Rework trusted proxies (#5549)

* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226

New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy

New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.

Current working setups should not observe any significant change.

* Minor whitespace

* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357

* Minor readme

1 files changed, 6 insertions, 3 deletions

diff --git a/config.default.php b/config.default.php
index b5e3a6318..f7c4e1315 100644
--- a/config.default.php
+++ b/config.default.php
@@ -194,9 +194,12 @@ return array(
 	# Disable self-update,
 	'disable_update' => false,
 
-	# Trusted IPs that are allowed to send unsafe headers
-	# Please read the documentation, before configuring this
-	# https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
+	# Trusted IPs (e.g. of last proxy) that are allowed to send unsafe HTTP headers.
+	# The connection IP used during FreshRSS setup is automatically added to this list.
+	# Will be checked against CONN_REMOTE_ADDR (if available, to be robust even when using Apache mod_remoteip)
+	# or REMOTE_ADDR environment variable.
+	# This array can be overridden by the TRUSTED_PROXY environment variable.
+	# Read the documentation before configuring this https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html
 	'trusted_sources' => [
 		'127.0.0.0/8',
 		'::1/128',