How to disable CORS error to access /api from another domain? #3842

Closed
opened 2026-02-05 07:38:46 +03:00 by OVERLORD · 4 comments
Owner

Originally created by @sirlordt on GitHub (Jun 7, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hello, I am trying to access /api from another domain using JavaScript in a browser, but I always get CORS errors.

How do I disable CORS? I know this project is written in PHP with Laravel, but I cannot find a doc that works.

I tried with a headers directive in index.php.
I tried changing app.php, adding allows_origins: "*".

But nothing works.

Thanks in advance.

Exact BookStack Version

Latest from Docker Hub

Log Content

No response

PHP Version

8.0

Hosting Environment

Docker container from docker hub

OVERLORD added the 🐕 Support label 2026-02-05 07:38:46 +03:00

@ssddanbrown commented on GitHub (Jun 7, 2023):

> I tried with headers directive in index.php.
> I tried change the app.php added allows_origins: "*",

Please avoid altering core app files, especially in the docker environment as changes will be easily lost.

I'd recommend altering/setting CORS headers at your webserver level.
You could maybe do this within the container web-server, or if you're using a proxy layer then that might be more appropriate.

  • Are you using a reverse proxy with your containers? If so, what are you using?
  • What container image are you using and how are you running/managing your containers?

@sirlordt commented on GitHub (Jun 7, 2023):

I use a reverse proxy haproxy (I can switch to nginx).
I am using a docker image: lscr.io/linuxserver/bookstack. (I can access it inside the container).

Partial docker-compose.yaml file content:

```yml
wiki.web.server.01:
    image: lscr.io/linuxserver/bookstack
    container_name: wiki.web.server.01
    depends_on:
      - wiki.mysql.server.01
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=https://mydomain.com/docs/wiki
      - DB_HOST=wiki.mysql.server.01
      - DB_PORT=3306
      - DB_USER=root
      - DB_PASS=super_secret
      - DB_DATABASE=WikiDB
      - TZ=America/Los_Angeles
```

@ssddanbrown commented on GitHub (Jun 8, 2023):

Okay, so the linuxserver exposes its nginx config via a `/config/nginx/site-confs/default.conf` file. You should have the `/config` path mounted to the host system.
Within this `default.conf` file you could add `add_header "Access-Control-Allow-Origin" *;` within the `server {` block.

Note, this is a workaround for a security control, so opening up access like this does have security considerations.
If required, you could probably find some config to only set that header when the request is originating from a specific (trusted) domain.
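
An added example, not part of the original comment or of the BookStack/linuxserver configuration: one way to set the header only for trusted origins, as the comment above suggests. The two origins are constructed placeholders, and it assumes `default.conf` is included in nginx's `http` context so the `map` can sit above the `server {` block.

```nginx
# Added example. Origins are constructed placeholders; replace with your own.
# The map must live in the http context, i.e. outside the server { } block.
map $http_origin $cors_allow_origin {
    default                        "";            # unknown origin: no header sent
    "https://app.example.com"      $http_origin;  # trusted front end (placeholder)
    "https://tools.example.com"    $http_origin;  # second trusted origin (placeholder)
}

server {
    # ... existing directives from default.conf stay as they are ...

    # Open setting from the thread: any site can read API responses.
    # add_header "Access-Control-Allow-Origin" *;

    # Restricted form: echo the Origin only when it is on the allowlist.
    # nginx omits a header whose value is an empty string.
    add_header Access-Control-Allow-Origin $cors_allow_origin always;

    # The response now differs per Origin, so tell caches to key on it.
    add_header Vary Origin always;
}
```

`add_header` directives at `server` level are not inherited by a `location` block that defines its own `add_header`, so repeat the two lines in any such block.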


@sirlordt commented on GitHub (Jun 11, 2023):

> Okay, so the linuxserver exposes its nginx config via a `/config/nginx/site-confs/default.conf` file. You should have the `/config` path mounted to the host system. Within this `default.conf` file you could add `add_header "Access-Control-Allow-Origin" *;` within the `server {` block.
>
> Note, this is a workaround for a security control, so opening up access like this does have security considerations. If required, you could probably find some config to only set that header when the request is originating from a specific (trusted) domain.

OK, thanks. It is working now.


Reference: starred/BookStack#3842