Add new option for CURLOPT_HTTPPROXYTUNNEL

[ShaddyDC]

Describe the bug

I'm running FreshRSS in a small k8s cluster. By default, everything works fine besides some feeds that fail due to cloudflare challenges. I've had good experiences with just using a vpn for those, so I'm trying to use my vpn over gluetun as a proxy like this #3965 :

  'curl_options' => 
  array (
CURLOPT_PROXYTYPE => CURLPROXY_HTTP,    
CURLOPT_PROXY => 'gluetun-9d6e4ac1.download.svc.cluster.local',    
CURLOPT_PROXYPORT => 8888,    
  ),

However, I then get the error below, which looks similar to #3965

A feed could not be found at `https://hnrss.org/frontpage`; the status code is `200` and content-type is `` [https://hnrss.org/frontpage] 

When trying to use curl directly in the pod, it works:

verbose curl command with proxy

curl --proxy gluetun-9d6e4ac1.download.svc.cluster.local:8888 https://hnrss.org/frontpage -v
*   Trying 10.43.86.62:8888...
* Connected to gluetun-9d6e4ac1.download.svc.cluster.local (10.43.86.62) port 8888 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to hnrss.org:443
> CONNECT hnrss.org:443 HTTP/1.1
> Host: hnrss.org:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Sat, 11 Jan 2025 01:07:56 GMT
< Transfer-Encoding: chunked
* Ignoring Transfer-Encoding in CONNECT 200 response
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=hnrss.org
*  start date: Dec  9 08:18:53 2024 GMT
*  expire date: Mar  9 08:18:52 2025 GMT
*  subjectAltName: host "hnrss.org" matched cert's "hnrss.org"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /frontpage]
* h2h3 [:scheme: https]
* h2h3 [:authority: hnrss.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55de7a757ce0)
> GET /frontpage HTTP/2
> Host: hnrss.org
> user-agent: curl/7.88.1
> accept: */*
> 
< HTTP/2 200 
< server: nginx
< date: Sat, 11 Jan 2025 01:07:56 GMT
< content-type: application/xml; charset=utf-8
< last-modified: Fri, 10 Jan 2025 22:48:13 GMT
< x-algolia-url: https://hn.algolia.com/api/v1/search_by_date?numericFilters=created_at_i%3E%3D1735952657&restrictSearchableAttributes=title&tags=front_page
< expires: Sat, 11 Jan 2025 01:19:17 GMT
< cache-control: max-age=900
< x-cache: HIT
< 
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: Front Page</title><link>https://news.ycombinator.com/</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 11 Jan 2025 01:04:17 +0000</lastBuildDate><atom:link href="https://hnrss.org/frontpage" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[Portals and Quake]]></title><description><![CDATA[
<p>Article URL: <a href="https://30fps.net/pages/pvs-portals-and-quake/">https://30fps.net/pages/pvs-portals-and-quake/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=42661185">https://news.ycombinator.com/item?id=42661185</a></p>
<p>Points: 39</p>
<p># Comments: 1</p>
]]></description><pubDate>Fri, 10 Jan 2025 22:48:13 +0000</pubDate><link>https://30fps.net/pages/pvs-portals-and-quake/</link><dc:creator>ibobev</dc:creator><comments>https://news.ycombinator.com/item?id=42661185</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42661185</guid></item>(more items)</* Connection #0 to host gluetun-9d6e4ac1.download.svc.cluster.local left intact
channel></rss>

To Reproduce

Given the use of k8s, I think it might be a bit hard to reproduce the exact setup. I figured I'd ask here first for general advice to see if I'm missing something stupid or obvious. I'm happy to try to give a reproduction case using gluetun, free vpn servers, and docker compose if it helps (in hopes that the problem isn't related to something else :' ) )

Expected behavior

When using a proxy configured via curl_options, FreshRSS should successfully parse feeds that return 200 status codes with valid RSS content (as demonstrated by the working curl command).

FreshRSS version

1.25.0

System information

• Database version: SQLite
• PHP version: 8.2.26
• Installation type: Docker
• Web server type: Apache
• Device: Laptop
• OS: debian bookworm on 6.1.0-25-amd64 with k3s v1.31.4+k3s1
• Browser: Firefox 133.

Additional context

I hope this is the right place to ask this since I've seen related issues, but I'm happy to move this to a discussion instead.

[ShaddyDC]

For completeness' sake, the issue also exists if I use the UI per-feed proxy settings without having a global proxy configured, so I assume I didn't put the values in wrong and it's just that the type of proxy is not supported for some reason or there are other connection issues.

[ShaddyDC]

I was thinking I might bypass the issue by setting the proxy differently via HTTP_PROXY and HTTPS_PROXY for the pod. Generally using the system (apt update, http_proxy=$HTTP_PROXY curl ifconfig.me etc) inside the pod works fine, but feeds again fail to update with the same error.
That being said, knowing that you can in general configure a global proxy with those environment variables often seems a lot more convenient than editing the config.

[ShaddyDC]

I've given up on finding a solution myself and am just using a separate gluetun instance to have a vpn only for freshrss, which is kind of a shame, but it works. I unfortunately don't have the time to investigate more deeply atm.
I'd like if this is fixed in the future, so it would be nice to keep the issue for that, but I've got a working workaround and am not in need of help anymore, so you can close it if that's your preference.

[Alkarex]

Have you checked whether the FreshRSS requests were actually going through your proxy?

You can also use the proxy options at feed level.
Related: #7231 (tests welcome)

[ShaddyDC]

The error persists with that branch

I've used this docker compose file (with the vpn secret removed) to build the right freshrss version (many thanks for including the build parts in the template. It was very convenient!)

compose file

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    # volumes:
    #   - /yourpath:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=SUPERSECRET
      - TZ=Europe/Berlin
      - FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/8
      - HTTPPROXY=on
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      # - UPDATER_PERIOD=
  freshrss:
    image: freshrss/freshrss:edge
    # Optional build section if you want to build the image locally:
    build:
      # Pick #latest (stable release) or #edge (rolling release) or a specific release like #1.21.0
      context: https://github.com/Alkarex/FreshRSS.git#curl-proxy-options
      dockerfile: Docker/Dockerfile # -Alpine
    container_name: freshrss
    restart: always
    logging:
      options:
        max-size: 10m
    # volumes:
    #   # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
    #   - data:/var/www/FreshRSS/data
    #   # Optional volume for storing third-party extensions
    #   - extensions:/var/www/FreshRSS/extensions
    #   # Optional file providing custom global settings (used before a FreshRSS install)
    #   - ./config.custom.php:/var/www/FreshRSS/data/config.custom.php
    #   # Optional file providing custom user settings (used before a new user is created)
    #   - ./config-user.custom.php:/var/www/FreshRSS/data/config-user.custom.php
    ports:
      # If you want to open a port 8080 on the local machine:
      - "8080:80"
    environment:
      # A timezone http://php.net/timezones (default is UTC)
      TZ: Europe/Berlin
      # Cron job to refresh feeds at specified minutes
      # CRON_MIN: '2,32'
      # 'development' for additional logs; default is 'production'
      FRESHRSS_ENV: development
      # Optional advanced parameter controlling the internal Apache listening port
      LISTEN: 0.0.0.0:80
      # Optional parameter, remove for automatic settings, set to 0 to disable,
      # or (if you use a proxy) to a space-separated list of trusted IP ranges
      # compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
      # This impacts which IP address is logged (X-Forwarded-For or REMOTE_ADDR).
      # This also impacts external authentication methods;
      # see https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
      TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16 10.0.0.1/8
      # Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
      # Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
      OIDC_ENABLED: 0
      # Optional auto-install parameters (the Web interface install is recommended instead):
      # ⚠️ Parameters below are only used at the very first run (so far).
      # So if changes are made (or in .env file), first delete the service and volumes.
      # ℹ️ All the --db-* parameters can be omitted if using built-in SQLite database.
      FRESHRSS_INSTALL: |-
        --api-enabled
        --base-url localhost:80
        --default_user admin
        --language en
      FRESHRSS_USER: |-
        --api-password password
        --email admin@example.com
        --language en
        --password password
        --user admin
  caddy:
    image: caddy:2-alpine
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    command: caddy reverse-proxy --from :80 --to freshrss:80
    depends_on:
      - freshrss

I ran these steps

Steps

# Build image
$ sudo docker compose build
# Run compose file
$ sudo docker compose up
# to get gluetun ip (while continuing in a different terminal)
$ sudo docker network inspect freshrss-proxy_default
...
            "d158fa7582f63739d1bb0b0cad8cee41312d463c58106657677c049cb343b827": {
                "Name": "gluetun",
                "EndpointID": "8897e02b421a2dbdc118620d46d8687378c179c09a0074f0a4a52d68121165bc",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
...
# get shell in freshrss
$  sudo docker compose exec freshrss bash
# install curl
$ apt update && apt install -y curl
$ curl -v ifconfig.me --proxy 172.18.0.2:8888
*   Trying 172.18.0.2:8888...
* Connected to 172.18.0.2 (172.18.0.2) port 8888 (#0)
> GET http://ifconfig.me/ HTTP/1.1
> Host: ifconfig.me
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Length: 12
< Content-Type: text/plain
< Date: Fri, 17 Jan 2025 22:17:00 GMT
< Via: 1.1 google
< 
* Connection #0 to host 172.18.0.2 left intact
149.22.80.85

which matches the ip gluetun prints as the external ip, so this works fine.

Putting the same proxy into the freshrss feed config gives me the old known error

freshrss  | FreshRSS[55]: [admin] [Fri, 17 Jan 2025 23:13:13 +0100] [warning] --- A feed could not be found at `https://github.com/FreshRSS/FreshRSS/releases.atom`; the status code is `200` and content-type is `` [https://github.com/FreshRSS/FreshRSS/releases.atom]

To get verbose logging (and show that freshrss does indeed go through the proxy):

Config

<?php
 return array (
  'salt' => '2f485cfb65c7f8da57ca9d5a2b4729282cea7e2e',
  'db' => 
  array (
    'type' => 'sqlite',
    'host' => 'localhost',
    'user' => '',
    'password' => '',
    'base' => '',
    'prefix' => 'freshrss_',
    'connection_uri_params' => '',
    'pdo_options' => 
    array (
    ),
  ),
    'curl_options' => 
  array (
              CURLOPT_VERBOSE => true,
  ),
  'default_user' => 'admin',
  'base_url' => 'localhost:80',
  'language' => 'en',
  'api_enabled' => true,
);

Debug log

# ./app/actualize_script.php 
FreshRSS[3016]: [_] [Fri, 17 Jan 2025 23:24:56 +0100] [notice] --- FreshRSS starting feeds actualization at 2025-01-17T23:24:56+01:00
FreshRSS[3016]: [admin] [Fri, 17 Jan 2025 23:24:56 +0100] [notice] --- FreshRSS actualize admin…
*   Trying 172.18.0.2:8888...
* Connected to 172.18.0.2 (172.18.0.2) port 8888 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
Host: github.com:443
User-Agent: FreshRSS/1.25.1-dev (Linux; https://freshrss.org)
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 OK
< Date: Fri, 17 Jan 2025 22:24:57 GMT
< Transfer-Encoding: chunked
* Ignoring Transfer-Encoding in CONNECT 200 response
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=github.com
*  start date: Mar  7 00:00:00 2024 GMT
*  expire date: Mar  7 23:59:59 2025 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo ECC Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /FreshRSS/FreshRSS/releases.atom]
* h2h3 [:scheme: https]
* h2h3 [:authority: github.com]
* h2h3 [user-agent: FreshRSS/1.25.1-dev (Linux; https://freshrss.org)]
* h2h3 [accept: */*]
* h2h3 [accept-encoding: deflate, gzip, br, zstd]
* Using Stream ID: 1 (easy handle 0x5632fdb316f0)
> GET /FreshRSS/FreshRSS/releases.atom HTTP/2
Host: github.com
user-agent: FreshRSS/1.25.1-dev (Linux; https://freshrss.org)
accept: */*
accept-encoding: deflate, gzip, br, zstd

* old SSL session ID is stale, removing
< HTTP/2 200 
< server: GitHub.com
< date: Fri, 17 Jan 2025 22:24:58 GMT
< content-type: application/atom+xml; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
< etag: W/"b9e13e3db7aa57103d0461d2acc317e6"
< cache-control: max-age=0, private, must-revalidate
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
< accept-ranges: bytes
< set-cookie: _gh_sess=W2aT00S3wlWfUSTyE%2BkFPVoBjL712l5nkzAPlYqm54n6M10oygsGr7HDe8r%2FU%2Bkq8h%2FhdblhobtjInfBvvhVIFNM8GTk9gwDoHojyZ083f8RhbqtIDthQA3Zohceh43glxTPuh2MwymSvLmnHTJC0RO0Baj7hp%2FsNEXhdQj1WEF62ZqrL1y7EmH9DyHf1uDS%2Bk0XtdnLQiFys%2F6%2BMSsn1YnV8lbTRHZnuG8r6r4duSMI5L2anlStCCSo2DMwF4HMv7iB4S9OC%2BrOkDK1opoXgA%3D%3D--ZHipU0gaJzT7f3sq--r5QCRfy%2F558EHnGDlM8XKg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
< set-cookie: _octo=GH1.1.124666793.1737152697; Path=/; Domain=github.com; Expires=Sat, 17 Jan 2026 22:24:57 GMT; Secure; SameSite=Lax
< set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sat, 17 Jan 2026 22:24:57 GMT; HttpOnly; Secure; SameSite=Lax
< content-length: 255316
< x-github-request-id: 6326:24202B:753BD4:77A66A:678AD8B9
< 
* Connection #0 to host 172.18.0.2 left intact
FreshRSS[3016]: FreshRSS SimplePie GET 200 https://github.com/FreshRSS/FreshRSS/releases.atom
PHP Notice: A feed could not be found at `https://github.com/FreshRSS/FreshRSS/releases.atom`; the status code is `200` and content-type is `` in /var/www/FreshRSS/lib/simplepie/simplepie/src/SimplePie.php on line 2172
FreshRSS[3016]: [admin] [Fri, 17 Jan 2025 23:24:59 +0100] [warning] --- A feed could not be found at `https://github.com/FreshRSS/FreshRSS/releases.atom`; the status code is `200` and content-type is `` [https://github.com/FreshRSS/FreshRSS/releases.atom]
FreshRSS[3016]: [admin] [Fri, 17 Jan 2025 23:24:59 +0100] [notice] --- FreshRSS actualization done for 1 users, using 6.00 MiB of memory, in 0 day(s), 0 hour(s), 0 minute(s) and 3 seconds.
Results: 
admin OK
End.

So I'm pretty confident it's going through the proxy, and looking at the returned text when running `curl https://github.com/FreshRSS/FreshRSS/releases.atom --proxy 172.18.0.2:8888`, that all looks fine to me too.

[Alkarex]

I have not not a full debugging, but I have fixed a few related things in
#7231
Tests welcome

[ShaddyDC]

I don't see anything in that PR that has changed since the last test above, is there? I'm still getting the same result with latest edge image now.

ie changing image to image: freshrss/freshrss:edge, removing branch-specific build steps, running docker compose pull, and redoing the steps above.
Or are you looking for any specific other testing?

[Alkarex]

Thanks for trying. I was not sure #7231 would change anything. It was mostly some fixes and improvements I did while looking at what your problem could be.

It looks like there could be something wrong with the parsed content-type of the response.
Could you try with https://github.com/FreshRSS/FreshRSS/releases.atom#force_feed ?

I do not have a proxy setup to test. Could you suggest a minimum gluetun config I could try on my side?

[ShaddyDC]

Thanks for getting back to me so quickly!
The compose file above is pretty much intended as a standalone and shouldn't require any extra setup / config beyond a vpn account / private key. I don't know which vpn providers offer free accounts for testing that support wireguard or ovpn, but if you reach out to me on discord as shaddy (or if there's another way you prefer to communicate?), I'm happy to give you a wireguard private key for testing or a 1 month protonvpn sub, whichever you prefer.
I'll try the #force_feed later today when I'm home but I have a strong suspicion that it will work.

[ShaddyDC]

Huh, colour me surprised!

https://github.com/FreshRSS/FreshRSS/releases.atom is invalid XML, likely due to invalid characters. XML error: Not well-formed (invalid token) at line 1, column 1 [https://github.com/FreshRSS/FreshRSS/releases.atom#force_feed] 

The feed looks fine when opened locally with the same url, so I guess the proxy really is breaking something! I had also assumed that it was just the content type parsing. That's probably going to be fun to debug 👀

Let me know if I can do anything else to help with the reproduction setup!