CORS problem.. Reverse proxy and authentication about cobalt HOT 6 CLOSED

hi,

Is it possible to have such configuration where there is no need to expose cobalt-api?

you will always need to expose it in some way, as the "web" part is just a frontend that does not handle any downloading logic. one way of exposing it while keeping cors=0 could be to put it on the same (sub)domain as cobalt-web, but on a subpath.

for example, suppose that you want to use the subdomain cobalt.example.com for your instance. You could do:

version: '3.7'

services:
    cobalt-api:
        image: ghcr.io/wukko/cobalt:7
        restart: unless-stopped
        container_name: cobalt-api
        init: true
        ports:
            - 127.0.0.1:9000:9000/tcp
        environment:
            - cors=0
            - apiURL=https://cobalt.example.com/
            - apiName=cobalt-api

    cobalt-web:
        image: ghcr.io/wukko/cobalt:7
        restart: unless-stopped
        container_name: cobalt-web
        init: true
        ports:
            - 127.0.0.1:9001:9001/tcp
        environment:
            - webURL=https://cobalt.example.com/
            - apiURL=https://cobalt.example.com/

and then configure your webserver to proxy the requests accordingly.
i don't know what web server you use, but here is a minimal example of how such configuration could look in nginx (sans additional SSL configuration):

# /etc/nginx/conf.d/cobalt.conf
upstream cobalt-api {
    server 127.0.0.1:9000  max_fails=0;
}

upstream cobalt-web {
    server 127.0.0.1:9001  max_fails=0;
}

server {
	listen 80;
	server_name cobalt.example.com;

	location / {
		proxy_pass http://cobalt-web;
	}

        location /api {
		proxy_pass http://cobalt-api/api;
        }
}

from cobalt.

Can you confirm, that there is no straightforward way to setup authentication in front of cobalt, while having frontend and backend on two different domains, because of the CORS issue? (e.g.: cobalt.domain.tld & cobalt-api.domain.tld)

The problem is not so much CORS in this case (that can be taken care of by setting the webURL env for the API if cors=0 is set) as that you will need to make sure that when you authenticate against cobalt.domain.tld with whatever authentication mechanism you put there, that this session will also apply to cobalt-api.domain.tld - for example, when using cookies, your authentication mechanism would need to set a cookie for .domain.tld (which basically means it applies for *.domain.tld) and not cobalt.domain.tld, because then you would obviously not be authenticated against the API subdomain (and you have no real way of authenticating against it anyways).

from cobalt.

actually, reviewing the source code, yes, you are right in that you are unable to set the CORS origin due to how cobalt determines whether it should run in API or web mode -- this is most likely an oversight, and so i will try to think of a way to fix this in the future

from cobalt.

Thanks both of you. Managed to successfully configure it as suggested.

from cobalt.

@dumbmoron I am using almost the exact setup of reverse proxy that you provided, but via Traefik. It took me (literally) the entire day to figure that out.

Can you confirm, that there is no straightforward way to setup authentication in front of cobalt, while having frontend and backend on two different domains, because of the CORS issue? (e.g.: cobalt.domain.tld & cobalt-api.domain.tld)

from cobalt.

you are right in that you are unable to set the CORS origin due to how cobalt determines whether it should run in API or web mode

fixed in 7.10.3, webURL was replaced with CORS_URL, just like in wip 8.0 :D

from cobalt.