[Feature] Add Support For OpenID Connect (OIDC) Reverse Proxy Configurations To The Docker Image

[arazilsongweaver]

Is your feature request related to a problem? Please describe.
If you use a reverse proxy in front of the FreshRSS "edge" Docker image with OpenID Connect (OIDC) enabled through Docker environment variables, you will repeatedly get these console messages upon site access:

freshrss  | [Mon Jul 10 00:24:19.605840 2023] [auth_openidc:warn] [pid NNN] [client 172.NNN.NNN.NNN:59072] oidc_check_x_forwarded_hdr: header X-Forwarded-Host received but OIDCXForwardedHeaders not configured for it
freshrss  | [Mon Jul 10 00:24:19.605842 2023] [auth_openidc:warn] [pid NNN] [client 172.NNN.NNN.NNN:59072] oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it

Describe the solution you’d like

The FreshRSS Docker image should have a "REV_PROXY" variable that, when set to "true", adds "OIDCXForwardedHeaders" and any other requisite configuration to the Apache configuration file.

Describe alternatives you’ve considered

The alternative is to write a custom Apache configuration file with the reverse proxy changes and bind mount that custom file into the image at "/etc/apache2/sites-available/FreshRSS.Apache.conf".

Additional context
We're using Caddy as the reverse proxy and Keycloak as the OpenID server.

[Alkarex]

I have not had time to look at the issue yet, but maybe something for @otaconix

[otaconix]

I'll take a look. I use more or less the same stack (Caddy as reverse proxy + Authentik as IdP), so I may be getting the same warnings.

[otaconix]

Note that if and when my PR gets merged, and you start using this environment variable, you may need to update your identity provider's configuration (since FreshRSS will now use a redirect_uri with the correct protocol, which may be https, and which was probably http prior to using this environment variable).

[Alkarex]

@arazilsongweaver would you be able to test #5523 ?

[arazilsongweaver]

@Alkarex FreshRSS is working as expected after applying the patch from #5523. I have encountered no OIDC errors in my brief functionality test of the platform.

Testing method: I added the proposed Apache configuration file to the existing FreshRSS "edge" image via a bind mount. I also added the following to my environment variables file: OIDC_X_FORWARDED_HEADERS="X-Forwarded-Host X-Forwarded-Proto"

Thanks for getting this fixed.

[Alkarex]

Thanks for the test!

[Alkarex]

Related change: #5549
Tests and feedback welcome