Forgejo's docker containers had `REVERSE_PROXY_TRUSTED_PROXIES = *` configured in them by default. In the event that the Forgejo sysadmin set the docker environment variable `FORGEJO__service__ENABLE_REVERSE_PROXY_AUTHENTICATION` to the value `true`, *and* an unauthorized user could access Forgejo without traversing a reverse proxy performing authentication, then an unauthorized user could use the `X-WebAuth-User` HTTP header to impersonate any user. While this is an unlikely set of configuration settings, it seems more prudent for the Forgejo to require a sysadmin to choose an appropriate value for `REVERSE_PROXY_TRUSTED_PROXIES`. Even in a containerized environment, this value can be used safely and set to reasonable values if firewall-level networking is in use (eg. using [Docker with iptables](https://docs.docker.com/engine/network/firewall-iptables/)), which is the common default for docker systems in 2026.
The intent of this PR is to change the default in Forgejo 16, and to mark it as a breaking change for highlighting in the release notes. The risk of misconfiguration is not high enough to backport this breaking change to earlier Forgejo releases.
If a sysadmin wants to use the previous configuration, they can set the environment variable `FORGEJO__service__REVERSE_PROXY_TRUSTED_PROXIES` to the value `*`, but it would be recommended that they revise the setting to a narrower set of trusted IPs that they expect reverse proxy connections from. See the [`[security]`](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security) config block for more information.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12782
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
This was missed in https://codeberg.org/forgejo/forgejo/pulls/11098.
See https://github.com/go-gitea/gitea/pull/17846 for why this was added in the first place.
Note that this is not backwards compatible. For users with a custom `app.ini`-config this won't work. But it also didn't work with the previous config. This change only aligns it with the default app.ini-path.
Co-authored-by: Jakob Linskeseder <jakob@linskeseder.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11720
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: jaylinski <jaylinski@noreply.codeberg.org>
Co-committed-by: jaylinski <jaylinski@noreply.codeberg.org>
This legacy support was added in version 8. We now have version 14, so this deprecated feature can be confidently removed.
See dad16cd589 for a detailed explanation.
Docs PR: https://codeberg.org/forgejo/docs/pulls/1740
Co-authored-by: Jakob Linskeseder <jakob@linskeseder.com>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11098
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: jaylinski <jaylinski@noreply.codeberg.org>
Co-committed-by: jaylinski <jaylinski@noreply.codeberg.org>
The current path of the `$GITEA_APP_INI` configuration file makes the
forgejo application reset every time the container is restarted, unless
a specific volume for this file is created. Consider the following:
* This quirk is not documented
* All configuration data resides in `/var/lib/gitea`
* The custom configuration path defaults to `/var/lib/gitea/custom/conf`
(see `forgejo -h`)
* Containers mounting the volume `-v /foo/bar:/var/lib/gitea` already
have this file available to modify. Another volume shouldn't be
required
* Containers using named volumes can use `docker cp` to modify the file
inside the volume, if desired
For these reasons, it makes more sense to use the default path for
`$GITEA_APP_INI` rather than require users to create a dedicated volume
for the file. Revert it back to its default while maintaining backwards
compatibility (users can update by simply moving the file to the new
path).
There was a mistake when choosing the structure for the repo avatars parent folder and it added a spurious /gitea.
The `data` directory should contain folders like:
- `attachments/`
- `avatars/`
- `log/`
- `repo-avatars/`
* Switch to non-deprecation setting
(Avoid by-default: "Deprecated fallback `[server]` `LFS_CONTENT_PATH` present. Use `[lfs]` `PATH` instead. This fallback will be removed in v1.18.0")
* Update all references
* Upgrade alpine to 3.15
* Add executability test to entrypoint for too old dockers
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update docker/rootless/usr/local/bin/docker-entrypoint.sh
Co-authored-by: zeripath <art27@cantab.net>
Too many docker users are caught out by the default location for the
app.ini file being environment dependent so that when they docker exec
into the container the gitea commands do not work properly and require
additional -c arguments to correctly pick up the configuration.
This PR simply shadows the gitea binary using variants of the FHS
compatible script to make the command gitea have the default locations
by default.
Fix#14468
Reference #17497
Reference #12082
Reference #8941
... amongst others ...
Replace #17501
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add reverse proxy configuration support for remote IP address validation
* Trust all IP addresses in containerized environments by default
* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add environment-to-app.ini routine
* Call environment-to-ini in docker setup scripts
* Automatically convert section vars to lower case to match documentation
* Remove git patch instructions
* Add env variable documentation to Install Docker
I think it's a bad default to have "dev" as the default run mode which
enables debugging and now also disables HTTP caching. It's better to
just default to a value suitable for general deployments.
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* docker: rootless image
* improve docs + remove check for write perm on custom
* add more info on ssh passtrough
* Add comment for internal ssh server in container config
