andreas/ente-cloudron
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restrict museum routes to primary host

Browse Source
This commit is contained in:
Andreas Dueren
2025-11-20 12:36:02 -06:00
parent 6ff0b1756d
commit ef00dde487
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
start.sh
View File

@@ -1219,7 +1219,9 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
respond 204 respond 204
} }
handle_path /api/* { @api_host host ${PHOTOS_HOST}
handle @api_host {
handle_path /api/* {
@api_cors_path header Origin * @api_cors_path header Origin *
header @api_cors_path { header @api_cors_path {
Access-Control-Allow-Origin {http.request.header.Origin} Access-Control-Allow-Origin {http.request.header.Origin}
@@ -1236,6 +1238,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
header_up X-Forwarded-For {http.request.header.X-Forwarded-For} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
}
} }
handle /health { handle /health {
@@ -1272,6 +1275,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
} }
@museum_api_get_path { @museum_api_get_path {
host ${PHOTOS_HOST}
method GET HEAD method GET HEAD
path_regexp museum_api_get_path ^/(admin|authenticator|billing|cast|collections|custom-domain|diff|discount|email-hash|emails-from-hashes|emergency-contacts|family|file|file-link|files|fire|info|job|mail|metrics|multipart-upload-urls|offers|options|pass-info|passkeys|public-collection|push|queue|remote-store|storage-bonus|thumbnail|trash|unknown-api|upload-urls|user|user-entity|verify-password)(/|$) path_regexp museum_api_get_path ^/(admin|authenticator|billing|cast|collections|custom-domain|diff|discount|email-hash|emails-from-hashes|emergency-contacts|family|file|file-link|files|fire|info|job|mail|metrics|multipart-upload-urls|offers|options|pass-info|passkeys|public-collection|push|queue|remote-store|storage-bonus|thumbnail|trash|unknown-api|upload-urls|user|user-entity|verify-password)(/|$)
} }
@@ -1285,6 +1289,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
} }
@write_methods_path { @write_methods_path {
host ${PHOTOS_HOST}
not method GET not method GET
not method HEAD not method HEAD
} }