FreshRSS/FreshRSS

[Bug] reverse proxy quic/http3 oidc fails

Open

#8690 opened on Apr 10, 2026

View on GitHub
 (3 comments) (1 reaction) (0 assignees)PHP (15,022 stars) (1,171 forks)batch import
Bug (unconfirmed)help wanted

Description

Describe the bug

I just switched on http3/quic on my nginx reverse proxy. This failed on my former working oauth setup to FreshRSS with httpd/quic supporting browsers. Login worked via tor, via a corporate proxy which does not offer quic and browsers which do not support quic. (oauth backend: forgejo)

To Reproduce

  1. Have a working oauth setup
  2. Reverse Proxy: enable HTTP/3 - Quic
  3. Try to open FreshRSS

Expected behavior

Expected:

  • (login via the oauth host - in my case forgejo)
  • Redirect into FreshRSS

Actual behaviour:

  • (login via the oauth host - in my case forgejo)
  • Redirect fails. There are different error messages depending on browser. But there are messages like "Redirect Failure", "unexpected oidc host", freshrss.local as target in the redirect url (!) though it is nowhere set...

FreshRSS version

1.28.1

System information

  • Database version: SQLite
  • PHP version: original Container version
  • Installation type: official Container via docker-compose
  • Web server type: Reverse: nginx
  • Device: Asahi Laptop, Windows Laptop (Corporate - Works!), Android Device
  • OS: Debian Testing (asahi), Windows 11, GrapheneOS
  • Browser: Firefox 149 (fails), Firefox-ESR (Corporate behind zScaler proxy- Works!), Epiphany 49.2 (Works, probably no Quic-Support in Browser), Fennec 149.0.1 (fails).

Additional context

I could fix it via a proxy_http_version 1.1; directive, so the settings are now:

           location / {
               proxy_http_version 1.1; # <---- the needed option
               proxy_set_header Host $http_host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_set_header X-Forwarded-Host $http_host;
               proxy_pass http://localhost:8080/;
               add_header Alt-Svc 'h3=":443"; ma=86400';
           break;
           }

So it probably needed to be mentioned in the documentation.

Contributor guide

Tech stack
None
Domain
authenticationauthorization
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
basic nginx reverse proxyOIDC authentication
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
75
Research direction
Review the FreshRSS documentation for reverse proxy setup, particularly any nginx configuration examples for OIDC. The bug report indicates that enabling HTTP/3/QUIC causes OIDC redirect failures, which is resolved by adding 'proxy http version 1.1;' in the nginx location block. Investigate whether the documentation currently lacks this directive and propose an update to include it. No existing PRs or maintainer comments were found; this issue is a straightforward documentation fix.