoints -- Avoid exposing your FreshRSS instance directly to the internet unless you fully trust all users +* Run FreshRSS behind a firewall or reverse proxy that blocks access to internal IP ranges +* Use container isolation or a virtual network to prevent access to sensitive endpoints +* Avoid exposing your FreshRSS instance directly to the internet unless you fully trust all users These steps are not necessary for trusted, single-user deployments, but are strongly advised in shared environments. @@ -30,8 +32,7 @@ These steps are not necessary for trusted, single-user deployments, but are stro ## Form Authentication -Form Authentication requires the use of JavaScript. It will work on any supported version of PHP, -but version 5.5 or newer is recommended (see footnote 1 in [prerequisites](02_Prerequisites.md) for the reason why). +Form Authentication requires the use of JavaScript. It will work on any supported version of PHP. This option requires nothing more than selecting Form Authentication during installation. @@ -63,7 +64,7 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co ### Authentik Proxy Provider If you wish to use external authentication with [Authentik](https://goauthentik.io/), -you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header. +you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a _Property Mapping_ that tells Authentik to inject the `X-WebAuth-User` HTTP header. You can do so with the following expression: ```python -- cgit v1.2.3
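Review bot: in the first hunk, the mitigation bullet `* Run FreshRSS behind a firewall or reverse proxy that blocks access to internal IP ranges` conflates two directions of traffic: a reverse proxy in front of FreshRSS filters inbound requests, while the SSRF risk described just above it comes from FreshRSS's own outbound cURL fetches, which a reverse proxy never sees. Suggest rewording to something like `* Restrict outbound (egress) traffic from the FreshRSS host with a firewall that blocks internal IP ranges and the cloud metadata address` so the advice actually covers `http://127.0.0.1` and `http://169.254.169.254` from the list. The rest of the hunk (splitting sentences onto their own lines, switching list markers from `-` to `*`) changes only the Markdown source and renders identically, which is fine; note that the em dashes on the `For example, ...` and `While FreshRSS ...` lines appear as `β€”` here, so if that is in the file rather than a display artefact, a plain dash would be safer.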
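Review bot: the second hunk drops the sentence `but version 5.5 or newer is recommended (see footnote 1 in [prerequisites](02_Prerequisites.md) for the reason why)`, which was the only pointer to that footnote from this page. Check that `02_Prerequisites.md` no longer carries a footnote that exists solely to justify the PHP 5.5 recommendation, otherwise it becomes orphaned text; if the footnote is still referenced elsewhere, this removal is complete as it stands.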
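Review bot: the third hunk only switches emphasis from `*Property Mapping*` to `_Property Mapping_`, consistent with the `*` list markers adopted in the first hunk, so there is no content change. Since this section tells the reader to have Authentik inject the `X-WebAuth-User` header, it would help to add one sentence referring back to the `TRUSTED_PROXY` setting mentioned in the hunk's leading context line, so that readers understand the header is only trustworthy when FreshRSS accepts it exclusively from the Authentik proxy. The hunk's trailing context opens a ```python fence whose body and closing fence lie outside the diff, so nothing further to review there.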