From f22ebaf9a413cd38096a1364c8286b4dee5d1bd5 Mon Sep 17 00:00:00 2001 From: Ian Renton Date: Sat, 4 Oct 2025 12:25:28 +0100 Subject: [PATCH] nginx config notes --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a93a218..9c64928 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,10 @@ It's best not to serve Spothole directly on port 80, as that requires root privi Create a file at `/etc/nginx/sites-available/` called `spothole`. Give it the following contents, replacing `spothole.m0trt.radio` with the domain name on which you want to run Spothole. If you changed the port on which Spothole runs, update that on the "proxy_pass" line too. ```nginx +map $request_uri $xssorigin { + ~^/api *; +} + server { server_name spothole.m0trt.radio; @@ -93,14 +97,14 @@ server { } location / { - add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Origin $xssorigin; proxy_pass http://127.0.0.1:8080; } } ``` -One further change you might want to make to the file above is the `add_header Access-Control-Allow-Origin *;` statement. This is what's used on -my own Spothole server to make sure that other third-party web-based software can get the data from my instance. If you want +One further change you might want to make to the file above is the `add_header Access-Control-Allow-Origin` statement. This is what's used on +my own Spothole server to make sure that other third-party web-based software can get the data from my instance, and applies to any endpoint underneath `/api`. If you want *your* Spothole instance to be set up the same way, so that others can write software in JavaScript that can access it, leave this intact. But if you want your Spothole instance to only be usable by scripts running on the web server you write, you can remove this block. (Note that this doesn't stop other people writing *non-web-based* software that accesses your
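Review bot: the `map $request_uri $xssorigin` block in the first hunk has no `default`, so every request outside `/api` evaluates `$xssorigin` to an empty string; nginx omits an `add_header` whose value is empty, which appears to be the intent, but it should be made explicit with a `default "";` line and a short comment so a future reader does not assume the wildcard still applies site-wide. Two smaller points on the same hunk: the regex `~^/api` also matches paths such as `/apiv2` or `/api-docs` that are not under the `/api` prefix the README text describes, so `~^/api(/|$)` would match only what is intended; and the variable name `$xssorigin` is misleading, since the header governs CORS rather than XSS, so something like `$cors_origin` would read better in the config.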
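Review bot: the reworded paragraph in the second hunk still ends with "you can remove this block", but after this change the header value is produced by the new `map` block above `server`, so the instruction should say to remove both the `map` block and the `add_header Access-Control-Allow-Origin $xssorigin;` line (or set the map value to `""`); a reader who removes only the `add_header` line is left with an unused `map`, which is harmless but confusing. The paragraph would also benefit from one sentence stating the security effect of the change, which is the reason for it: the HTML and script responses under `/` no longer carry `Access-Control-Allow-Origin: *`, and only the data endpoints under `/api` are readable cross-origin, which is the least-privilege outcome an operator needs to know when deciding whether to keep the header.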