Remove absolute URIs from settings page (#1261)

* Remove absolute URIs from admin page The rest of the links on this page are absolute paths without a specified hostname, but these in particlar use build_absolute_uri. I am running linkding behind two different load balancers which makes these links bubble up the "internal" hostname instead of the hostname I actually got to the page from. * Add LD_USE_X_FORWARDED_HOST See: https://docs.djangoproject.com/en/6.0/ref/settings/#std-setting-USE_X_FORWARDED_HOST
2026-02-27 22:43:15 +08:00 · 2026-01-05 02:25:54 -06:00
parent 50180c9684
commit fdb5b4e82d
4 changed files with 27 additions and 16 deletions
--- a/bookmarks/settings/base.py
+++ b/bookmarks/settings/base.py
@@ -217,6 +217,16 @@ if LD_ENABLE_AUTH_PROXY:
    if LD_AUTH_PROXY_LOGOUT_URL:
        LOGOUT_REDIRECT_URL = LD_AUTH_PROXY_LOGOUT_URL

+LD_USE_X_FORWARDED_HOST = os.getenv("LD_USE_X_FORWARDED_HOST", False) in (
+    True,
+    "True",
+    "true",
+    "1",
+)
+
+if LD_USE_X_FORWARDED_HOST:
+    USE_X_FORWARDED_HOST = LD_USE_X_FORWARDED_HOST
+
 # CSRF trusted origins
 trusted_origins = os.getenv("LD_CSRF_TRUSTED_ORIGINS", "")
 if trusted_origins:
--- a/bookmarks/tests/test_settings_integrations_view.py
+++ b/bookmarks/tests/test_settings_integrations_view.py
@@ -133,18 +133,18 @@ class SettingsIntegrationsViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestM

        token = FeedToken.objects.first()
        self.assertInHTML(
-            f'<a target="_blank" href="http://testserver/feeds/{token.key}/all">All bookmarks</a>',
+            f'<a target="_blank" href="/feeds/{token.key}/all">All bookmarks</a>',
            html,
        )
        self.assertInHTML(
-            f'<a target="_blank" href="http://testserver/feeds/{token.key}/unread">Unread bookmarks</a>',
+            f'<a target="_blank" href="/feeds/{token.key}/unread">Unread bookmarks</a>',
            html,
        )
        self.assertInHTML(
-            f'<a target="_blank" href="http://testserver/feeds/{token.key}/shared">Shared bookmarks</a>',
+            f'<a target="_blank" href="/feeds/{token.key}/shared">Shared bookmarks</a>',
            html,
        )
        self.assertInHTML(
-            '<a target="_blank" href="http://testserver/feeds/shared">Public shared bookmarks</a>',
+            '<a target="_blank" href="/feeds/shared">Public shared bookmarks</a>',
            html,
        )
--- a/bookmarks/views/settings.py
+++ b/bookmarks/views/settings.py
@@ -176,18 +176,11 @@ def integrations(request):
    )

    feed_token = FeedToken.objects.get_or_create(user=request.user)[0]
-    all_feed_url = request.build_absolute_uri(
-        reverse("linkding:feeds.all", args=[feed_token.key])
-    )
-    unread_feed_url = request.build_absolute_uri(
-        reverse("linkding:feeds.unread", args=[feed_token.key])
-    )
-    shared_feed_url = request.build_absolute_uri(
-        reverse("linkding:feeds.shared", args=[feed_token.key])
-    )
-    public_shared_feed_url = request.build_absolute_uri(
-        reverse("linkding:feeds.public_shared")
-    )
+
+    all_feed_url = reverse("linkding:feeds.all", args=[feed_token.key])
+    unread_feed_url = reverse("linkding:feeds.unread", args=[feed_token.key])
+    shared_feed_url = reverse("linkding:feeds.shared", args=[feed_token.key])
+    public_shared_feed_url = reverse("linkding:feeds.public_shared")

    return render(
        request,
--- a/docs/src/content/docs/options.md
+++ b/docs/src/content/docs/options.md
@@ -194,6 +194,14 @@ Multiple origins can be specified by separating them with a comma (`,`).

 This setting is adopted from the Django framework used by linkding, more information on the setting is available in the [Django documentation](https://docs.djangoproject.com/en/4.0/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS).

+### `LD_USE_X_FORWARDED_HOST`
+
+Values: `true` or `false` | Default =  `false`
+
+If enabled the server will trust the `X-Forwarded-Host` header over the `Host` header to determine the hostname of the server. This should only be enabled if a proxy which sets this header is in use.
+
+This setting is adopted from the Django framework used by linkding, more information on the setting is available in the [Django documentation](https://docs.djangoproject.com/en/6.0/ref/settings/#std-setting-USE_X_FORWARDED_HOST)
+
 ### `LD_LOG_X_FORWARDED_FOR`

 Values: `true` or `false` | Default =  `false`