[Feature] Add Support For OpenID Connect (OIDC) Reverse Proxy Configurations To The Docker Image #5516
Comments
I have not had time to look at the issue yet, but maybe something for @otaconix

I'll take a look. I use more or less the same stack (Caddy as reverse proxy + Authentik as IdP), so I may be getting the same warnings.

The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`) in case FreshRSS is running behind a reverse proxy, so it knows what host, protocol and port were used to access it. This information is then used in the `redirect_uri` when directing the user agent (browser) to the identity provider for authentication. Please note that, if you are running FreshRSS behind a reverse proxy that handles TLS, you may need to update your identity provider's configuration so it accepts `https://...` as a `redirect_uri`.
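As an added illustration (not code from the comment above, from mod_auth_openidc or from FreshRSS), the following Python models how a relying party behind a reverse proxy derives its `redirect_uri` from what the backend itself sees, with and without honoring the `X-Forwarded-*` headers that `OIDCXForwardedHeaders` enables. The trusted-proxy network list, the callback path and the sample addresses are assumptions constructed for the example.

```python
# Added illustration (not mod_auth_openidc's or FreshRSS's code) of how a relying
# party behind a reverse proxy derives its OIDC redirect_uri with and without
# honoring X-Forwarded-* headers, i.e. what OIDCXForwardedHeaders changes.
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_origin(req, honor_forwarded, trusted_proxies):
    """Return (scheme, host, port) to use for externally visible URLs.

    req: what the backend itself saw (remote_addr, scheme, host, port, headers).
    honor_forwarded: models OIDCXForwardedHeaders being set.
    trusted_proxies: assumed admin-supplied list of proxy networks; forwarded
    headers are only believed when the connecting peer is inside one of them.
    """
    scheme, host, port = req["scheme"], req["host"], req["port"]
    peer_ok = any(ip_address(req["remote_addr"]) in ip_network(n) for n in trusted_proxies)
    if honor_forwarded and peer_ok:
        h = {k.lower(): v for k, v in req.get("headers", {}).items()}
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        port = int(h.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, port)))
    return scheme, host, port


def redirect_uri(req, path, honor_forwarded, trusted_proxies):
    """Absolute redirect_uri that would be sent to the identity provider."""
    scheme, host, port = external_origin(req, honor_forwarded, trusted_proxies)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


# Constructed sample: Caddy terminates TLS for rss.example.com and forwards to
# the container over plain HTTP on port 80 from the Docker network 172.18.0.0/16.
PROXY_NETS = ("172.18.0.0/16",)
CALLBACK = "/oidc/callback"  # placeholder path, not FreshRSS's real one
FROM_PROXY = {
    "remote_addr": "172.18.0.2", "scheme": "http", "host": "freshrss", "port": 80,
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "rss.example.com",
                "X-Forwarded-Port": "443"},
}
# Same headers, but sent by a peer that is not the proxy: they must be ignored.
NOT_PROXY = dict(FROM_PROXY, remote_addr="10.9.8.7")

if __name__ == "__main__":
    # Without the directive the IdP is asked for http://freshrss/..., which it
    # will not have registered; with it, the public https URL is used.
    print(redirect_uri(FROM_PROXY, CALLBACK, False, PROXY_NETS))
    print(redirect_uri(FROM_PROXY, CALLBACK, True, PROXY_NETS))
    print(redirect_uri(NOT_PROXY, CALLBACK, True, PROXY_NETS))
```

The first call reproduces the mismatch that makes the identity provider reject the `redirect_uri`; the second is what the provider must have registered once TLS is terminated at the proxy.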
Note that if and when my PR gets merged, and you start using this environment variable, you may need to update your identity provider's configuration (since FreshRSS will now use a

@arazilsongweaver would you be able to test #5523 ?

@Alkarex FreshRSS is working as expected after applying the patch from #5523. I have encountered no OIDC errors in my brief functionality test of the platform.

Testing method: I added the proposed Apache configuration file to the existing FreshRSS "edge" image via a bind mount. I also added the following to my environment variables file:

Thanks for getting this fixed.

Thanks for the test!
* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516)

  The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`) in case FreshRSS is running behind a reverse proxy, so it knows what host, protocol and port were used to access it. This information is then used in the `redirect_uri` when directing the user agent (browser) to the identity provider for authentication. Please note that, if you are running FreshRSS behind a reverse proxy that handles TLS, you may need to update your identity provider's configuration so it accepts `https://...` as a `redirect_uri`.

* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive

* Minor spelling

---------

Co-authored-by: Stefan Zwanenburg <stefan@zwanenburg.info>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

Related change: #5549
Is your feature request related to a problem? Please describe.
If you use a reverse proxy in front of the FreshRSS "edge" Docker image with OpenID Connect (OIDC) enabled through Docker environment variables, you will repeatedly get these console messages upon site access:
Describe the solution you’d like
The FreshRSS Docker image should have a "REV_PROXY" variable that, when set to "true", adds "OIDCXForwardedHeaders" and any other requisite configuration to the Apache configuration file.
Describe alternatives you’ve considered
The alternative is to write a custom Apache configuration file with the reverse proxy changes and bind mount that custom file into the image at "/etc/apache2/sites-available/FreshRSS.Apache.conf".
Additional context
We're using Caddy as the reverse proxy and Keycloak as the OpenID server.