Home Verkennen Help
Inloggen
LBP
/
FressRSS
spiegel van https://github.com/FreshRSS/FreshRSS.git
4
0
Vork 0
Bestanden Issues 0 Wiki
Bladeren bron

Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516) (#5523)

* Add OIDC_X_FORWARDED_HEADERS environment variable (fixes #5516)

The mod_auth_oidc needs an additional directive (`OIDCXForwardedHeaders`)
in case FreshRSS is running behind a reverse proxy, so it knows what host,
protocol and port were used to access it. This information is then used
in the `redirect_uri` when directing the user agent (browser) to the identity
provider for authentication.

Please note that, if you are running FreshRSS behind a reverse proxy that
handles TLS, you may need to update your identity provider's configuration so
it accepts `https://...` as a `redirect_uri`.

* Add link to mod_auth_openidc's documentation for the OIDCXForwardedHeaders Apache configuration directive

* Minor spelling

---------

Co-authored-by: Stefan Zwanenburg <stefan@zwanenburg.info>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
otaconix 2 jaren geleden
bovenliggende
db5d458cb2
commit
a066be93b0
2 gewijzigde bestanden met toevoegingen van 5 en 0 verwijderingen
Zij-aan-zij weergave Toon Diff Stats
  1. 4 0
      Docker/FreshRSS.Apache.conf
  2. 1 0
      docs/en/admins/16_OpenID-Connect.md

+ 4 - 0
Docker/FreshRSS.Apache.conf
Bestand weergeven 

@@ -41,6 +41,10 @@ TraceEnable Off
 
 	<IfDefine !Test_${VStart}OIDC_SCOPES${VEnd}>
 
 		OIDCScope "${OIDC_SCOPES}"
 
 	</IfDefine>
 
+	Define "Test_${OIDC_X_FORWARDED_HEADERS}"
 
+	<IfDefine !Test_${VStart}OIDC_X_FORWARDED_HEADERS${VEnd}>
 
+		OIDCXForwardedHeaders ${OIDC_X_FORWARDED_HEADERS}
 
+	</IfDefine>
 
 
 	OIDCRefreshAccessTokenBeforeExpiry 30
 
 </IfDefine>

+ 1 - 0
docs/en/admins/16_OpenID-Connect.md
Bestand weergeven 

@@ -22,6 +22,7 @@ OIDC support in Docker is activated by the presence of a non-empty non-zero `OID
 
 * `OIDC_CLIENT_CRYPTO_KEY`: An opaque key used for internal encryption.
 
 * `OIDC_REMOTE_USER_CLAIM`: The claim to use as the username within FreshRSS. Defaults to `preferred_username`. Depending on what you choose here, and your identity provider, you’ll need to adjust the scopes you request so that this claim will be accessible. Refer to your identity provider’s documentation.
 
 * `OIDC_SCOPES`: The OIDC scopes to request. Defaults to `openid`. As mentioned previously, make sure the scopes you pick contain whatever `OIDC_REMOTE_USER_CLAIM` you chose.
 
+* `OIDC_X_FORWARDED_HEADERS`: Optional. Use when running FreshRSS is behind a reverse proxy, so the OIDC module can determine what hostname, port and protocol were used to access FreshRSS. Must be one or more of `Forwarded`, `X-Forwarded-Host`, `X-Forwarded-Port` or `X-Forwarded-Proto` (separate multiple values with a space). See [mod_auth_openidc’s documentation for details](https://github.com/OpenIDC/mod_auth_openidc/blob/72c9f479c2d228477ff0a9518964f61879c83fb6/auth_openidc.conf#L1041-L1048).
 
 
 You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file.