FreshRSS/Docker/FreshRSS.Apache.conf
Alexandre Alapetite e7689459f2 Rework trusted proxies (#5549)
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226

New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy

New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.

Current working setups should not observe any significant change.

* Minor whitespace

* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357

* Minor readme
2023-07-30 12:59:18 +02:00


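# Container-level server settings: one name, plain HTTP on port 80, the
# FreshRSS public directory as document root.
ServerName freshrss.localhost
Listen 80
DocumentRoot /var/www/FreshRSS/p/
# Accept %2F inside request paths (presumably needed by FreshRSS routes — confirm).
AllowEncodedSlashes On
# Minimal Server header: "Prod" advertises only "Apache", whereas "OS" also
# appended the operating system name. Nothing in this setup relies on the extra detail.
ServerTokens Prod
# Reject the HTTP TRACE method.
TraceEnable Off
# Errors go to the container's stderr stream.
ErrorLog /dev/stderr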
# For logging the original user-agent IP instead of proxy IPs:
<IfModule mod_remoteip.c>
# Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
RemoteIPHeader X-Forwarded-For
# Can be overridden by the TRUSTED_PROXY environment variable:
# Default: the three RFC 1918 private ranges (the prefix length, not the host
# part, decides the match). mod_remoteip honours X-Forwarded-For only when the
# TCP peer lies inside one of these ranges; a header presented by any other
# address is ignored, so an external client cannot forge its own IP here.
# NOTE(review): the TRUSTED_PROXY substitution happens outside this file
# (presumably the container entrypoint) — confirm.
RemoteIPTrustedProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
</IfModule>
# "%a" is the client address after mod_remoteip substitution (it falls back to
# the connection peer when the header is absent or untrusted); "%h" would
# always log the peer, i.e. the proxy.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
# The access log is piped through a script rather than written directly;
# presumably it redacts sensitive request data — see cli/sensitive-log.sh.
CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
# OpenID Connect single sign-on via mod_auth_openidc, active only when the
# OIDC_ENABLED define is present (presumably passed from the environment
# variable of the same name — confirm against the entrypoint).
<IfDefine OIDC_ENABLED>
<IfModule !auth_openidc_module>
# Abort startup rather than silently serve /i/ without the authentication layer.
Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
</IfModule>
# Workaround to be able to check whether an environment variable is set
# See: https://serverfault.com/questions/1022233/using-ifdefine-with-environment-variables/1022234#1022234
# How it works: "${VAR}" is left as the literal text ${VAR} when VAR is unset,
# so `Define "Test_${VAR}"` then creates a symbol named exactly Test_${VAR}.
# The <IfDefine Test_${VStart}VAR${VEnd}> checks below match that literal and
# therefore fire only when VAR is NOT set; the negated form is the "set" case.
Define VStart "${"
Define VEnd "}"
# Discovery document and client credentials are read from the environment;
# the client secret and crypto passphrase are never written into this file.
OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
# Callback path handled by mod_auth_openidc; it lies under /i/, which is the
# directory protected by the module further below.
OIDCRedirectURI /i/oidc/
OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
# Claim exposed as REMOTE_USER: preferred_username unless OIDC_REMOTE_USER_CLAIM is set.
Define "Test_${OIDC_REMOTE_USER_CLAIM}"
<IfDefine Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
OIDCRemoteUserClaim preferred_username
</IfDefine>
<IfDefine !Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
OIDCRemoteUserClaim "${OIDC_REMOTE_USER_CLAIM}"
</IfDefine>
# Requested scopes: just "openid" unless OIDC_SCOPES is set.
Define "Test_${OIDC_SCOPES}"
<IfDefine Test_${VStart}OIDC_SCOPES${VEnd}>
OIDCScope openid
</IfDefine>
<IfDefine !Test_${VStart}OIDC_SCOPES${VEnd}>
OIDCScope "${OIDC_SCOPES}"
</IfDefine>
# Only emitted when explicitly configured: letting the module trust
# X-Forwarded-* headers is appropriate solely behind a reverse proxy that
# sets them, so there is deliberately no default here.
Define "Test_${OIDC_X_FORWARDED_HEADERS}"
<IfDefine !Test_${VStart}OIDC_X_FORWARDED_HEADERS${VEnd}>
OIDCXForwardedHeaders ${OIDC_X_FORWARDED_HEADERS}
</IfDefine>
# Refresh the access token this many seconds before it expires.
OIDCRefreshAccessTokenBeforeExpiry 30
</IfDefine>
# Deny everything on the filesystem by default; access is opened per directory below.
<Directory />
AllowOverride None
Options FollowSymLinks
Require all denied
</Directory>
# Public web root. AllowOverride None stops Apache from reading .htaccess files
# at request time; the shipped rules are loaded once here via Include instead.
<Directory /var/www/FreshRSS/p>
AllowOverride None
Include /var/www/FreshRSS/p/.htaccess
Options FollowSymLinks
Require all granted
</Directory>
# API endpoint: its own rules from the repository .htaccess. Note that the
# OIDC requirement below applies to /i/ only, not here.
<Directory /var/www/FreshRSS/p/api>
Include /var/www/FreshRSS/p/api/.htaccess
</Directory>
# Application front-end.
<Directory /var/www/FreshRSS/p/i>
# No Expires headers for the dynamic pages served here.
ExpiresActive Off
# With SSO enabled, every request under /i/ needs a valid OIDC session.
<IfDefine OIDC_ENABLED>
AuthType openid-connect
Require valid-user
</IfDefine>
# Optional: unlike the other directories, a missing .htaccess here is not an error.
IncludeOptional /var/www/FreshRSS/p/i/.htaccess
</Directory>
# Static theme assets: rules from the repository .htaccess.
<Directory /var/www/FreshRSS/p/themes>
Include /var/www/FreshRSS/p/themes/.htaccess
</Directory>