mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-01-29 07:31:06 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
5110d1db3e030d4f7960e18bf3e9db8cb5a2fa3a
FreshRSS/docs/en/admins/09_AccessControl.md
drosoCode 2aba861bc9 Add HTTP_REMOTE_USER header for auth (#4063) 
* add HTTP_REMOTE_USER header for auth

* add ip whitelist for HTTP_REMOTE_USER header

* add IPv6 support for header auth

* fix formatting

* A few fixes

* Add some default trusted sources

* Fix IPv6 doc

* More standard header names

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2022-04-02 21:40:30 +02:00

45 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Access Control
FreshRSS offers three methods of Access control: Form Authentication using JavaScript, HTTP based Authentication, or an uncontrolled state with no authentication required.
## Form Authentication
Form Authentication requires the use of JavaScript. It will work on any supported version of PHP,
but version 5.5 or newer is recommended (see footnote 1 in [prerequisites](02_Prerequisites.md) for the reason why).
This option requires nothing more than selecting Form Authentication during installation.
## HTTP Authentication
You may also choose to use HTTP Authentication provided by your web server.[^1]
If you choose to use this option, create a `./p/i/.htaccess` file with a matching `.htpasswd` file.
You can also use any authentication backend as long as your web server exposes the authenticated user through the `Remote-User` variable.
By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in.
You can disable auto-registration of new users by setting `http_auth_auto_register` to `false` in the configuration file.
When using auto-registration, you can optionally use the `http_auth_auto_register_email_field` to specify the name of a web server
variable containing the email address of the authenticated user (e.g. `REMOTE_USER_EMAIL`).
## External Authentication
You may also use the `Remote-User` or `X-WebAuth-User` header to integrate with a your reverse-proxys authentication.
To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option.
To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`.
Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`.
WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isnt properly secured, an attacker could simply attach this header and get admin access.
## No Authentication
Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
It is never advisable to not use any form of authentication, but **never** chose this option on a server that is able to be accessed outside of your home network.
## Hints
You can switch your authentication method at any time by editing the `./data/config.php` file, on the line that begins `'auth_type'`.
[^1]: See [the Apache documentation](https://httpd.apache.org/docs/trunk/howto/auth.html)
Reference in New Issue View Git Blame Copy Permalink