finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add reverseproxy auth for API back with default disabled (#26703)

Browse source 
This feature was removed by #22219 to avoid possible CSRF attack.

This PR takes reverseproxy auth for API back but with default disabled.

To prevent possbile CSRF attack, the responsibility will be the
reverseproxy but not Gitea itself.

For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`,
they should know what they are doing.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
This commit is contained in:
Lunny Xiao 2023-09-07 16:31:46 +08:00 committed by GitHub
parent 1221221595
commit e97e883ad5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
custom/conf/app.example.ini
View file

@ -759,6 +759,8 @@ LEVEL = Info
;;
;; More detail: https://github.com/gogits/gogs/issues/165
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
;ENABLE_REVERSE_PROXY_EMAIL = false
;ENABLE_REVERSE_PROXY_FULL_NAME = false