paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-11-03 03:16:10 -06:00
Code Issues Packages Projects Releases Wiki Activity

add PAPERLESS_URL env variable for CSRF

Browse Source
This commit is contained in:
Michael Shamoon
2022-04-07 21:17:59 -07:00
parent 40b09d51b5
commit eb7cc30394
4 changed files with 46 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docker/compose/docker-compose.env
View File

@@ -22,6 +22,10 @@
# Docker setup does not use the configuration file. # Docker setup does not use the configuration file.
# A few commonly adjusted settings are provided below. # A few commonly adjusted settings are provided below.
# This is required if you will be exposing Paperless-ngx on a public domain
# (if doing so please consider security measures such as reverse proxy)
#PAPERLESS_URL=https://paperless.example.com
# Adjust this key if you plan to make paperless available publicly. It should # Adjust this key if you plan to make paperless available publicly. It should
# be a very long sequence of random characters. You don't need to remember it. # be a very long sequence of random characters. You don't need to remember it.
#PAPERLESS_SECRET_KEY=change-me #PAPERLESS_SECRET_KEY=change-me

12
install-paperless-ngx.sh
View File

@@ -92,6 +92,14 @@ echo ""
echo "1. Application configuration" echo "1. Application configuration"
echo "============================" echo "============================"
echo ""
echo "The URL paperless will be available at. This is required if the"
echo "installation will be accessible via the web, otherwise can be left blank."
echo ""
ask "URL" ""
URL=$ask_result
echo "" echo ""
echo "The port on which the paperless webserver will listen for incoming" echo "The port on which the paperless webserver will listen for incoming"
echo "connections." echo "connections."
@@ -278,6 +286,7 @@ if [[ "$DATABASE_BACKEND" == "postgres" ]] ; then
fi fi
fi fi
echo "" echo ""
echo "URL: $URL"
echo "Port: $PORT" echo "Port: $PORT"
echo "Database: $DATABASE_BACKEND" echo "Database: $DATABASE_BACKEND"
echo "Tika enabled: $TIKA_ENABLED" echo "Tika enabled: $TIKA_ENABLED"
@@ -313,6 +322,9 @@ SECRET_KEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)
DEFAULT_LANGUAGES="deu eng fra ita spa" DEFAULT_LANGUAGES="deu eng fra ita spa"
{ {
if [[ ! $URL == "" ]] ; then
echo "PAPERLESS_URL=$URL"
fi
if [[ ! $USERMAP_UID == "1000" ]] ; then if [[ ! $USERMAP_UID == "1000" ]] ; then
echo "USERMAP_UID=$USERMAP_UID" echo "USERMAP_UID=$USERMAP_UID"
fi fi

6
paperless.conf.example
View File

@@ -27,8 +27,10 @@
# Security and hosting # Security and hosting
#PAPERLESS_SECRET_KEY=change-me #PAPERLESS_SECRET_KEY=change-me
#PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com #PAPERLESS_URL=https://example.com
#PAPERLESS_CORS_ALLOWED_HOSTS=http://example.com,http://localhost:8000 #PAPERLESS_CSRF_TRUSTED_ORIGINS=https://example.com # can be set using PAPERLESS_URL
#PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com # can be set using PAPERLESS_URL
#PAPERLESS_CORS_ALLOWED_HOSTS=https://localhost:8080,https://example.com # can be set using PAPERLESS_URL
#PAPERLESS_FORCE_SCRIPT_NAME= #PAPERLESS_FORCE_SCRIPT_NAME=
#PAPERLESS_STATIC_URL=/static/ #PAPERLESS_STATIC_URL=/static/
#PAPERLESS_AUTO_LOGIN_USERNAME= #PAPERLESS_AUTO_LOGIN_USERNAME=

33
src/paperless/settings.py
View File

@@ -4,6 +4,7 @@ import multiprocessing
import os import os
import re import re
from typing import Final from typing import Final
from urllib.parse import urlparse
from concurrent_log_handler.queue import setup_logging_queues from concurrent_log_handler.queue import setup_logging_queues
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
@@ -219,7 +220,15 @@ if DEBUG:
else: else:
X_FRAME_OPTIONS = "SAMEORIGIN" X_FRAME_OPTIONS = "SAMEORIGIN"
# We allow CORS from localhost:8080
# The next 3 settings can also be set using just PAPERLESS_URL
_csrf_origins = os.getenv("PAPERLESS_CSRF_TRUSTED_ORIGINS")
if _csrf_origins:
CSRF_TRUSTED_ORIGINS = _csrf_origins.split(",")
else:
CSRF_TRUSTED_ORIGINS = []
# We allow CORS from localhost:8000
CORS_ALLOWED_ORIGINS = tuple( CORS_ALLOWED_ORIGINS = tuple(
os.getenv("PAPERLESS_CORS_ALLOWED_HOSTS", "http://localhost:8000").split(","), os.getenv("PAPERLESS_CORS_ALLOWED_HOSTS", "http://localhost:8000").split(","),
) )
@@ -228,6 +237,22 @@ if DEBUG:
# Allow access from the angular development server during debugging # Allow access from the angular development server during debugging
CORS_ALLOWED_ORIGINS += ("http://localhost:4200",) CORS_ALLOWED_ORIGINS += ("http://localhost:4200",)
_allowed_hosts = os.getenv("PAPERLESS_ALLOWED_HOSTS")
if _allowed_hosts:
ALLOWED_HOSTS = _allowed_hosts.split(",")
else:
ALLOWED_HOSTS = ["*"]
_paperless_url = os.getenv("PAPERLESS_URL")
if _paperless_url:
_paperless_uri = urlparse(_paperless_url)
CSRF_TRUSTED_ORIGINS.append(_paperless_url)
CORS_ALLOWED_ORIGINS += (_paperless_url,)
if _allowed_hosts:
ALLOWED_HOSTS.append(_paperless_uri.hostname)
else:
ALLOWED_HOSTS = [_paperless_uri.hostname]
# The secret key has a default that should be fine so long as you're hosting # The secret key has a default that should be fine so long as you're hosting
# Paperless on a closed network. However, if you're putting this anywhere # Paperless on a closed network. However, if you're putting this anywhere
# public, you should change the key to something unique and verbose. # public, you should change the key to something unique and verbose.
@@ -236,12 +261,6 @@ SECRET_KEY = os.getenv(
"e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee", "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee",
) )
_allowed_hosts = os.getenv("PAPERLESS_ALLOWED_HOSTS")
if _allowed_hosts:
ALLOWED_HOSTS = _allowed_hosts.split(",")
else:
ALLOWED_HOSTS = ["*"]
AUTH_PASSWORD_VALIDATORS = [ AUTH_PASSWORD_VALIDATORS = [
{ {
"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator", "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",