CaramelFur / Picsur

An easy to use, selfhostable image sharing service like Imgur with built in converting
https://picsur.org/
GNU Affero General Public License v3.0
774 stars 41 forks

Cross-Origin Resource Policy (CORS) and Apache issues #52

Closed jason-weiser closed 8 months ago

jason-weiser commented 1 year ago

Hi! Thank you so much for your work on this project. I just started it up and it seems like it's exactly what I'm looking for.

I am having one issue, though, and I'm almost certain it has to do with my config.

I have everything behind an Apache reverse proxy and I can access my site, upload, and view images on there just fine, but when I try to embed those images into a different website, I get this error in firefox:

'The resource at “https://MYSITE.jpg” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#'

Here is my docker-compose.yml:

version: '3'
services:
  picsur:
    image: ghcr.io/caramelfur/picsur:latest
    container_name: picsur
    ports:
      - '8080:8080'
    environment:
      PICSUR_HOST: '0.0.0.0'
      PICSUR_PORT: 8080
      PICSUR_DB_HOST: picsur_postgres
      # PICSUR_DB_PORT: 5432
      # PICSUR_DB_USERNAME: picsur
      # PICSUR_DB_PASSWORD: picsur
      # PICSUR_DB_DATABASE: picsur

      ## The default username is admin, this is not modifiable
      PICSUR_ADMIN_PASSWORD: PASSWORDDD

      ## Optional, random secret will be generated if not set
      # PICSUR_JWT_SECRET: CHANGE_ME
      # PICSUR_JWT_EXPIRY: 7d

      ## Maximum accepted size for uploads in bytes
      # PICSUR_MAX_FILE_SIZE: 128000000
      ## No need to touch this, unless you use a custom frontend
      # PICSUR_STATIC_FRONTEND_ROOT: "/picsur/frontend/dist"

      ## Warning: Verbose mode might log sensitive data
      # PICSUR_VERBOSE: "true"
    restart: unless-stopped
  picsur_postgres:
    image: postgres:14-alpine
    container_name: picsur_postgres
    environment:
      POSTGRES_DB: picsur
      POSTGRES_PASSWORD: picsur
      POSTGRES_USER: picsur
    restart: unless-stopped
    volumes:
      - /location/for/volume/picsur-data:/var/lib/postgresql/data
#volumes:
#picsur-data:

And here's my Apache conf:

<VirtualHost *:443>
    ServerName picsur.mysite.tld
    SSLEngine on
    SSLProxyEngine On
    ProxyPreserveHost On
    Header set Access-Control-Allow-Origin: "*"
    ProxyPass /  http://0.0.0.0:8080/
    ProxyPassReverse /  http://0.0.0.0:8080/
    RequestHeader set X-Forwarded-Proto "https"

    SSLCertificateFile file.pem
    SSLCertificateKeyFile file.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:80>
    ServerName picsur.mysite.tld
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =picsur.mysite.tld
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Like I said, I'm almost certain it's an issue with my config, but I can't seem to figure out what that is. Would you happen to know?

krhnoo commented 1 year ago

I'm going to guesstimate that this is the change that causes this:

https://github.com/CaramelFur/Picsur/commit/b8db72bac44a858ccc5319ddee2b6d83c81ed4a9#diff-0c2985c7b189bc65e8ded71e24c833e2d788288beaba00cad243a42ce5c625a2

Reverting back to 0.5.1 fixed this for me.

crosa7 commented 1 year ago

I am also having the same issue, can't request images from my website. Reverting to 0.5.1 like @krhnoo suggested fixed the issue.

chennin commented 1 year ago

Same. Nginx solution snippet:

      add_header Access-Control-Allow-Origin *;
      proxy_hide_header cross-origin-resource-policy;
      add_header cross-origin-resource-policy cross-origin;

mptpro commented 10 months ago

Do y'all think this is the cause of my problem? #64

ERR1R commented 10 months ago

This works for me but only when I added this line:

Header always set Cross-Origin-Resource-Policy "cross-origin"

My config for Apache:

<VirtualHost yourdomain.com:443>
    ServerName yourdomain.com

    SSLEngine on
    SSLCertificateFile fullchain.pem
    SSLCertificateKeyFile privkey.pem
    SSLCertificateChainFile fullchain.pem
    SSLUseStapling on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder On

    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass / http://localhost:8286/
    ProxyPassReverse / http://localhost:8286/
    RequestHeader set X-Forwarded-Proto "https"

    # Access-Control-Allow-Origin must be a full origin (scheme://host[:port]) or "*";
    # a bare hostname is not a valid origin and browsers reject it.
    Header always set Access-Control-Allow-Origin "https://yourdomain.com"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
    Header always set Access-Control-Max-Age "600"
    # This is the line that unblocks <img> embeds from other sites: it replaces the
    # Cross-Origin-Resource-Policy header the backend sends (same-origin) with cross-origin.
    Header always set Cross-Origin-Resource-Policy "cross-origin"

    #RemoteIPHeader CF-Connecting-IP
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# SSLStaplingCache must be set in the global (server) context, not inside a VirtualHost.
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

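The browser-side check that produces the Firefox message quoted at the top of the thread, written out as an added example (this is neither Picsur's code nor any commenter's). It applies the "cross-origin resource policy check" from the Fetch specification to a set of response headers, so you can see why a `same-origin` CORP header blocks an image embedded from another site and why the nginx and Apache overrides posted above (`cross-origin`) unblock it. The hostnames, the header sets and the `embedder_policy` parameter are assumptions for illustration; the same-site test uses a last-two-labels approximation instead of the Public Suffix List a real browser consults.

```python
"""Decide whether a browser's Cross-Origin-Resource-Policy (CORP) check
would block an embedded resource such as <img src="https://picsur.example/...">.

Added example, not Picsur code. Follows the Fetch spec's cross-origin
resource policy check; the same-site test is a simplification (no PSL).
"""
import sys
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
CORP_VALUES = ("same-origin", "same-site", "cross-origin")


def origin(url):
    """(scheme, host, port) tuple; default ports filled in so https://a == https://a:443."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def registrable_domain(host):
    # Simplification: last two labels. Browsers use the Public Suffix List,
    # so e.g. "foo.co.uk" is handled differently there.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def same_site(a, b):
    oa, ob = origin(a), origin(b)
    return oa[0] == ob[0] and registrable_domain(oa[1]) == registrable_domain(ob[1])


def parse_corp(headers):
    """Return the CORP token, or None if absent or not one of the three spec values.

    The spec compares the token exactly, so a proxy must emit the lowercase value.
    """
    for name, value in headers.items():
        if name.lower() == "cross-origin-resource-policy":
            value = value.strip()
            return value if value in CORP_VALUES else None
    return None


def corp_decision(page_url, resource_url, headers, embedder_policy="unsafe-none"):
    """Return (blocked, reason) for a no-cors load of resource_url from page_url.

    embedder_policy is the embedding page's Cross-Origin-Embedder-Policy; with
    require-corp/credentialless a missing CORP header is treated as same-origin,
    which is the "(or lack thereof)" part of Firefox's message.
    """
    if same_origin(page_url, resource_url):
        return False, "same-origin load; CORP is not consulted"
    policy = parse_corp(headers)
    if policy is None:
        if embedder_policy in ("require-corp", "credentialless"):
            policy = "same-origin"
        else:
            return False, "no CORP header and the page sets no COEP; allowed"
    if policy == "cross-origin":
        return False, "CORP: cross-origin; allowed from any site"
    if policy == "same-origin":
        return True, "CORP: same-origin (or absent under COEP); blocked for another origin"
    if same_site(page_url, resource_url):
        return False, "CORP: same-site and the page is same-site; allowed"
    return True, "CORP: same-site but the page is a different site; blocked"


def corp_blocks(page_url, resource_url, headers, embedder_policy="unsafe-none"):
    return corp_decision(page_url, resource_url, headers, embedder_policy)[0]


def fetch_headers(url, timeout=10):
    """HEAD the resource and return its response headers as a dict (live check)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "corp-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: what a backend sending CORP same-origin returns,
# and what the same response looks like after the reverse proxy rewrites it.
BACKEND_HEADERS = {"Content-Type": "image/jpeg", "Cross-Origin-Resource-Policy": "same-origin"}
PROXY_FIXED_HEADERS = {"Content-Type": "image/jpeg", "Cross-Origin-Resource-Policy": "cross-origin"}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: corp_check.py <embedding-page-url> <image-url>")
        sys.exit(2)
    blocked, why = corp_decision(sys.argv[1], sys.argv[2], fetch_headers(sys.argv[2]))
    print(("BLOCKED: " if blocked else "allowed: ") + why)
```

Run it as `python corp_check.py https://blog.example https://picsur.example/i/abc.jpg` against a live instance; it HEADs the image and reports the decision (a quick `curl -sI <image-url> | grep -i cross-origin` shows the raw header). The point the thread turns on is visible in `corp_decision`: an `<img>` load is a no-cors request, so `Access-Control-Allow-Origin` never enters the decision; only the CORP token does, which is why the nginx `proxy_hide_header` plus `add_header cross-origin` and the Apache `Header always set Cross-Origin-Resource-Policy "cross-origin"` lines fix it while the `Access-Control-Allow-Origin "*"` line alone does not.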
XintaoPeach commented 9 months ago

I have the same problem; going back to version 0.5.1, the problem has been solved.

CaramelFur commented 8 months ago

Should be fixed in the next version.