From 5a3c7b145aebc1b8caf1d4651fda4c00b0de6405 Mon Sep 17 00:00:00 2001
From: Debanjum
Date: Tue, 28 Jan 2025 16:10:21 +0700
Subject: [PATCH] Decouple Django CSRF, ALLOWED_HOST settings for more complex setups
- Set KHOJ_ALLOWED_DOMAIN to the domain that Khoj is accessible on from the host machine. This can be the internal i.p or domain of the host machine. It can be used by your load balancer/reverse_proxy to access Khoj. For example, if the load balancer service is in the khoj docker network, KHOJ_DOMAIN will be `server' (i.e service name).
- Set KHOJ_DOMAIN to your externally accessible DOMAIN or I.P to avoid CSRF trusted origin or unset cookie issue when trying to access the khoj admin panel.
Resolves #1114
---
 docker-compose.yml | 8 +++++++-
 documentation/docs/get-started/setup.mdx | 7 ++++++-
 src/khoj/app/settings.py | 5 +++--
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 053dbbbe..22371182 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -81,12 +81,18 @@ services:
 # - OLOSTEP_API_KEY=your_olostep_api_key
 #
 # Uncomment the necessary lines below to make your instance publicly accessible.
- # Replace the KHOJ_DOMAIN with either your domain or IP address (no http/https prefix).
 # Proceed with caution, especially if you are using anonymous mode.
 # ---
 # - KHOJ_NO_HTTPS=True
+ # Replace the KHOJ_DOMAIN with the server's externally accessible domain or I.P address from a remote machie (no http/https prefix).
+ # Ensure this is set correctly to avoid CSRF trusted origin or unset cookie issue when trying to access the admin panel.
 # - KHOJ_DOMAIN=192.168.0.104
 # - KHOJ_DOMAIN=khoj.example.com
+ # Replace the KHOJ_ALLOWED_DOMAIN with the server's internally accessible domain or I.P address on the host machine (no http/https prefix).
+ # Only set if using a load balancer/reverse_proxy in front of your Khoj server. If unset, it defaults to KHOJ_DOMAIN.
+ # For example, if the load balancer service is added to the khoj docker network, set KHOJ_ALLOWED_DOMAIN to khoj's docker service name: `server'.
+ # - KHOJ_ALLOWED_DOMAIN=server
+ # - KHOJ_ALLOWED_DOMAIN=127.0.0.1
 # Uncomment the line below to disable telemetry.
 # Telemetry helps us prioritize feature development and understand how people are using Khoj
 # Read more at https://docs.khoj.dev/miscellaneous/telemetry
diff --git a/documentation/docs/get-started/setup.mdx b/documentation/docs/get-started/setup.mdx
index cf71b441..c6cdec42 100644
--- a/documentation/docs/get-started/setup.mdx
+++ b/documentation/docs/get-started/setup.mdx
@@ -283,9 +283,14 @@ Go to http://localhost:42110/server/admin and login with the admin credentials y
 Ensure you are using **localhost, not 127.0.0.1**, to access the admin panel to avoid the CSRF error.
 :::
+:::info[CSRF Trusted Origin or Unset Cookie Error]
+If using a load balancer/reverse_proxy in front of your Khoj server: Set the environment variable KHOJ_ALLOWED_DOMAIN=your-internal-ip-or-domain to avoid this error.
+If unset, it defaults to KHOJ_DOMAIN.
+:::
 :::info[DISALLOWED HOST or Bad Request (400) Error]
 You may hit this if you try access Khoj exposed on a custom domain (e.g. 192.168.12.3 or example.com) or over HTTP.
-Set the environment variables KHOJ_DOMAIN=your-domain and KHOJ_NO_HTTPS=True if required to avoid this error.
+Set the environment variables KHOJ_DOMAIN=your-external-ip-or-domain and KHOJ_NO_HTTPS=True if required to avoid this error.
 :::
 :::tip[Note]
diff --git a/src/khoj/app/settings.py b/src/khoj/app/settings.py
index 708e11d0..48879f60 100644
--- a/src/khoj/app/settings.py
+++ b/src/khoj/app/settings.py
@@ -32,7 +32,8 @@ DEBUG = in_debug_mode()
 # All Subdomains of KHOJ_DOMAIN are trusted
 KHOJ_DOMAIN = os.getenv("KHOJ_DOMAIN", "khoj.dev")
-ALLOWED_HOSTS = [f".{KHOJ_DOMAIN}", "localhost", "127.0.0.1", "[::1]", f"{KHOJ_DOMAIN}"]
+KHOJ_ALLOWED_DOMAIN = os.getenv("KHOJ_ALLOWED_DOMAIN", KHOJ_DOMAIN)
+ALLOWED_HOSTS = [f".{KHOJ_ALLOWED_DOMAIN}", "localhost", "127.0.0.1", "[::1]", f"{KHOJ_ALLOWED_DOMAIN}"]
 CSRF_TRUSTED_ORIGINS = [
 f"https://*.{KHOJ_DOMAIN}",
@@ -45,7 +46,7 @@ CSRF_TRUSTED_ORIGINS = [
 DISABLE_HTTPS = is_env_var_true("KHOJ_NO_HTTPS")
 COOKIE_SAMESITE = "None"
-if DEBUG or os.getenv("KHOJ_DOMAIN") == None:
+if DEBUG and os.getenv("KHOJ_DOMAIN") == None:
 SESSION_COOKIE_DOMAIN = "localhost"
 CSRF_COOKIE_DOMAIN = "localhost"
 else:
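Review bot: `ALLOWED_HOSTS` in the first settings.py hunk now names only `KHOJ_ALLOWED_DOMAIN`, so once it is set to an internal name (the `server` example in docker-compose.yml) a request whose Host header still carries the external `KHOJ_DOMAIN` — which a reverse proxy commonly forwards unchanged — is rejected by Django as DisallowedHost (400), the very error the setup docs in this commit are trying to prevent. Keep both operator-controlled names in the explicit allow-list instead of replacing one with the other: `ALLOWED_HOSTS = [f".{KHOJ_DOMAIN}", KHOJ_DOMAIN, f".{KHOJ_ALLOWED_DOMAIN}", KHOJ_ALLOWED_DOMAIN, "localhost", "127.0.0.1", "[::1]"]` — an explicit list is still the right shape here, since this setting is what rejects spoofed Host headers. In the second hunk, changing `or` to `and` means a DEBUG run that has `KHOJ_DOMAIN` set now falls into the `else:` cookie-domain branch, which the commit message does not mention; if that is intended, a comment such as `# In DEBUG, scope cookies to localhost only when no KHOJ_DOMAIN is configured` above the `if` would document it, and `== None` should be `is None`. The `else:` branch of that `if` continues outside the hunk.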