Files
FreshRSS/docs/en/admins/09_AccessControl.md
Inverle dcec27c69d Add SSRF mitigations using filter_var and CURLOPT_RESOLVE (#8400)
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.

Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78

* Add allowlist setting in Web UI

* make readme

* Update app/i18n/fr/admin.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme again

* make readme

* Further work

Still WIP and needs testing etc.

* Readd previous if check for domain combination allowlist

* Turn POST to GET after redirect

* Improve

* Update config.default.php

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* make readme

* Skip SSRF check if `CURLOPT_PROXY` is set

* make readme

* Fix `!empty()` mistake

* Respect max redirects feed option when fetching with `httpGet()`

* Respect max redirects during SimplePie fetching + fix bypass

bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.

* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980

* Corrected hook code

* phpdoc wrong return type

* Add CIDR support in allowlist

* Implement simple DNS caching

* Suppress `dns_get_record()` warnings

* A bit of proof-reading

* Minor typo

* Fix proxy logic

* Fix HTTP POST redirect logic

* Proofread checkCIDR
Add fixes for several situations

* Remove credentials from URL in logs

* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end

* Fix codesniffer long line

* Fix potential bypass due to wrong return value

If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.

* Put the URL at the end in logs

* Add documentation and environment variable support

* make readme

* Fix wrong behavior in case of IP

* Fix duplicate selector in CSS

* Minor type check change

* i18n fr, en

* Minor type check change

* Fix whitespace i18n fr

* make fix-all

* Fix `$ips_ok` not being returned after domain records were cached

* make readme

* PHPStan fix

* make readme

* Minor syntax in SimplePie

* Only return `null` if no allowed IPs were found

* Add wildcard *, help message

* Consistent docs with help message

* i18n: pl

* SimplePie compatibility PHP 7.2

* make fix-all

* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76

* 💥 Breaking change in the Changelog

* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs

* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect

* Minor whitespace
And same comment convention than below

* Remove authentication headers and change POST to GET on redirect in SimplePie

* Remove .local in Docker example

* Fill in default ports when comparing URL origins

* Remove .local from other places than the Docker example

* Rewrite WebSub subscribe to use `httpGet()`

* make fix-all

* Also unset `CURLOPT_USERPWD` during redirects

* phpcs fix

* Always unset `CURLOPT_FOLLOWLOCATION`

* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78

* Update logic for CURLOPT_FOLLOWLOCATION

* Fix PHPStan

* Changelog fix security section

* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge

* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2026-06-28 18:51:04 +02:00

5.5 KiB
Raw Blame History

Access control

FreshRSS offers three methods of Access control: Form Authentication using JavaScript, HTTP based Authentication, or an uncontrolled state with no authentication required.

Server-side feed fetching & security considerations

FreshRSS fetches RSS feeds using server-side HTTP requests (via the cURL library). This design allows users to subscribe to feeds hosted not just on the public internet, but also on internal or private networks. For example, many users connect FreshRSS to tools like RSS-Bridge, cron jobs, or local automation services such as Node-RED, all of which may run on localhost or internal IPs.

In self-hosted, single-user setups, this behaviour is expected and usually safe. However, in multi-user or public-facing instances, this same functionality can introduce a potential security risk known as Server-Side Request Forgery (SSRF).

In an SSRF scenario, a malicious user could submit a feed URL that points to internal network services, such as:

  • http://127.0.0.1 (loopback)
  • http://169.254.169.254 (cloud metadata services)
  • Other services not meant to be exposed externally

FreshRSS blocks these unsafe requests by default, due to the security risks written above, though certain hosts can be excluded from the block by going to Settings > System configuration and making changes to the internal host allowlist. Entries are separated by newlines, and must be a host:port combination, for example 127.0.0.1:8080, rss-bridge:80 or a CIDR notation ('0.0.0.0/0' to allow any IPv4, ::/0 to allow any IPv6). Another option is to set an INTERNAL_HOST_ALLOWLIST environment variable (e.g. in your docker-compose file). The entries there are separated by whitespace instead. Adding * disables the SSRF check completely (unsafe).

  • Run FreshRSS behind a firewall or reverse proxy that blocks access to internal IP ranges
  • Use container isolation or a virtual network to prevent access to sensitive endpoints
  • Avoid exposing your FreshRSS instance directly to the internet unless you fully trust all users

These steps are not necessary for trusted, single-user deployments, but are strongly advised in shared environments.

Note: For Docker-based deployments, localhost refers to the containers internal network.

Form Authentication

Form Authentication requires the use of JavaScript. It will work on any supported version of PHP.

This option requires nothing more than selecting Form Authentication during installation.

HTTP Authentication

You may also choose to use HTTP Authentication provided by your web server.1

If you choose to use this option, create a ./p/i/.htaccess file with a matching .htpasswd file.

You can also use any authentication backend as long as your web server exposes the authenticated user through the REMOTE_USER variable.

By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in. You can disable auto-registration of new users by setting http_auth_auto_register to false in the configuration file. When using auto-registration, you can optionally use the http_auth_auto_register_email_field to specify the name of a web server variable containing the email address of the authenticated user (e.g. REMOTE_USER_EMAIL).

External Authentication

You may also use the Remote-User or X-WebAuth-User HTTP headers to integrate with a reverse-proxys authentication.

To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the trusted_sources configuration option. To allow only one IPv4, you can use a /32 like this: trusted_sources => [ '192.168.1.10/32' ]. Likewise to allow only one IPv6, you can use a /128 like this: trusted_sources => [ '::1/128' ].

You may alternatively pass a TRUSTED_PROXY environment variable in a format compatible with Apaches mod_remoteip RemoteIPInternalProxy.

☠️ WARNING: FreshRSS will trust any IP configured in the trusted_sources option, if your proxy isnt properly secured, an attacker could simply attach this header and get admin access.

Authentik Proxy Provider

If you wish to use external authentication with Authentik, you will need to configure a Proxy Provider with a Property Mapping that tells Authentik to inject the X-WebAuth-User HTTP header. You can do so with the following expression:

return {
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "X-WebAuth-User": request.user.username,
            }
        }
    }
}

See also another option for Authentik, using the OAuth2 Provider with OpenID.

No Authentication

Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin. It is never advisable to not use any form of authentication, but never choose this option on a server that is able to be accessed outside of your home network.

OpenID Connect

Hints

You can switch your authentication method at any time by editing the ./data/config.php file, on the line that begins 'auth_type'.