From 2b13ee7163f125077a075d152f0030158240bd77 Mon Sep 17 00:00:00 2001
From: Andreas Dueren
Date: Thu, 30 Oct 2025 10:49:54 -0600
Subject: [PATCH] Fix CORS handling and real IP logging

---
 CHANGELOG.md | 16 +++-
 start.sh | 240 +++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 228 insertions(+), 28 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82f3a21..007b1c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 0.4.5 (2025-10-30)
+
+* Serve photos UI on the primary hostname and mount other apps on `accounts/auth/cast/albums/family.`
+* Enable multiDomain in the manifest so aliases can be set in Cloudron UI
+* Simplified documentation for S3 setup and alias domains
+* Fix CORS responses for auth subdomains and forward real client IPs from Cloudron proxy
+
+## 0.4.4 (2025-10-30)
+
+* Restore Cloudflare R2 path-style URLs and simplify to a single hot-storage data center
+* Serve the frontend apps on dedicated subdomains (photos/accounts/auth/cast/albums/family)
+* Startup script now regenerates Caddy and Museum configs for the new host layout
+* Added post-install checklist entries and updated docs for required DNS records
+
 ## 0.4.3 (2025-10-29)
 
 * Always regenerate Museum configuration on startup to pick up S3 credential changes
@@ -23,4 +37,4 @@
 * Integrates with PostgreSQL database
 * Integrates with S3-compatible object storage
 * Integrates with Cloudron mail system
-* Provides web UI for photos and authentication
\ No newline at end of file
+* Provides web UI for photos and authentication
diff --git a/start.sh b/start.sh
index 053f2ce..56b2a76 100755
--- a/start.sh
+++ b/start.sh
@@ -50,14 +50,61 @@ fi
 touch "$STARTUP_FLAG"
 trap 'rm -f "$STARTUP_FLAG"' EXIT
-BASE_URL="${CLOUDRON_APP_ORIGIN:-https://$CLOUDRON_APP_FQDN}"
+APP_FQDN="${CLOUDRON_APP_DOMAIN:-${CLOUDRON_APP_FQDN:-localhost}}"
+BASE_URL="${CLOUDRON_APP_ORIGIN:-https://$APP_FQDN}"
 BASE_URL="${BASE_URL%/}"
-RP_ID="${CLOUDRON_APP_FQDN:-${CLOUDRON_APP_DOMAIN:-localhost}}"
-API_ORIGIN="${BASE_URL}/api"
+
+ROOT_DOMAIN="$APP_FQDN"
+if [ "$APP_FQDN" != "localhost" ] && expr "$APP_FQDN" : '.*\..*' >/dev/null; then
+ ROOT_DOMAIN="${APP_FQDN#*.}"
+fi
+
+PHOTOS_HOST="$APP_FQDN"
+ACCOUNTS_HOST="$APP_FQDN"
+AUTH_HOST="$APP_FQDN"
+CAST_HOST="$APP_FQDN"
+ALBUMS_HOST="$APP_FQDN"
+FAMILY_HOST="$APP_FQDN"
+
+USE_SUBDOMAIN_ROUTING=false
+if [ "$APP_FQDN" != "localhost" ] && [ "$ROOT_DOMAIN" != "$APP_FQDN" ]; then
+ ACCOUNTS_HOST="accounts.${ROOT_DOMAIN}"
+ AUTH_HOST="auth.${ROOT_DOMAIN}"
+ CAST_HOST="cast.${ROOT_DOMAIN}"
+ ALBUMS_HOST="albums.${ROOT_DOMAIN}"
+ FAMILY_HOST="family.${ROOT_DOMAIN}"
+ USE_SUBDOMAIN_ROUTING=true
+fi
+
+PHOTOS_URL="https://${PHOTOS_HOST}"
+if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
+ ACCOUNTS_URL="https://${ACCOUNTS_HOST}"
+ AUTH_URL="https://${AUTH_HOST}"
+ CAST_URL="https://${CAST_HOST}"
+ FAMILY_URL="https://${FAMILY_HOST}"
+ ALBUMS_URL="https://${ALBUMS_HOST}"
+else
+ ACCOUNTS_URL="${BASE_URL}/accounts"
+ AUTH_URL="${BASE_URL}/auth"
+ CAST_URL="${BASE_URL}/cast"
+ FAMILY_URL="${BASE_URL}/family"
+ ALBUMS_URL="${BASE_URL}/albums"
+fi
+
+if [ "$APP_FQDN" != "localhost" ]; then
+ API_BASE="https://${APP_FQDN}"
+else
+ API_BASE="$BASE_URL"
+fi
+API_ORIGIN="${API_BASE}/api"
+RP_ID="$PHOTOS_HOST"
 log INFO "Application base URL: $BASE_URL"
 log INFO "Relying party ID: $RP_ID"
 log INFO "API origin: $API_ORIGIN"
+if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
+ log INFO "Serving frontend hosts: photos=${PHOTOS_HOST}, accounts=${ACCOUNTS_HOST}, auth=${AUTH_HOST}, cast=${CAST_HOST}"
+fi
 S3_CONFIG_FILE="$CONFIG_DIR/s3.env"
 if [ ! -f "$S3_CONFIG_FILE" ]; then
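Review bot: The root-domain derivation at `ROOT_DOMAIN="${APP_FQDN#*.}"` only checks that APP_FQDN contains a dot, so an app installed on an apex such as `example.com` yields ROOT_DOMAIN=`com`, and because that differs from APP_FQDN subdomain routing switches on with hosts like `auth.com` and `accounts.com` — origins this instance does not own, which then flow into the museum `apps:` URLs and the frontend URL rewrites in the later hunks. A label should only be stripped when what remains is itself a dotted name, and the result should ideally be overridable since multi-label public suffixes such as `co.uk` would still mis-derive: `case "${APP_FQDN#*.}" in *.*) ROOT_DOMAIN="${APP_FQDN#*.}" ;; esac`. Separately, API_BASE is pinned to `https://${APP_FQDN}` for every non-localhost host while BASE_URL still honours CLOUDRON_APP_ORIGIN, so the two can disagree whenever that variable is set; if that is not intended, `API_BASE="$BASE_URL"` keeps them aligned. Minor: `expr "$APP_FQDN" : '.*\..*'` forks a process for a test that `[[ "$APP_FQDN" == *.* ]]` or a `case` pattern does natively.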
@@ -299,13 +346,13 @@ http:
 use-tls: false
 apps:
- public-albums: "$BASE_URL/albums"
- public-locker: "$BASE_URL/photos"
- accounts: "$BASE_URL/accounts"
- cast: "$BASE_URL/cast"
- family: "$BASE_URL/family"
+ public-albums: "$ALBUMS_URL"
+ public-locker: "$PHOTOS_URL"
+ accounts: "$ACCOUNTS_URL"
+ cast: "$CAST_URL"
+ family: "$FAMILY_URL"
 custom-domain:
- cname: "${CLOUDRON_APP_DOMAIN:-localhost}"
+ cname: "${APP_FQDN}"
 db:
 host: ${CLOUDRON_POSTGRESQL_HOST}
@@ -356,7 +403,7 @@ internal:
 webauthn:
 rpid: "$RP_ID"
 rporigins:
- "$BASE_URL"
+ "$PHOTOS_URL"
 key:
 encryption: $MASTER_KEY
@@ -377,7 +424,7 @@ oidc:
 issuer: "${CLOUDRON_OIDC_IDENTIFIER}"
 client_id: "${CLOUDRON_OIDC_CLIENT_ID}"
 client_secret: "${CLOUDRON_OIDC_CLIENT_SECRET}"
- redirect_url: "$BASE_URL/api/v1/session/callback"
+ redirect_url: "$API_BASE/api/v1/session/callback"
 EOF_CFG
 fi
@@ -453,14 +500,14 @@ if [ -d "$WEB_RUNTIME_DIR" ]; then
 FRONTEND_REPLACEMENTS=(
 "ENTE_API_ORIGIN_PLACEHOLDER|$API_ORIGIN"
 "https://api.ente.io|$API_ORIGIN"
- "https://accounts.ente.io|$BASE_URL/accounts"
- "https://auth.ente.io|$BASE_URL/auth"
- "https://cast.ente.io|$BASE_URL/cast"
- "https://photos.ente.io|$BASE_URL/photos"
- "https://web.ente.io|$BASE_URL/photos"
- "https://albums.ente.io|$BASE_URL/albums"
- "https://family.ente.io|$BASE_URL/family"
- "https://ente.io|$BASE_URL"
+ "https://accounts.ente.io|$ACCOUNTS_URL"
+ "https://auth.ente.io|$AUTH_URL"
+ "https://cast.ente.io|$CAST_URL"
+ "https://photos.ente.io|$PHOTOS_URL"
+ "https://web.ente.io|$PHOTOS_URL"
+ "https://albums.ente.io|$ALBUMS_URL"
+ "https://family.ente.io|$FAMILY_URL"
+ "https://ente.io|$PHOTOS_URL"
 )
 OLD_IFS="$IFS"
 for entry in "${FRONTEND_REPLACEMENTS[@]}"; do
@@ -483,10 +530,14 @@ chown -R cloudron:cloudron "$DATA_DIR/home"
 chmod 700 "$DATA_DIR/home"
 log INFO "Rendering Caddy configuration"
+if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
 cat > "$CADDY_CONFIG" < "$CADDY_CONFIG" < "$CADDY_CONFIG" < "$CADDY_CONFIG" < "$CADDY_CONFIG" <
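Review bot: With subdomain routing enabled, `rporigins` lists only `$PHOTOS_URL` while `rpid` stays the photos host, so a WebAuthn ceremony started from the accounts host (`accounts.<root>`) would be rejected — its origin is not in the allow-list, and the photos host is not a registrable suffix of it. If the accounts app is where passkeys are registered (it is one of the apps this commit moves onto its own subdomain), the hunk should add `- "$ACCOUNTS_URL"` under rporigins and the RP ID needs to be a common parent such as `$ROOT_DOMAIN` from the earlier hunk, with the caveat that a parent-domain RP ID is shared by every host beneath it and so must not be wider than the hosts this app actually controls. The webauthn block sits inside a here-doc whose start and end lie outside this hunk.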