From fdb5b4e82dcbb266e99f5ef1e3346b38a93910ac Mon Sep 17 00:00:00 2001 From: Aidan Coyle Date: Mon, 5 Jan 2026 02:25:54 -0600 Subject: [PATCH] Remove absolute URIs from settings page (#1261) * Remove absolute URIs from admin page The rest of the links on this page are absolute paths without a specified hostname, but these in particlar use build_absolute_uri. I am running linkding behind two different load balancers which makes these links bubble up the "internal" hostname instead of the hostname I actually got to the page from. * Add LD_USE_X_FORWARDED_HOST See: https://docs.djangoproject.com/en/6.0/ref/settings/#std-setting-USE_X_FORWARDED_HOST --- bookmarks/settings/base.py | 10 ++++++++++ .../tests/test_settings_integrations_view.py | 8 ++++---- bookmarks/views/settings.py | 17 +++++------------ docs/src/content/docs/options.md | 8 ++++++++ 4 files changed, 27 insertions(+), 16 deletions(-) diff --git a/bookmarks/settings/base.py b/bookmarks/settings/base.py index 53993b4..44f8813 100644 --- a/bookmarks/settings/base.py +++ b/bookmarks/settings/base.py @@ -217,6 +217,16 @@ if LD_ENABLE_AUTH_PROXY: if LD_AUTH_PROXY_LOGOUT_URL: LOGOUT_REDIRECT_URL = LD_AUTH_PROXY_LOGOUT_URL +LD_USE_X_FORWARDED_HOST = os.getenv("LD_USE_X_FORWARDED_HOST", False) in ( + True, + "True", + "true", + "1", +) + +if LD_USE_X_FORWARDED_HOST: + USE_X_FORWARDED_HOST = LD_USE_X_FORWARDED_HOST + # CSRF trusted origins trusted_origins = os.getenv("LD_CSRF_TRUSTED_ORIGINS", "") if trusted_origins: diff --git a/bookmarks/tests/test_settings_integrations_view.py b/bookmarks/tests/test_settings_integrations_view.py index 11fe90e..7fdb6cf 100644 --- a/bookmarks/tests/test_settings_integrations_view.py +++ b/bookmarks/tests/test_settings_integrations_view.py 
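Review bot: With `USE_X_FORWARDED_HOST` switched on in `bookmarks/settings/base.py`, Django takes the request host from `X-Forwarded-Host`, a header any client can send unless the proxy in front strips or overwrites it, and nothing next to the new setting says so. Host validation against `ALLOWED_HOSTS` still runs on the forwarded value, so the option is only as tight as that list; it is defined outside this hunk and should be confirmed not to be a wildcard for deployments that enable this. I would add a comment above the assignment such as `# Trust X-Forwarded-Host only behind a proxy that overwrites it; the header is client-controlled otherwise and feeds every absolute URL Django builds.` The `if LD_USE_X_FORWARDED_HOST:` guard also looks redundant, since `USE_X_FORWARDED_HOST = LD_USE_X_FORWARDED_HOST` gives the same result given Django's default of `False`.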
@@ -133,18 +133,18 @@ class SettingsIntegrationsViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestM token = FeedToken.objects.first() self.assertInHTML( - f'All bookmarks', + f'All bookmarks', html, ) self.assertInHTML( - f'Unread bookmarks', + f'Unread bookmarks', html, ) self.assertInHTML( - f'Shared bookmarks', + f'Shared bookmarks', html, ) self.assertInHTML( - 'Public shared bookmarks', + 'Public shared bookmarks', html, ) diff --git a/bookmarks/views/settings.py b/bookmarks/views/settings.py index bfdf083..ff096de 100644 --- a/bookmarks/views/settings.py +++ b/bookmarks/views/settings.py @@ -176,18 +176,11 @@ def integrations(request): ) feed_token = FeedToken.objects.get_or_create(user=request.user)[0] - all_feed_url = request.build_absolute_uri( - reverse("linkding:feeds.all", args=[feed_token.key]) - ) - unread_feed_url = request.build_absolute_uri( - reverse("linkding:feeds.unread", args=[feed_token.key]) - ) - shared_feed_url = request.build_absolute_uri( - reverse("linkding:feeds.shared", args=[feed_token.key]) - ) - public_shared_feed_url = request.build_absolute_uri( - reverse("linkding:feeds.public_shared") - ) + + all_feed_url = reverse("linkding:feeds.all", args=[feed_token.key]) + unread_feed_url = reverse("linkding:feeds.unread", args=[feed_token.key]) + shared_feed_url = reverse("linkding:feeds.shared", args=[feed_token.key]) + public_shared_feed_url = reverse("linkding:feeds.public_shared") return render( request, diff --git a/docs/src/content/docs/options.md b/docs/src/content/docs/options.md index df10b53..f1e4bda 100644 --- a/docs/src/content/docs/options.md +++ b/docs/src/content/docs/options.md 
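Review bot: The four feed URLs in `integrations()` are now host-relative paths, and three of them carry `feed_token.key`, so any place in the template that shows them as copyable text rather than as an `href` would give users a path a feed reader cannot use. The template is outside this diff, so that needs checking. Dropping `request.build_absolute_uri()` also stops these token-bearing links from echoing whatever host the request claimed, which is worth recording in a comment, e.g. `# Host-relative on purpose: the browser resolves these against the page origin, so a proxy-internal or spoofed Host never ends up in a feed link.` The function starts before and continues after this hunk.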
@@ -194,6 +194,14 @@ Multiple origins can be specified by separating them with a comma (`,`). This setting is adopted from the Django framework used by linkding, more information on the setting is available in the [Django documentation](https://docs.djangoproject.com/en/4.0/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS). +### `LD_USE_X_FORWARDED_HOST` + +Values: `true` or `false` | Default = `false` + +If enabled the server will trust the `X-Forwarded-Host` header over the `Host` header to determine the hostname of the server. This should only be enabled if a proxy which sets this header is in use. + +This setting is adopted from the Django framework used by linkding, more information on the setting is available in the [Django documentation](https://docs.djangoproject.com/en/6.0/ref/settings/#std-setting-USE_X_FORWARDED_HOST) + ### `LD_LOG_X_FORWARDED_FOR` Values: `true` or `false` | Default = `false`