Libretime: Set CORS URLs in web installer

Created on 13 Nov 2019  路  14Comments  路  Source: LibreTime/libretime

The CORS Urls setting is required when running LT behind a proxy (Containerisation is a common use case). The only documentation currently is here, but it only contains one line:

The Allowed CORS URLs is intended to deal with situations where you want a remote site with a different domain to access the API.

This should be elaborated on and highlight proxy use-cases. Maybe a "Common Setups" section in the Getting Started section, or Tutorials.

3.0-release-blocker bug installer

All 14 comments

Hi @paddatrapper!
I agree, I had the same problem when installing LT behind haproxy.
If you have a bit of time why no try to submit a PR for the documentation? I will be happy to help you to review this PR.

Hello.
I think this is important, as it makes LibreTime unusable on most browsers, unless you can find this issues on GitHub and apply the configuration.
This from https://github.com/LibreTime/libretime/issues/822#issuecomment-546609291 worked for me (replacing domain and subdomain with the real ones, of course)

https://sub.domain.org
http:/sub.domain.org
http://sub
http://localhost
https://sub
https://localhost

But i'm not really sure why, and what is the relation with the proxy.
In my case LibreTime is installed in a Docker container, behind an Nginx reverse proxy.

May be you can explain why this is necessary so we can document it?
Thanks

Also, it's not clear to me if this can be configured in airtime.conf (or any other config file) rather than in the user interface

So preferences are accessed from the Database in airtime_mvc/application/models/Preferences.php. The CORS settings are stored there. The config file values are read/manipulated from airtime_mvc/application/configs/conf.php. There seems to be no relation between the two, so it would seem that it cannot be configured from anywhere outside of the UI

But i'm not really sure why, and what is the relation with the proxy.

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. More information is here - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Please review #938 and let me know if that is clearer

Hi @paddatrapper !

938 looks good to me but I believe that there is a workaround that may have it's place in the documentation.

On a remote installation (behind a reverse proxy), there is no way to login for the first time (unless you do some ssh tunneling and login on http://localhost). So in those cases, it is still possible to disable momentarily CORS checks by commenting the following line:

//Don't allow CORS from other domains to prevent XSS.
throw new Zend_Controller_Action_Exception('Forbidden', 403);

in the file CORSHelper.php.

Then we should definitely add the CORS to the config file instead of in the DB... Let me see what I can do

Maybe it would make sense to add a page to the web-based installer so that people can add their CORS URLs database before they get to the login. Is this something we are going to automatically detect or is it something that they will need to enter. I can see the utility of having this edited via the web interface after LibreTime is installed but we definitely need to handle the situation where they are just installing it and need to enter the information.

This could be detected, depending on what headers are passed through the proxy, but may be more reliable to ask the user to enter them.

Agree @paddatrapper, it seems to me that there are too much reverse proxy scenario and tools to try to detect it. Also users who are in this case are clearly aware of it and know how to setup their CORS URL.

Maybe showing a form if a question like "Are you installing LibreTime behind a reverse proxy" is ticked is the way to go (to not scare other users about complicated setup configurations)...

Maybe showing a form if a question like "Are you installing LibreTime behind a reverse proxy" is ticked is the way to go (to not scare other users about complicated setup configurations)...

Good idea. I think this is definitely the way to go

Ran into this again today. Preventing log-in the first time makes LibreTime completely unusable behind a proxy at the moment without the workaround

Ok yeah let's make this a priority again. I can hopefully work on it but not sure how much coding time I'll be able to do.

Was this page helpful?
0 / 5 - 0 ratings