mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-05-15 02:33:51 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
bbb28b5edae3c834fe36f034f434d3e47eda7ceb
FreshRSS/docs/en/admins/10_ServerConfig.md
polybjorn b08c4ef243 docs: standardise English heading style and surface hidden pages (#8766) 
Apply sentence case to all H1s in docs/en/ and remove redundant "FreshRSS"
from titles where the docs site context already implies it. Align the three
section index titles to "Administrator/Developer/User manual", matching
the existing root H1 "FreshRSS manual (English)".

Add missing H1s to two pages that were silently dropped from the sidebar:
the user FAQ and the Caddy reverse proxy page. The sidebar template uses
page.title (derived from H1 by jekyll-titles-from-headings), so pages
without an H1 had title=nil and were skipped.

Update sidebar parent labels in docs_nav.html and the chapter list in
en/index.md to use the new "* manual" naming. Update link text in section
indexes that referenced the old H1s. Bundle two grammar fixes encountered
along the way: "an User Interface" -> "a user interface", and drop the
awkward "the" in "Configuring the email address validation".

EN only. No filenames, URLs, or anchor targets changed (anchors come from
H2 and below, which are untouched). FR is generated from EN via po4a and
will be regenerated separately.

Co-authored-by: Bjørn A. Andersen <polybjorn@users.noreply.github.com>
2026-05-02 22:23:35 +02:00

4.4 KiB
Raw Blame History

Apache/Nginx configuration files

For improved security, remove sensitive information in the Web server logs by using our sensitive-log.sh script, on the model of our reference Apache configuration used for our official Docker images (see CustomLog).

Apache configuration

This is an example Apache virtual hosts configuration file. It covers HTTP and HTTPS configuration. For more details, check our reference Apache configuration used for our official Docker images.

<VirtualHost *:80>
	DocumentRoot /var/www/html/

	#Default site...

	ErrorLog ${APACHE_LOG_DIR}/error.default.log
	CustomLog ${APACHE_LOG_DIR}/access.default.log vhost_combined
</VirtualHost>

<VirtualHost *:80>
	ServerName rss.example.net
	DocumentRoot /path/to/FreshRSS/p/

	<Directory /path/to/FreshRSS/p>
		AllowOverride AuthConfig FileInfo Indexes Limit
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/freshrss_error.log
	# Consider piping the logs for cleaning passwords; cf. comment higher up.
	CustomLog ${APACHE_LOG_DIR}/freshrss_access.log combined

	AllowEncodedSlashes On
</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost *:443>
		ServerName rss.example.net
		DocumentRoot /path/to/FreshRSS/p/

		<Directory /path/to/FreshRSS/p>
			AllowOverride AuthConfig FileInfo Indexes Limit
			Require all granted
		</Directory>

		ErrorLog ${APACHE_LOG_DIR}/freshrss_error.log
		CustomLog ${APACHE_LOG_DIR}/freshrss_access.log combined

		<IfModule mod_http2.c>
			Protocols h2 http/1.1
		</IfModule>

		# For the API
		AllowEncodedSlashes On

		SSLEngine on
		SSLCompression off
		SSLCertificateFile /path/to/server.crt
		SSLCertificateKeyFile /path/to/server.key
		# Additional SSL configuration, e.g. with LetsEncrypt
	</VirtualHost>
</IfModule>

Nginx configuration

This is an example nginx configuration file. It covers HTTP, HTTPS, and php-fpm configuration.

You can find simpler config file but they may be incompatible with FreshRSS API.

server {
	listen 80;
	listen 443 ssl;

	# HTTPS configuration
	ssl on;
	ssl_certificate /etc/nginx/server.crt;
	ssl_certificate_key /etc/nginx/server.key;

	# your servers URL(s)
	server_name rss.example.net;

	# the folder p of your FreshRSS installation
	root /srv/FreshRSS/p/;

	index index.php index.html index.htm;

	# nginx log files
	access_log /var/log/nginx/rss.access.log;
	error_log /var/log/nginx/rss.error.log;

	# php files handling
	# this regex is mandatory because of the API
	location ~ ^.+?\.php(/.*)?$ {
		fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
		fastcgi_split_path_info ^(.+\.php)(/.*)$;
		# By default, the variable PATH_INFO is not set under PHP-FPM
		# But FreshRSS APIs greader.php and misc.php need it. If you have a “Bad Request” error, double check this var!
		# NOTE: the separate $path_info variable is required. For more details, see:
		# https://trac.nginx.org/nginx/ticket/321
		set $path_info $fastcgi_path_info;
		fastcgi_param PATH_INFO $path_info;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}

	location / {
		try_files $uri $uri/ index.php;
	}
}

Security

Avoid overwriting the Content-Security-Policy header with directives such as more_set_headers "Content-Security-Policy: ..." or add_header 'Content-Security-Policy' '...'.

Example of good CSP: default-src 'self'; frame-ancestors 'self'

Bad CSP: upgrade-insecure-requests

Debug your own CSP header:

If youre aware of the risks and want to ignore the warning shown to admin users, change the suppress_csp_warning setting to true in ./data/config.php.

Note that FreshRSS already ships with a secure CSP configuration, therefore its not necessary to make any adjustments to CSP unless youre writing an extension.

For that, look into the Minz_ActionController::_csp function and use it in individual actions.

Reference in New Issue View Git Blame Copy Permalink