Don’t know if this is a bug and should be in the support section, but I’ve possibly configured something wrong, as I couldn’t really find any documentation on configuring the auth header for use in the auth_remote plugin. Other than this warning on login it was fairly simple to set up.
- [x] I’m using docker compose setup, with modifications (modified .yml files, third party plugins/themes, etc.) - if so, describe your modifications in your post. Before reporting, see if your issue can be reproduced on the unmodified setup.
I am using the SSO provider Authentik to set the remote-user in an nginx proxy for the auth_remote plugin.
Other plugins used are feediron and some custom CSS modifications. Disabling these doesn’t change anything.
On login for any user I receive an Undefined array key "last_login_update" warning in the event log:
```
E_WARNING (2)
classes/feeds.php:520
Undefined array key "last_login_update"
1. classes/feeds.php(520): ttrss_error_handler(Undefined array key "last_login_update", classes/feeds.php)
2. backend.php(136): view()
Real IP: xxx.xxx.xxx.xxx
Forwarded For: xxx.xxx.xxx.xxx
Forwarded Protocol: https
Remote IP: 172.90.126.1
Request URI: /tt-rss/backend.php
User agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
```
- Tiny Tiny RSS version (including git commit id): v22.03-385da287d
- Platform (i.e. Linux distro, Docker, PHP, PostgreSQL, etc) versions: docker-compose
TT-RSS .env
```
TTRSS_DB_USER=postgres
TTRSS_DB_NAME=postgres
TTRSS_DB_PASS=[xxx]
TTRSS_SELF_URL_PATH=https://example.tld/tt-rss
TTRSS_PLUGINS=auth_remote, auth_internal, note
AUTH_AUTO_CREATE=true
TTRSS_AUTH_REMOTE_POST_LOGOUT_URL=https://example.tld/outpost.goauthentik.io/sign_out
TTRSS_ENABLE_GZIP_OUTPUT=true
TTRSS_SMTP_FROM_NAME=Tiny Tiny RSS
[email protected]
TTRSS_SMTP_SERVER=mail.example.tld
TTRSS_SMTP_LOGIN=ttrss
TTRSS_SMTP_PASSWORD=[xxx]
TTRSS_SMTP_SECURE=tls
TTRSS_SMTP_SKIP_CERT_CHECKS=false
HTTP_PORT=127.0.0.1:8280
```
Nginx proxy config
```
upstream ttrss_app {
    server 127.0.0.1:8280;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.tld;

    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 10.1.1.1;

    # Block all bots
    if ($http_user_agent ~ ".*bot.*") {
        return 403;
    }

    [...]

    location ^~ /tt-rss/ {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Remote-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache off;
        proxy_buffering off;
        proxy_pass_request_body on;
        proxy_request_buffering off;
        proxy_connect_timeout 7d;
        proxy_read_timeout 7d;
        proxy_send_timeout 7d;
        proxy_pass http://ttrss_app/tt-rss/;

        # authentik-specific config
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        proxy_set_header remote-user $authentik_username;
    }

    # all requests to /outpost.goauthentik.io must be accessible without authentication
    location /outpost.goauthentik.io {
        proxy_pass https://127.0.0.1:9443/outpost.goauthentik.io;
        # ensure the host of this vserver matches your external URL you've configured
        # in authentik
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
    }

    # Special location for when the /auth endpoint returns a 401,
    # redirect to the /start URL which initiates SSO
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```
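
A check for the header-trust part of this setup, added here as an example and not part of the original post or of tt-rss or authentik code: because the username for auth_remote arrives in a header set by the proxy, the location block has to overwrite that header with a value taken from the auth subrequest. The function name, the constructed sample strings and the single-block scope (no `include` or inheritance handling) are assumptions of this sketch.

```python
import re

# Directives relevant to how the identity header reaches the upstream.
DIRECTIVE = re.compile(
    r"^\s*(auth_request_set|proxy_set_header|auth_request)\s+(\S+)(?:\s+(\S+))?\s*;",
    re.M)

def audit_identity_header(block, header="remote-user"):
    """Return findings for the text of one nginx location block."""
    gated, auth_vars, value = False, {}, None
    for name, arg1, arg2 in DIRECTIVE.findall(block):
        if name == "auth_request":
            gated = arg1 != "off"
        elif name == "auth_request_set":
            auth_vars[arg1] = arg2            # $var -> source expression
        elif arg1.lower() == header.lower():  # proxy_set_header <header> <value>
            value = arg2
    findings = []
    if not gated:
        findings.append("no auth_request: requests are not checked by the outpost")
    if value is None:
        # nginx forwards client request headers unless proxy_set_header replaces them
        findings.append(f"{header} is never set: the client's own value reaches the upstream")
    elif value.startswith("$http_"):
        findings.append(f"{header} is copied from the client request ({value})")
    elif not auth_vars.get(value, "").startswith("$upstream_http_"):
        findings.append(f"{header} value {value} does not come from the auth subrequest")
    return findings

# Constructed sample: the identity-related lines of the /tt-rss/ location block.
GOOD = """
location ^~ /tt-rss/ {
    proxy_pass http://ttrss_app/tt-rss/;
    auth_request /outpost.goauthentik.io/auth/nginx;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    proxy_set_header remote-user $authentik_username;
}
"""
# Constructed weak variant: header line dropped, so nothing overwrites client input.
WEAK = GOOD.replace("    proxy_set_header remote-user $authentik_username;\n", "")

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_identity_header(conf) or "ok")
```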