lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update configuration and documentation

Browse Source 
- Update .env.example with latest environment variables
- Update deployment and task documentation
- Update backend configuration settings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-05-01 18:10:03 +02:00
parent 8138857ee1
commit 445c2c5418
4 changed files with 77 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.env.example
View File

@@ -48,3 +48,13 @@ BANGUI_GEOIP_DB_PATH=
# Set to "true" to enable (default is "false" for security).
BANGUI_GEOIP_ALLOW_HTTP_FALLBACK=false
# CORS Configuration (optional)
# Comma-separated list of allowed origins for cross-origin requests.
# Defaults to common localhost development origins (http://localhost:5173, http://127.0.0.1:5173, etc).
# Set this in production to your frontend domain(s).
# Examples:
# BANGUI_CORS_ALLOWED_ORIGINS=https://example.com,https://app.example.com
# BANGUI_CORS_ALLOWED_ORIGINS= (empty to disable CORS)
# WARNING: Do NOT use wildcard "*" — it defeats CORS security when credentials are enabled.
BANGUI_CORS_ALLOWED_ORIGINS=

60
Docs/Deployment.md
View File

@@ -18,7 +18,65 @@ If fail2ban goes offline but the backend always returns 200, Docker treats the c
---
## Scheduler Lock
## CORS Configuration
Cross-Origin Resource Sharing (CORS) must be explicitly configured when the frontend and backend are served from different origins.
### Development
By default, the backend allows requests from common localhost development origins:
- `http://localhost:5173`
- `http://127.0.0.1:5173`
- `https://localhost:5173`
- `https://127.0.0.1:5173`
No additional configuration is needed for local development — just run the frontend and backend normally.
### Production
In production, override the default with your actual frontend origin(s):
**Docker Compose:**
```yaml
environment:
BANGUI_CORS_ALLOWED_ORIGINS: "https://example.com,https://www.example.com"
```
**Environment File (.env):**
```
BANGUI_CORS_ALLOWED_ORIGINS=https://example.com,https://www.example.com
```
**Multiple Origins:**
Separate multiple allowed origins with commas (no spaces):
```
BANGUI_CORS_ALLOWED_ORIGINS=https://example.com,https://app.example.com,https://admin.example.com
```
**Disable CORS:**
To disable CORS entirely (e.g., when the frontend is served from the same origin as the backend):
```
BANGUI_CORS_ALLOWED_ORIGINS=
```
### Security Considerations
- **Always specify exact origins** — never use wildcard `*` in production, especially with `allow_credentials=true` (credentials mode is required for the session cookie).
- **Use HTTPS in production** — the backend enforces the Secure cookie flag, which requires HTTPS (or localhost for development).
- **Validate in reverse proxy** — if using Nginx or a CDN reverse proxy, validate the `Origin` header before forwarding requests to ensure only legitimate origins reach the backend.
### Troubleshooting
| Symptom | Cause | Solution |
|---------|-------|----------|
| `Access-Control-Allow-Origin` header missing from response | CORS not configured or origin not whitelisted | Check `BANGUI_CORS_ALLOWED_ORIGINS` and ensure your frontend origin is included |
| Browser blocks requests with CORS error | Credentials mode enabled but origin not exactly whitelisted | Ensure `BANGUI_CORS_ALLOWED_ORIGINS` includes the exact origin (protocol + domain + port) of your frontend |
| Works in development but fails in production | Default localhost origins used instead of production frontend domain | Override `BANGUI_CORS_ALLOWED_ORIGINS` in production environment |
---
In multi-instance deployments (e.g., Kubernetes, Docker Swarm), the scheduler lock prevents duplicate execution of background tasks by ensuring only one instance runs the scheduler at a time.

35
Docs/Tasks.md
View File

@@ -1,38 +1,3 @@
## [MEDIUM] Session secret rotation not implemented
**Where found**
- `backend/app/config.py` — single `session_secret` with no rotation support
**Why this is needed**
If secret leaks, all sessions compromised. No way to invalidate old sessions.
**Goal**
Support gradual secret rotation without forcing logout.
**What to do**
1. Store multiple secrets: current and previous
2. Accept tokens signed with either key
3. Re-sign tokens with current secret on validation
**Possible traps and issues**
- Rotation strategy must be documented
- Metrics needed to track secret usage
**Docs changes needed**
- Update `Docs/Backend-Development.md` § Session Management
**Doc references**
- `Docs/Backend-Development.md`
---
## [MEDIUM] No CORS configuration
**Where found**

10
backend/app/config.py
View File

@@ -120,11 +120,17 @@ class Settings(BaseSettings):
),
)
cors_allowed_origins: str | list[str] = Field(
default_factory=list,
default_factory=lambda: [
"http://localhost:5173",
"http://127.0.0.1:5173",
"https://localhost:5173",
"https://127.0.0.1:5173",
],
description=(
"Comma-separated list of allowed CORS origins when the frontend is "
"served from a different origin than the backend. "
"Leave empty to disable cross-origin requests in production."
"Defaults to common localhost development origins. "
"Override in production with the specific frontend domain."
),
)