Configurable CORS via ZMB_CORS_ORIGINS + dynamic frontend URL

- main.py: CORS origins from ZMB_CORS_ORIGINS (comma-separated), default "*"
- allow_credentials automatically active for concrete origins, off for "*"
- Root endpoint returns the frontend URL dynamically via request.base_url
- no more hard-coded IPs in the application code
- Docs added to CLAUDE.md and the systemd unit

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -343,7 +343,7 @@ Useful on weak hardware: ISR pre-computes static pages on rebuild, serving cache
|
||||
2. **User Persistence**: System users (Linux) and Samba users are stored on disk and survive application updates. No user re-creation needed on redeployment.
|
||||
3. **ZFS Commands**: Require root or proper sudo configuration. Test with `sudo zpool list`.
|
||||
4. **Frontend Build on Pi**: Node.js build is slow on ARM64 (4-10 min). Build on x86 and copy instead.
|
||||
5. **CORS in Production**: Default allows all origins (`["*"]`). Change in `main.py` before exposing.
|
||||
5. **CORS in Production**: Configurable via the `ZMB_CORS_ORIGINS` environment variable (comma-separated list of allowed origins). Defaults to `["*"]` when unset (development). Set specific origins before exposing, e.g. `ZMB_CORS_ORIGINS=https://<host>:8090`. Note: when concrete origins are set, `allow_credentials` is automatically enabled; with the `"*"` wildcard it is disabled (CORS spec forbids combining the two). Configure it in the systemd unit (`deploy/zfs-manager-backend.service`).
|
||||
6. **Static Export Mode**: Cannot use dynamic API routes in Next.js. All data fetched client-side.
|
||||
7. **Port 8090**: Default for ZMB Webui (HTTPS via nginx). Adjust in nginx/systemd if needed.
|
||||
|
||||
|
||||
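Review bot: The new item 5 presents the `["*"]` fallback for an unset `ZMB_CORS_ORIGINS` as a development default, but it never tells the operator that a production unit missing the variable silently stays open to all origins. Suggest saying that explicitly and having `deploy/zfs-manager-backend.service` ship with a concrete value or a commented placeholder, so the restrictive setting is the one people copy. Since `allow_credentials` switches on as soon as concrete origins are set, the text should also say that every listed origin is trusted with credentialed requests, and document whether entries are whitespace-trimmed and must match scheme, host and port exactly, as in the `https://<host>:8090` example.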