
[BUG] Reverse proxy auth not working with update to 1.20.0

Open Tuphal opened this issue 2 years ago • 4 comments

In my FreshRSS feeds I saw the update to 1.20.0 available. After updating to v1.20.0 I could not login anymore with ProxyAuth.

I get the "403 forbidden" error: [screenshot]

Before the update everything worked. I use nginx proxy manager with the following header: proxy_set_header X-WEBAUTH-USER $authentik_username;

I tried defining the username directly in the reverse proxy, but the error is the same: proxy_set_header X-WEBAUTH-USER FreshRSSusername; same with the other header: proxy_set_header REMOTE-USER FreshRSSusername;

Changing config.php 'auth_type' => 'none', I can see the service running without issues.

Different ProxyAuth-Services (tandoor recipes, calibre-web,..) are working, therefore GoAuthentik can be excluded. Also it worked 5min before the FreshRSS-update.

What am I missing?

Tuphal, Sep 23 '22 08:09

Tinkering around, I found the issue: 'trusted_sources' did not have the internal docker network mentioned, which differs from the LAN address range.

There were no changes on the network, which made this issue not clear.

Tuphal, Oct 31 '22 07:10

Thanks for the investigation, @Tuphal

Alkarex, Oct 31 '22 07:10

Maybe we should add a hint in the error message

Alkarex, Oct 31 '22 07:10

I managed to solve this with a bunkerweb/authelia setup by replacing Remote-User with X-WebAuth-User (according to the docs, thanks). Maybe also worth adding config.custom.php, which I hope I configured the right way:

  // 'auth_type' is a top-level setting, not an entry of 'trusted_sources'
  'auth_type' => 'http_auth',
  'trusted_sources' => [
    // Trust docker networks
    "172.100.0.0/8"
  ],

artyorsh, Nov 17 '22 20:11

Hello, there have been many changes, and this issue might be resolved now, together with better documentation. Could anyone confirm with FreshRSS version 1.23 or edge?

Alkarex, Mar 14 '24 09:03

ping @Tuphal @artyorsh

math-GH, Apr 12 '24 18:04

I'm running freshrss:1.23.1-ls218 (LinuxServer repo) without issues since my second post here (fixing trusted_sources).

FreshRSS config:

'auth_type' => 'http_auth',
# Trusted IPs that are allowed to send unsafe headers
# Please read the documentation, before configuring this
# https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
'trusted_sources' => [
	'127.0.0.0/8',
	'172.0.0.1/8',
	'10.10.20.3/32',
	'10.10.20.103/32',
	'::1/128',
],

NPM config:

proxy_set_header X-WEBAUTH-USER $authentik_username;

Thanks for the work on this amazing software !

Tuphal, Apr 14 '24 18:04
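
The failure and fix discussed in this thread can be checked offline. The following is an added example, not FreshRSS code or code from the commenters: it tests whether the reverse proxy's source address falls inside `trusted_sources` and flags entries that are broader than intended. It assumes standard CIDR matching; the LAN-only list and the proxy address `172.18.0.2` are constructed values.

```python
import ipaddress

# Ranges this example treats as internal (RFC 1918, loopback, IPv6 ULA); an assumption.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]

def audit_entry(entry):
    """Normalize one trusted_sources entry and list what is questionable about it."""
    net = ipaddress.ip_network(entry, strict=False)
    warnings = []
    if ipaddress.ip_interface(entry).ip != net.network_address:
        warnings.append(f"host bits set; as a network this is {net}")
    if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
        warnings.append("covers addresses outside private/loopback space")
    return net, warnings

def audit(trusted_sources, proxy_peer):
    """Report which entries match the proxy's source IP, plus per-entry warnings."""
    peer = ipaddress.ip_address(proxy_peer)
    report = {"matched_by": [], "warnings": {}}
    for entry in trusted_sources:
        net, warns = audit_entry(entry)
        if peer.version == net.version and peer in net:
            report["matched_by"].append(entry)
        if warns:
            report["warnings"][entry] = warns
    return report

# trusted_sources as posted in the thread's last comment.
THREAD_CONFIG = ["127.0.0.0/8", "172.0.0.1/8", "10.10.20.3/32",
                 "10.10.20.103/32", "::1/128"]
# Constructed values: a LAN-only list and a Docker bridge address for the proxy.
LAN_ONLY = ["127.0.0.0/8", "192.168.1.0/24", "::1/128"]
PROXY_PEER = "172.18.0.2"

if __name__ == "__main__":
    for name, cfg in (("LAN only", LAN_ONLY), ("thread config", THREAD_CONFIG)):
        result = audit(cfg, PROXY_PEER)
        print(name, "-> proxy trusted:", bool(result["matched_by"]))
        for entry, warns in result["warnings"].items():
            print("  ", entry, "->", "; ".join(warns))
```

An entry of `172.16.0.0/12` passes both checks and still matches the constructed proxy address.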