I've been struggling with setting up FreshRSS with proxy authentication through Authentik. My system, for the sake of this discussion, consists of NPM, Authentik and FreshRSS all running in docker containers on the same physical server (internal IP: 10.0.0.11), in the same Docker network.
Here's the custom NPM configuration set in the FreshRSS proxy host:
```nginx
location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header X-WebAuth-User $authentik_username;

    ##############################
    # authentik-specific config
    ##############################
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://10.0.0.11:9999/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.mydomain.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
The idea is for Authentik to pass the X-WebAuth-User header, which FreshRSS can accept for authentication purposes. However, in order for that to be permitted, FreshRSS relies on a list of trusted proxies, which, in my case, contains the internal network (10.0.0.0/8). Nevertheless, when debugging the login process, FreshRSS shows my public IP address in the REMOTE_ADDR php variable/header – which is not in the trusted proxies list and thus I cannot log in.
Here's what the FreshRSS developer said in the issue I linked above:
Well, I believe REMOTE_ADDR is the only address visible from PHP, so that is up to your proxy. But if you whitelist that IP, you should make sure your proxy does not forward those headers if they appear from an external request.
So, here's the question: is there a way to substitute my public IP with that of NPM? Otherwise, no one would be able to use/access FreshRSS outside of my home.
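Added illustration, not FreshRSS's or the poster's code: a minimal model of the trusted-proxy check the developer describes, using the poster's 10.0.0.0/8 list and a constructed public address (203.0.113.9) standing in for the poster's real one. It shows why the header is rejected when REMOTE_ADDR holds the public IP, and that the same rule is what stops a header sent directly by a client from being honoured.

```python
import ipaddress
from typing import Optional

# Constructed model of a trusted-proxy check for a proxy-auth header such as
# X-WebAuth-User. Illustration only; this is not FreshRSS's implementation.

TRUSTED_PROXIES = ["10.0.0.0/8"]          # the poster's trusted list
PROXY_AUTH_HEADER = "HTTP_X_WEBAUTH_USER"  # CGI name of the X-WebAuth-User header


def _in_trusted(addr: str, cidrs) -> bool:
    """True if addr lies inside any of the trusted CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def proxy_auth_user(environ: dict, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Return the proxy-asserted username, or None if it must not be trusted.

    The decision uses REMOTE_ADDR only: that is the TCP peer that actually
    delivered the request, so it is the one value a client cannot change by
    adding headers. X-Forwarded-For is deliberately ignored for this decision.
    """
    user = environ.get(PROXY_AUTH_HEADER, "").strip()
    if not user:
        return None
    if not _in_trusted(environ.get("REMOTE_ADDR", ""), trusted):
        return None
    return user


# Constructed requests (not captured traffic).
VIA_NPM = {"REMOTE_ADDR": "10.0.0.11", "HTTP_X_WEBAUTH_USER": "alice"}
POSTERS_SYMPTOM = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_WEBAUTH_USER": "alice",
                   "HTTP_X_FORWARDED_FOR": "203.0.113.9"}
DIRECT_CLIENT = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_WEBAUTH_USER": "admin"}

if __name__ == "__main__":
    for name, env in [("via NPM", VIA_NPM), ("poster's symptom", POSTERS_SYMPTOM),
                      ("direct client", DIRECT_CLIENT)]:
        print(f"{name:17s} -> {proxy_auth_user(env)}")
```

In the poster's nginx config, `proxy_set_header X-WebAuth-User $authentik_username;` overwrites any copy of that header a client sends, and nginx drops the header entirely when the value is empty, which is the proxy-side half of the developer's advice.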