From 5374df384a032e91f09d53291c879ee19da99714 Mon Sep 17 00:00:00 2001
From: Mossroy
Date: Wed, 25 Oct 2023 16:23:03 +0200
Subject: [PATCH] Use RemoteIPInternalProxy directive of remoteip Apache module (#5740)

* Use RemoteIPInternalProxy directive of remoteip Apache module instead of RemoteIPTrustedProxy directive
To allow internal IPs to be trusted: for internal clients, and also for the case of chained internal reverse-proxies
Fixes #5726
* One last reference forgotten
---------
Co-authored-by: Alexandre Alapetite
---
 Docker/FreshRSS.Apache.conf | 2 +-
 Docker/README.md | 2 +-
 Docker/entrypoint.sh | 6 +++---
 docs/en/admins/09_AccessControl.md | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index f3dc6da7c..49411441b 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -11,7 +11,7 @@ ErrorLog /dev/stderr
  # Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
  RemoteIPHeader X-Forwarded-For
  # Can be overridden by the TRUSTED_PROXY environment variable:
- RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
+ RemoteIPInternalProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
  LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
diff --git a/Docker/README.md b/Docker/README.md
index c44e4691c..01d2e59a6 100644
--- a/Docker/README.md
+++ b/Docker/README.md
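Review bot: The new default `RemoteIPInternalProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16` treats every RFC 1918 address as an internal proxy, and unlike the RemoteIPTrustedProxy it replaces, mod_remoteip will then also accept private addresses taken from X-Forwarded-For as the client address instead of refusing them. Because `trusted_sources` in docs/en/admins/09_AccessControl.md is typically filled with private ranges, a forged X-Forwarded-For from any host inside those ranges (other containers sharing the Docker network, for instance) can now satisfy that check, which widens the exposure the ☠️ warning in that file already describes. The comment above the directive should say so, so operators narrow the list: `# With RemoteIPInternalProxy, private X-Forwarded-For values are honoured as the client IP;` / `# set TRUSTED_PROXY to the address(es) of your actual reverse proxy rather than a whole private range.` The enclosing block (the hunk header shows only `ErrorLog /dev/stderr`) starts and ends outside the hunk.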
@@ -329,7 +329,7 @@ services:
  LISTEN: 0.0.0.0:80
  # Optional parameter, remove for automatic settings, set to 0 to disable,
  # or (if you use a proxy) to a space-separated list of trusted IP ranges
- # compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
+ # compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
  # This impacts which IP address is logged (X-Forwarded-For or REMOTE_ADDR).
  # This also impacts external authentication methods;
  # see https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index c17d0d445..958fb4b40 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -13,11 +13,11 @@ fi
  if [ -n "$TRUSTED_PROXY" ]; then
  if [ "$TRUSTED_PROXY" = "0" ]; then
- # Disable RemoteIPHeader and RemoteIPTrustedProxy
+ # Disable RemoteIPHeader and RemoteIPInternalProxy
  find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "/^\s*RemoteIP.*$/s/^/#/" {} \;
  else
- # Custom list for RemoteIPTrustedProxy
- find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^\s*RemoteIPTrustedProxy#s#^.*#\tRemoteIPTrustedProxy $TRUSTED_PROXY#" {} \;
+ # Custom list for RemoteIPInternalProxy
+ find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^\s*RemoteIPInternalProxy#s#^.*#\tRemoteIPInternalProxy $TRUSTED_PROXY#" {} \;
  fi
  fi
diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index 65f78be4d..e158f2a4e 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
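Review bot: `$TRUSTED_PROXY` is interpolated unvalidated into the sed script on the new `find … -exec sed -r -i "\\#^\s*RemoteIPInternalProxy#s#^.*#\tRemoteIPInternalProxy $TRUSTED_PROXY#"` line, where `#` serves as both the address and the `s` delimiter, so a value containing `#`, `&` or `\` would silently yield a malformed or different RemoteIPInternalProxy line rather than an error. Since the README hunk documents the variable as a space-separated list of IP ranges, a whitelist check before this branch would fail fast instead: `case "$TRUSTED_PROXY" in *[!0-9a-fA-F:./' ']*) echo "Invalid TRUSTED_PROXY: $TRUSTED_PROXY" >&2; exit 1;; esac` (omit it if hostnames, which mod_remoteip also accepts, are meant to be supported). The comment could also record that the directive name here must stay in sync with Docker/FreshRSS.Apache.conf, since the disable branch above only comments out lines matching `^\s*RemoteIP.*` and the custom-list branch matches the exact directive name. The surrounding `if [ -n "$TRUSTED_PROXY" ]` block lies fully inside the hunk.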
@@ -30,7 +30,7 @@ To enable this feature, you need to add the IP range (in CIDR notation) of your
 To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`. Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`.
-You may alternatively pass a `TRUSTED_PROXY` environment variable in a format compatible with [Apache’s `mod_remoteip` `RemoteIPTrustedProxy`](https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy).
+You may alternatively pass a `TRUSTED_PROXY` environment variable in a format compatible with [Apache’s `mod_remoteip` `RemoteIPInternalProxy`](https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy).
 > ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.