From a2cbda03eaf3ada8168eedad57b87afac504d509 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 24 Aug 2023 14:02:19 +0800
Subject: [PATCH 1/3] Add reverseproxy auth for API back with default disabled

---
 .../content/administration/config-cheat-sheet.en-us.md | 3 ++-
 modules/setting/service.go | 2 ++
 routers/api/v1/api.go | 10 ++++++++--
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md
index 968b47c2302e8..45d3187b3171d 100644
--- a/docs/content/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/administration/config-cheat-sheet.en-us.md
@@ -621,7 +621,8 @@ And the following unique queues:
 BASIC and the user's password. Please note if you disable this you will not be able to access the tokens API endpoints using a password. Further, this only disables BASIC authentication using the password - not tokens or OAuth Basic.
-- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication.
+- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication for web requests
+- `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`: **false**: Enable this to allow reverse proxy authentication for API requests
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for reverse authentication.
 - `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 595ea6528f886..a80bf16292978 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -46,6 +46,7 @@ var Service = struct {
 EnableNotifyMail bool
 EnableBasicAuth bool
 EnableReverseProxyAuth bool
+ EnableReverseProxyAuthAPI bool
 EnableReverseProxyAutoRegister bool
 EnableReverseProxyEmail bool
 EnableReverseProxyFullName bool
@@ -157,6 +158,7 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()
 Service.EnableBasicAuth = sec.Key("ENABLE_BASIC_AUTHENTICATION").MustBool(true)
 Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
+ Service.EnableReverseProxyAuthAPI = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION_API").MustBool()
 Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
 Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool()
 Service.EnableReverseProxyFullName = sec.Key("ENABLE_REVERSE_PROXY_FULL_NAME").MustBool()
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 2d644507d5f71..6fa7ed9cd8d22 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -333,8 +333,11 @@ func reqExploreSignIn() func(ctx *context.APIContext) {
 }
 }
 
-func reqBasicAuth() func(ctx *context.APIContext) {
+func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 return func(ctx *context.APIContext) {
+ if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
+ return
+ }
 if !ctx.IsBasicAuth {
 ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")
 return
@@ -698,6 +701,9 @@ func buildAuthGroup() *auth.Group {
 &auth.HTTPSign{},
 &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
 )
+ if setting.Service.EnableReverseProxyAuthAPI {
+ group.Add(&auth.ReverseProxy{})
+ }
 specialAdd(group)

 return group
@@ -800,7 +806,7 @@ func Routes() *web.Route {
 m.Combo("").Get(user.ListAccessTokens).
 Post(bind(api.CreateAccessTokenOption{}), reqToken(), user.CreateAccessToken)
 m.Combo("/{id}").Delete(reqToken(), user.DeleteAccessToken)
- }, reqBasicAuth())
+ }, reqBasicOrRevProxyAuth())
 m.Get("/activities/feeds", user.ListUserActivityFeeds)
 }, context_service.UserAssignmentAPI())
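Review bot: `ctx.Data["AuthedMethod"].(string)` in the new guard of reqBasicOrRevProxyAuth is a single-value type assertion, so a request where `IsSigned` is true but `AuthedMethod` was never stored in `ctx.Data` (nil interface) would panic inside the handler instead of falling through to the basic-auth check; whether that combination can occur is decided by the auth middleware, which is outside this hunk. The comma-ok form costs nothing and keeps the failure mode a 401: `method, _ := ctx.Data["AuthedMethod"].(string)` followed by `if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && method == auth.ReverseProxyMethodName {`. The error context string two lines below still reads `"reqBasicAuth"` after the rename, so a 401 logged from this handler points at a function that no longer exists; `"reqBasicOrRevProxyAuth"` keeps it greppable. A doc comment stating the contract would also help, e.g. `// reqBasicOrRevProxyAuth lets the request through when it carries basic auth, or when ENABLE_REVERSE_PROXY_AUTHENTICATION_API is on and the auth group authenticated it via the reverse proxy headers.` The function body continues past the hunk.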
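Review bot: The conditional `group.Add(&auth.ReverseProxy{})` in buildAuthGroup carries no comment explaining why API reverse-proxy auth is a separate opt-in from the web setting, and the reason is security-relevant: once the method is in the group, identities asserted by the proxy headers are accepted for API calls, including the token endpoints this series routes through reqBasicOrRevProxyAuth, with CSRF protection left to the proxy as the updated docs state. A one-line comment such as `// Opt-in: proxy-asserted identities are trusted for the API only when ENABLE_REVERSE_PROXY_AUTHENTICATION_API is set; CSRF protection is then the proxy's responsibility.` would keep that rationale next to the code. Because the group is assembled from `setting.Service` when it is built, a change to the setting presumably takes effect only when the group is rebuilt; if that happens once at startup, the same comment is the place to say so (inferred, the call site is outside the hunk).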
From 6d591d2e6271610d44b608868750b62ecb13ed15 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 24 Aug 2023 18:35:43 +0800
Subject: [PATCH 2/3] Update app.example.ini

---
 custom/conf/app.example.ini | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index a3d24b1961fa7..f2b0390175fbd 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -759,6 +759,8 @@ LEVEL = Info
 ;;
 ;; More detail: https://github.com/gogits/gogs/issues/165
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+; Enable this to allow reverse proxy authentication for API requests
+;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ;ENABLE_REVERSE_PROXY_EMAIL = false
 ;ENABLE_REVERSE_PROXY_FULL_NAME = false

From fdafdf9bdb46bf86a61d8c2e2916b206f1096b94 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Mon, 4 Sep 2023 18:21:40 +0800
Subject: [PATCH 3/3] Improve documentation

---
 custom/conf/app.example.ini | 2 +-
 docs/content/administration/config-cheat-sheet.en-us.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index f2b0390175fbd..ec18a3b52665d 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -759,7 +759,7 @@ LEVEL = Info
 ;;
 ;; More detail: https://github.com/gogits/gogs/issues/165
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
-; Enable this to allow reverse proxy authentication for API requests
+; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ;ENABLE_REVERSE_PROXY_EMAIL = false
diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md
index 45d3187b3171d..a7ec9fe866740 100644
--- a/docs/content/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/administration/config-cheat-sheet.en-us.md
@@ -622,7 +622,7 @@ And the following unique queues:
 tokens API endpoints using a password. Further, this only disables BASIC authentication using the password - not tokens or OAuth Basic.
 - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication for web requests
-- `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`: **false**: Enable this to allow reverse proxy authentication for API requests
+- `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`: **false**: Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for reverse authentication.
 - `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a