mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-07-16 18:12:53 -04:00
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.
Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php
https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78
* Add allowlist setting in Web UI
* make readme
* Update app/i18n/fr/admin.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme again
* make readme
* Further work
Still WIP and needs testing etc.
* Readd previous if check for domain combination allowlist
* Turn POST to GET after redirect
* Improve
* Update config.default.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme
* Skip SSRF check if `CURLOPT_PROXY` is set
* make readme
* Fix `!empty()` mistake
* Respect max redirects feed option when fetching with `httpGet()`
* Respect max redirects during SimplePie fetching + fix bypass
bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.
* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980
* Corrected hook code
* phpdoc wrong return type
* Add CIDR support in allowlist
* Implement simple DNS caching
* Suppress `dns_get_record()` warnings
* A bit of proof-reading
* Minor typo
* Fix proxy logic
* Fix HTTP POST redirect logic
* Proofread checkCIDR
Add fixes for several situations
* Remove credentials from URL in logs
* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end
* Fix codesniffer long line
* Fix potential bypass due to wrong return value
If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.
* Put the URL at the end in logs
* Add documentation and environment variable support
* make readme
* Fix wrong behavior in case of IP
* Fix duplicate selector in CSS
* Minor type check change
* i18n fr, en
* Minor type check change
* Fix whitespace i18n fr
* make fix-all
* Fix `$ips_ok` not being returned after domain records were cached
* make readme
* PHPStan fix
* make readme
* Minor syntax in SimplePie
* Only return `null` if no allowed IPs were found
* Add wildcard *, help message
* Consistent docs with help message
* i18n: pl
* SimplePie compatibility PHP 7.2
* make fix-all
* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76
* 💥 Breaking change in the Changelog
* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs
* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect
* Minor whitespace
And same comment convention than below
* Remove authentication headers and change POST to GET on redirect in SimplePie
* Remove .local in Docker example
* Fill in default ports when comparing URL origins
* Remove .local from other places than the Docker example
* Rewrite WebSub subscribe to use `httpGet()`
* make fix-all
* Also unset `CURLOPT_USERPWD` during redirects
* phpcs fix
* Always unset `CURLOPT_FOLLOWLOCATION`
* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78
* Update logic for CURLOPT_FOLLOWLOCATION
* Fix PHPStan
* Changelog fix security section
* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge
* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
101 lines
5.5 KiB
Markdown
101 lines
5.5 KiB
Markdown
# Access control
|
||
|
||
FreshRSS offers three methods of Access control: Form Authentication using JavaScript, HTTP based Authentication, or an uncontrolled state with no authentication required.
|
||
|
||
## Server-side feed fetching & security considerations
|
||
|
||
FreshRSS fetches RSS feeds using server-side HTTP requests (via the cURL library).
|
||
This design allows users to subscribe to feeds hosted not just on the public internet, but also on internal or private networks.
|
||
For example, many users connect FreshRSS to tools like RSS-Bridge, cron jobs, or local automation services such as Node-RED, all of which may run on `localhost` or internal IPs.
|
||
|
||
In self-hosted, single-user setups, this behaviour is expected and usually safe.
|
||
However, in **multi-user or public-facing instances**, this same functionality can introduce a potential security risk known as **Server-Side Request Forgery (SSRF)**.
|
||
|
||
In an SSRF scenario, a malicious user could submit a feed URL that points to internal network services, such as:
|
||
|
||
* `http://127.0.0.1` (loopback)
|
||
* `http://169.254.169.254` (cloud metadata services)
|
||
* Other services not meant to be exposed externally
|
||
|
||
FreshRSS blocks these unsafe requests by default, due to the security risks written above, though certain hosts can be excluded from the block by going to `Settings > System configuration` and making changes to the internal host allowlist.
|
||
Entries are separated by newlines, and must be a `host:port` combination, for example `127.0.0.1:8080`, `rss-bridge:80` or a CIDR notation ('0.0.0.0/0' to allow any IPv4, `::/0` to allow any IPv6).
|
||
Another option is to set an `INTERNAL_HOST_ALLOWLIST` environment variable (e.g. in your docker-compose file). The entries there are separated by whitespace instead.
|
||
Adding `*` disables the SSRF check completely (unsafe).
|
||
|
||
### Recommended mitigations for shared/public setups
|
||
|
||
* Run FreshRSS behind a firewall or reverse proxy that blocks access to internal IP ranges
|
||
* Use container isolation or a virtual network to prevent access to sensitive endpoints
|
||
* Avoid exposing your FreshRSS instance directly to the internet unless you fully trust all users
|
||
|
||
These steps are not necessary for trusted, single-user deployments, but are strongly advised in shared environments.
|
||
|
||
> _Note: For Docker-based deployments, `localhost` refers to the container’s internal network._
|
||
|
||
|
||
## Form Authentication
|
||
|
||
Form Authentication requires the use of JavaScript. It will work on any supported version of PHP.
|
||
|
||
This option requires nothing more than selecting Form Authentication during installation.
|
||
|
||
## HTTP Authentication
|
||
|
||
You may also choose to use HTTP Authentication provided by your web server.[^1]
|
||
|
||
If you choose to use this option, create a `./p/i/.htaccess` file with a matching `.htpasswd` file.
|
||
|
||
You can also use any authentication backend as long as your web server exposes the authenticated user through the `REMOTE_USER` variable.
|
||
|
||
By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in.
|
||
You can disable auto-registration of new users by setting `http_auth_auto_register` to `false` in the configuration file.
|
||
When using auto-registration, you can optionally use the `http_auth_auto_register_email_field` to specify the name of a web server
|
||
variable containing the email address of the authenticated user (e.g. `REMOTE_USER_EMAIL`).
|
||
|
||
## External Authentication
|
||
|
||
You may also use the `Remote-User` or `X-WebAuth-User` HTTP headers to integrate with a reverse-proxy’s authentication.
|
||
|
||
To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option.
|
||
To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`.
|
||
Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`.
|
||
|
||
You may alternatively pass a `TRUSTED_PROXY` environment variable in a format compatible with [Apache’s `mod_remoteip` `RemoteIPInternalProxy`](https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy).
|
||
|
||
> ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
|
||
|
||
### Authentik Proxy Provider
|
||
|
||
If you wish to use external authentication with [Authentik](https://goauthentik.io/),
|
||
you will need to configure a [Proxy Provider](https://docs.goauthentik.io/add-secure-apps/providers/proxy/) with a _Property Mapping_ that tells Authentik to inject the `X-WebAuth-User` HTTP header.
|
||
You can do so with the following expression:
|
||
|
||
```python
|
||
return {
|
||
"ak_proxy": {
|
||
"user_attributes": {
|
||
"additionalHeaders": {
|
||
"X-WebAuth-User": request.user.username,
|
||
}
|
||
}
|
||
}
|
||
}
|
||
```
|
||
|
||
See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md).
|
||
|
||
## No Authentication
|
||
|
||
Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
|
||
It is never advisable to not use any form of authentication, but **never** choose this option on a server that is able to be accessed outside of your home network.
|
||
|
||
## OpenID Connect
|
||
|
||
* See [dedicated section](16_OpenID-Connect.md).
|
||
|
||
## Hints
|
||
|
||
You can switch your authentication method at any time by editing the `./data/config.php` file, on the line that begins `'auth_type'`.
|
||
|
||
[^1]: See [the Apache documentation](https://httpd.apache.org/docs/trunk/howto/auth.html)
|