* Fix OIDC session params definition
- standardize environment variable names
- group all in the same configuration file
- use mod_auth_openidc default values
- fix `OIDCSessionMaxDuration` because it was not set with the previous
code
- add documentation
* Add double quoting to prevent globbing and word splitting
* Revert line deleted by mistake
* Use RemoteIPInternalProxy directive of remoteip Apache module
instead of RemoteIPTrustedProxy directive
To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies
Fixes#5726
* One last reference forgotten
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes#5516)
The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.
Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.
* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive
* Minor spelling
---------
Co-authored-by: Stefan Zwanenburg <stefan@zwanenburg.info>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* Allow choosing the OIDC remote user claim and scopes to request from the identity provider
* Added comment to explain how checking whether an environment variable is set is done
* Use apostrophe's instead of single quotes for verb contractions in docs
* Move variables used for checking presence of environment variables inside IfDefine block
* Add OIDC
* Update documentation.
* Update apache conf adding IfModule
* Use IfDefine for OIDC in apache conf
* Fix non-oidc support
* Fix typing
* Use IfDefine to enable OIDC
* Add OIDC support to all dockerfiles
* Re add apache Require option
* Fixes and documentation
* A few more fixes
* A bit more doc
* Change type of environment variable
* Update readme
* Correct apache config for OIDC support.
* Fix README formatting
* Update oidc control path
* Fix oidc endpoint being cached
* A bit more review
* Simplify ExpiresActive
* Add session refresh and improve caching
* Allow more different setups
* A bit more documentation
* A bit more readme
---------
Co-authored-by: Aaron Schif <aschif@netdevgroup.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: maTh <math-home@web.de>
* Listen for IPv6 connections
* Added information about LISTEN6 variable
* Make LISTEN variable a comma-separated list of values
* Removed debug commands
* Revert changes
---------
Co-authored-by: Rufubi <>
* API avoid logging passwords
* Strip passwords and tokens from API logs
* Only log failed requests information when in debug mode
* Remove debug SHA
* Clean also Apache logs
* Better comments
* Redact also token parameters
* shfmt
* Simplify whitespace
* redacted
* Docker image alternative using Ubuntu
Ubuntu seems to be faster, cf. e.g. PHPBench.
It is quite usual for Docker images to offer both a Debian/Ubuntu and an
Alpine version, so we could also do the same if there is any need.
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/2202
* Only explicit use of Apache confs
Fix double-logging issue
* Explicit ServerTokens OS
Default Apache configuration in Ubuntu, which was removed when disabling all confs.
It is also the default Apache configuration in Alpine.
* Take advantage of syslog for actualization
Same than for Alpine
43ab629e27
* COPY_SYSLOG_TO_STDERR
Same as https://github.com/FreshRSS/FreshRSS/pull/2213
* Update to libapache2-mod-php instead of php-fpm
* Default to Ubuntu
Ubuntu mod-php wins, being ~14% faster than Ubuntu php-fpm (which was ~300% faster than Alpine mod-php)
* Apache performance
API: Use SetEnvIf if available and fallback to RewriteRule
Docker: Disable unused modules.
Docker: Hard-include .htaccess to avoid having to scan for changes in
that file.
Docker: Disable security check of symlinks, which we do not use ayway.
* Apache readme
* Docker/Apache tuning
Run cron job with correct www-data user instead of root
Remove PHP GMP module uneeded for 64-bit Docker image
Add option to mount custom .htaccess for HTTP authentication
Re-add Apache module for HTTP authentication
Move Alpine-specific instructions to Docker file (instead of Apache
conf) to make it easier to have other base images than Alpine
It looks like overrides of CustomLog, ErrorLog, Listen did not do the
job fully.
Updated to comment out those lines in httpd.conf.
Fixes the fact that logs were kept in /var/log/apache2/ (instead of
being only given via STDOUT to Docker logs) and the "internal dummy
connection" bug over IPv6 (Docker is typically only IPv4).
