
[Feature] Add Support For OpenID Connect (OIDC) Reverse Proxy Configurations To The Docker Image #5516

Closed
arazilsongweaver opened this issue Jul 10, 2023 · 7 comments · Fixed by #5523

Comments

@arazilsongweaver

Is your feature request related to a problem? Please describe.
If you use a reverse proxy in front of the FreshRSS "edge" Docker image with OpenID Connect (OIDC) enabled through Docker environment variables, you will repeatedly get these console messages upon site access:

freshrss  | [Mon Jul 10 00:24:19.605840 2023] [auth_openidc:warn] [pid NNN] [client 172.NNN.NNN.NNN:59072] oidc_check_x_forwarded_hdr: header X-Forwarded-Host received but OIDCXForwardedHeaders not configured for it
freshrss  | [Mon Jul 10 00:24:19.605842 2023] [auth_openidc:warn] [pid NNN] [client 172.NNN.NNN.NNN:59072] oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it

Describe the solution you’d like

The FreshRSS Docker image should have a "REV_PROXY" variable that, when set to "true", adds "OIDCXForwardedHeaders" and any other requisite configuration to the Apache configuration file.

Describe alternatives you’ve considered

The alternative is to write a custom Apache configuration file with the reverse proxy changes and bind mount that custom file into the image at "/etc/apache2/sites-available/FreshRSS.Apache.conf".

Additional context
We're using Caddy as the reverse proxy and Keycloak as the OpenID server.

@Alkarex Alkarex added this to the 1.22.0 milestone Jul 10, 2023
@Alkarex
Member

Alkarex commented Jul 11, 2023

I have not had time to look at the issue yet, but maybe something for @otaconix

@otaconix
Contributor

I'll take a look. I use more or less the same stack (Caddy as reverse proxy + Authentik as IdP), so I may be getting the same warnings.

otaconix pushed a commit to otaconix/FreshRSS that referenced this issue Jul 11, 2023
The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.

Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.
@otaconix
Contributor

otaconix commented Jul 11, 2023

Note that if and when my PR gets merged, and you start using this environment variable, you may need to update your identity provider's configuration (since FreshRSS will now use a redirect_uri with the correct protocol, which may be https, and which was probably http prior to using this environment variable).
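
The following is an added illustration, not code from mod_auth_openidc, FreshRSS or anyone in this thread. It models how a relying party behind a reverse proxy derives the `redirect_uri` it sends to the identity provider, once without honouring the X-Forwarded-* headers (the directive not configured) and once honouring exactly the headers named in the issue's test value `X-Forwarded-Host X-Forwarded-Proto`. The header names are those from the warnings above; the hostnames, the callback path and the precedence rules are assumptions, a simplified stand-in for the real module's logic. It also shows why the IdP's registered redirect URI must be updated (exact string matching), and why the directive must only be enabled when the proxy overwrites those headers: a client-supplied `X-Forwarded-Host` that the proxy passes through unchanged ends up in the `redirect_uri`.

```python
"""Model of redirect_uri derivation behind a reverse proxy (added example;
not mod_auth_openidc's or FreshRSS's code). Hostnames and the callback path
are assumed values chosen for the demonstration."""

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_forwarded_setting(value):
    """Turn the space-separated directive value (the same format as the
    OIDC_X_FORWARDED_HEADERS variable tested in this issue) into a set of
    lower-cased header names. None/empty means the directive is not set,
    so no X-Forwarded-* header is trusted at all."""
    return {h.strip().lower() for h in (value or "").split() if h.strip()}


def _first(value):
    # A header may carry a comma-separated chain; the first entry is the
    # one set by the outermost proxy.
    return value.split(",")[0].strip()


def _host_port(value, default_port):
    """Split 'host[:port]' as found in Host / X-Forwarded-Host."""
    value = _first(value)
    if ":" in value and not value.startswith("["):
        host, port_s = value.rsplit(":", 1)
        return host, int(port_s)
    return value, default_port


def effective_origin(headers, trusted, local_scheme="http",
                     local_host="freshrss", local_port=80):
    """Return (scheme, host, port) the backend will use for absolute URLs.

    `headers`: request headers as the backend receives them from the proxy.
    `trusted`: set of X-Forwarded-* names the directive allows.
    `local_*`: the connection the backend itself accepted (plain HTTP on
    port 80 inside the container is the assumed default).
    Precedence (assumed, simplified): X-Forwarded-Port > port in
    X-Forwarded-Host > default port of the trusted X-Forwarded-Proto >
    port in Host > local port."""
    lower = {k.lower(): v for k, v in headers.items()}
    scheme = local_scheme
    host, port = _host_port(lower.get("host", local_host), local_port)
    if "x-forwarded-proto" in trusted and "x-forwarded-proto" in lower:
        scheme = _first(lower["x-forwarded-proto"]).lower()
        port = DEFAULT_PORT.get(scheme, port)
    if "x-forwarded-host" in trusted and "x-forwarded-host" in lower:
        host, port = _host_port(lower["x-forwarded-host"], port)
    if "x-forwarded-port" in trusted and "x-forwarded-port" in lower:
        port = int(_first(lower["x-forwarded-port"]))
    return scheme, host, port


def redirect_uri(headers, trusted, callback_path="/oidc/callback"):
    """Build the redirect_uri the relying party would send to the IdP
    (callback path is an assumption for the example)."""
    scheme, host, port = effective_origin(headers, trusted)
    authority = host if port == DEFAULT_PORT.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{authority}{callback_path}"


def idp_accepts(uri, registered):
    """Providers compare redirect_uri against the registered list by exact
    string match, so an http -> https change needs the client's IdP
    configuration updated, as the commit message above warns."""
    return uri in registered


if __name__ == "__main__":
    # Constructed request as it reaches the backend from a TLS-terminating
    # proxy that talks plain HTTP to the container and preserves Host.
    proxied = {"Host": "rss.example.net",
               "X-Forwarded-Host": "rss.example.net",
               "X-Forwarded-Proto": "https"}
    registered = {"https://rss.example.net/oidc/callback"}
    off = parse_forwarded_setting(None)
    on = parse_forwarded_setting("X-Forwarded-Host X-Forwarded-Proto")
    for label, trusted in (("directive off", off), ("directive on", on)):
        uri = redirect_uri(proxied, trusted)
        print(f"{label}: {uri} accepted={idp_accepts(uri, registered)}")
    # If the proxy forwarded a client-supplied header unchanged, the value
    # would flow straight into redirect_uri; the proxy must overwrite it.
    spoofed = dict(proxied, **{"X-Forwarded-Host": "attacker.example"})
    print("passthrough of client header:", redirect_uri(spoofed, on))
```

With the directive off the model yields `http://rss.example.net/oidc/callback`, which the IdP rejects against the registered `https://...` URI; with the two headers trusted it yields the https form. Before enabling the headers, confirm that your proxy sets `X-Forwarded-Host` and `X-Forwarded-Proto` itself rather than relaying whatever the client sent.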

@Alkarex
Member

Alkarex commented Jul 11, 2023

@arazilsongweaver would you be able to test #5523 ?

@arazilsongweaver
Author

arazilsongweaver commented Jul 12, 2023

@Alkarex FreshRSS is working as expected after applying the patch from #5523. I have encountered no OIDC errors in my brief functionality test of the platform.

Testing method: I added the proposed Apache configuration file to the existing FreshRSS "edge" image via a bind mount. I also added the following to my environment variables file: OIDC_X_FORWARDED_HEADERS="X-Forwarded-Host X-Forwarded-Proto"

Thanks for getting this fixed.

@Alkarex
Member

Alkarex commented Jul 16, 2023

Thanks for the test!

Alkarex added a commit that referenced this issue Jul 16, 2023
* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516)

The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.

Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.

* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive

* Minor spelling

---------

Co-authored-by: Stefan Zwanenburg <stefan@zwanenburg.info>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
@Alkarex
Member

Alkarex commented Jul 26, 2023

Related change: #5549
Tests and feedback welcome
