this post was submitted on 29 Mar 2025
submitted 1 year ago* (last edited 1 year ago) by Thoven to c/selfhosted@lemmy.world
 

Running Joplin and Memos in Docker, routed through nginx. Since I don't own a domain I'm just using my public IP with ports and port forwarding. Joplin was throwing the same invalid origin error, but worked after I set APP_BASE_URL: http://<IP>:<port>. I tried setting SITE_URL=http://<IP>:<port2> under environment, which I've read is supposed to fix this exact problem. Same error. The error displays the correct address including port number, so I know that's being passed correctly. I've tried several different variations of the Host, Origin, and Referer headers without success. Just for fun I tried directly exposing <port2> on the Memos instance and it opened right up in the browser.

PS: Yes, I know I should be using https. I'm lazy. Setting up a cert is on the old todo list.

silenium_dev@feddit.org 1 points 1 year ago* (last edited 1 year ago) (1 children)

There's no reason not to expose those services to the Internet; they have authentication, and no one can access them without logging in first. There are actually reasons for exposing them: you can share a memo or a file with other people. You should enable HTTPS though to prevent passwords being transferred in clear text.

catloaf@lemm.ee 2 points 1 year ago

You assume there is no vulnerability in the web server itself, or a vulnerability that allows bypassing authentication.