azorius.aria.company

Help fixing invalid origin with memos
from Thoven@lemdro.id to selfhosted@lemmy.world on 29 Mar 22:10
https://lemdro.id/post/20155167

Running joplin and memos in docker, routed through nginx. Since I don’t own a domain I’m just using my public ip with ports and port forwarding. Joplin was throwing the same invalid origin error, but worked after I set APP_BASE_URL: http://<IP>:<port>. I tried setting SITE_URL=http://<IP>:<port2> under environment, which I’ve read is supposed to fix this exact problem. Same error. The error displays the correct address including port number, so I know that’s being passed correctly. I’ve tried several different variations of the Host, Origin, and Referer header without success. Just for fun I tried directly exposing <port2> on the memos instance and it opened right up in the browser.

PS: Yes, I know I should be using https. I’m lazy. Setting up a cert is on the old todo list.

#selfhosted

threaded - newest

catloaf@lemm.ee on 29 Mar 23:09 next collapse

Stop exposing services like these to the Internet. If you need remote access, use a VPN.

You don’t need to own a domain either. Use a free dynamic DNS provider.

And if you don’t need remote access, don’t bother with that at all. Just run a local DNS server with records for these services with anything under the .internal TLD. Or even just IP address.

HTTPS can come later. It’s really not important for traffic that’s not sensitive, like no passwords or whatever.

Thoven@lemdro.id on 30 Mar 00:17 next collapse

Definitely need remote access, and tunneling in every time I want to sync my notes app is way too much work. I’ve containerized these services as a security layer and you need user creds to access anything without an exploit. I’m comfortable with that level of risk.

Dynamic DNS is a very cool thing I didn’t know exists. I’ll definitely look into it further! But for the time being I still need a fix for my problem.

silenium_dev@feddit.org on 30 Mar 09:44 collapse

There’s no reason not to expose those services to the Internet, they have authentication, and noone can access them without logging in first. There are actually reasons for exposing them, you can share a memo or a file to other people. You should enable HTTPS though to prevent passwords being transferred in clear text.

catloaf@lemm.ee on 30 Mar 13:03 collapse

You assume there is no vulnerability in the web server itself, or a vulnerability that allows bypassing authentication.

silenium_dev@feddit.org on 30 Mar 09:41 collapse

If you’re exposing memos through nginx, the SITE_URL needs to be the public url where nginx exposed memos (so exactly the same as you enter in your browser), not the Public-IP and the internal port of memos.

Thoven@lemdro.id on 30 Mar 15:24 collapse

IP and port are what I put in my browser