FreshRSS with Tailscale Auth
FreshRSS has been my RSS feed aggregator of choice for a couple of years now. I still frequently long for the optimistic heady days when we all loved Google Reader. I used Feedbin for many years and highly recommend it if self-hosting your feed aggregator isn’t for you. Lovely service for sure.
Background
Ever since I set up FreshRSS I've been grumbling about how I want SSO. I use Authentik for most of my SSO needs, but these days even that feels like overkill. You can use Authentik with FreshRSS, but only if you use the FreshRSS Docker container (which bundles Apache to do the authentication). That feels extra-heavy when FreshRSS is "just" a PHP app.
I run FreshRSS on a NixOS server using the services.freshrss options, which are lovely and easy, but I've always stuck with the "form" login as I couldn't figure out how to get Authentik or something else to work.
Tailscale Services
The past couple of weeks I've been diving deep into Tailscale Services, which I like because:
- it's simple
- it works on my tailnet
- it includes basic HTTP auth headers
- it auto-provisions my HTTPS certs
- it gets rid of the need for NGINX reverse proxying
Note: I really do NOT like that you cannot hairpin – hosts can't connect to their own hosted services. Also, using a unix socket breaks the get-config command. These warts aside, I tried to use Tailscale Services for FreshRSS, which was another deep rabbit hole that didn't really work, for various reasons:
- PHP kinda needs some sort of web server in front of it (I think), so NGINX is still needed
- Tailscale Services using the Proxy Protocol broke my Tailscale config (I couldn't turn it off without resetting the entire config)
- FreshRSS only supports the Remote-User and X-WebAuth-User headers; this is not configurable
- Tailscale Services do not support changing the Remote-User header
Compromise
I eventually gave up on the Tailscale Services approach and went back to my NGINX configuration. I used to use Tailscale's nginx-auth helper to handle authentication to my Grafana instance (now just Tailscale Services), and I thought maybe it could work here.
After another few rounds of debugging, face-to-desk pounding, and frustration, I finally got it working. At first FreshRSS was complaining that X-WebAuth-User was blank (it was), but the Tailscale authentication was definitely working. On further inspection of the example configuration from Tailscale it dawned on me that it's written for reverse proxies using proxy_set_header, but that's not really what we're doing here. proxy_set_header only affects requests that NGINX forwards with proxy_pass; in this setup NGINX is the end of the HTTP line, calling out to PHP over FastCGI, so those headers were simply dropped.
I remembered reading the following line in the FreshRSS docs, and that's when I realized I needed to set a fastcgi_param instead of a header:
You can also use any authentication backend as long as your web server exposes the authenticated user through the REMOTE_USER variable.
Setting REMOTE_USER from the result of the NGINX Tailscale auth request yielded an immediate login!
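The working shape of that NGINX site, written out as an added illustration (this is not the post's own Nix config, nor a configuration shipped by Tailscale or FreshRSS). It assumes Tailscale's nginx-auth helper listening on the unix socket /run/tailscale-nginx-auth/tailscale-nginx-auth.sock, PHP-FPM on /run/phpfpm/freshrss.sock, the FreshRSS public directory at /var/lib/freshrss/p, certificates produced by `tailscale cert`, and a Tailscale IP of 100.64.0.10; every one of those paths, the hostname and the address are assumptions to adjust for your own host.

```nginx
# Added example: FreshRSS behind NGINX with Tailscale identity passed to
# PHP as REMOTE_USER. Socket paths, webroot, cert paths, hostname and the
# 100.64.0.10 address below are assumptions, not values from the post.
server {
    # Bind only to the tailnet address so nothing off-tailnet reaches NGINX.
    listen 100.64.0.10:443 ssl;
    server_name freshrss.example.ts.net;

    # Certificates from `tailscale cert freshrss.example.ts.net` (assumed paths).
    ssl_certificate     /var/lib/tailscale/certs/freshrss.example.ts.net.crt;
    ssl_certificate_key /var/lib/tailscale/certs/freshrss.example.ts.net.key;

    root  /var/lib/freshrss/p;   # FreshRSS public directory (assumed)
    index index.php;

    # Every request is gated on the caller's Tailscale identity. A request
    # that nginx-auth rejects never reaches PHP (NGINX answers 401), so
    # REMOTE_USER can never be empty for a request PHP actually sees.
    auth_request /auth;
    # nginx-auth answers with Tailscale-Login (part before '@'),
    # Tailscale-User (full login) and Tailscale-Name; capture them.
    auth_request_set $auth_login $upstream_http_tailscale_login;
    auth_request_set $auth_user  $upstream_http_tailscale_user;
    auth_request_set $auth_name  $upstream_http_tailscale_name;

    location = /auth {
        internal;
        proxy_pass http://unix:/run/tailscale-nginx-auth/tailscale-nginx-auth.sock;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # nginx-auth resolves identity from the connecting address via whois,
        # so these must carry the real client address and port.
        proxy_set_header Remote-Addr  $remote_addr;
        proxy_set_header Remote-Port  $remote_port;
        proxy_set_header Original-URI $request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # This is the part proxy_set_header cannot do: the identity has to
        # travel in the FastCGI environment, where FreshRSS reads REMOTE_USER.
        # Use $auth_login or $auth_user, whichever matches the FreshRSS
        # username on disk and in the database.
        fastcgi_param REMOTE_USER $auth_login;

        # Defence in depth: a client-supplied Remote-User or X-WebAuth-User
        # header would otherwise arrive in PHP as HTTP_REMOTE_USER /
        # HTTP_X_WEBAUTH_USER. Overriding them with an empty value keeps the
        # auth_request result the only source of identity.
        fastcgi_param HTTP_REMOTE_USER    "";
        fastcgi_param HTTP_X_WEBAUTH_USER "";

        fastcgi_pass unix:/run/phpfpm/freshrss.sock;
    }
}
```

Two checks worth doing after reloading NGINX: a request from a machine that is not on the tailnet should get a 401 from NGINX rather than a FreshRSS page, and a request from your own tailnet machine that sends `Remote-User: someone-else` should still log you in as yourself, confirming the identity comes from the auth_request result and not from anything the client can set.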
But everything was broken
As is often the case, getting one thing working broke another! This time it was because of a username mismatch: my old username tebriel isn't the same as my Tailscale user value (what I log in to Tailscale with). To fix this I made sure my latest database and file backups were good and then manually modified some things:
- I renamed /var/lib/freshrss/users/tebriel to my Tailscale login name.
- I renamed each table in the database, replacing tebriel with my Tailscale login name.
At some point during debugging I had rolled back and created a new user named after my Tailscale login name, so maybe that also had a hand in getting it to work.
After this, loading my FreshRSS instance immediately logs me in and all my data is there!
A long trial to save the 3s of letting my password manager fill in my username and password, but it's a nice bit of flow for me and I learned a lot!
You can view my FreshRSS Nix Config to get exact details on how I set this up. Best of luck!