[GH-ISSUE #724] Discussion: Serve in a subfolder #3477

New issue

Closed

opened 2026-03-14 23:06:48 +03:00 by kerem · 9 comments

kerem commented 2026-03-14 23:06:48 +03:00

Owner

Copy link

Originally created by @danisztls on GitHub (Apr 26, 2021).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/724

Current paths are:

mydomain/public/...
mydomain/private/...
mydomain/static/...

I suggest optionally having it under a subfolder to make it easier to put ArchiveBox under a reverse proxy like Nginx.

mydomain/archivebox/public/...
mydomain/archivebox/private/...
mydomain/archivebox/static/...

Is it feasable?

Originally created by @danisztls on GitHub (Apr 26, 2021). Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/724 Current paths are: ``` mydomain/public/... mydomain/private/... mydomain/static/... ``` I suggest optionally having it under a subfolder to make it easier to put ArchiveBox under a reverse proxy like Nginx. ``` mydomain/archivebox/public/... mydomain/archivebox/private/... mydomain/archivebox/static/... ``` Is it feasable?

kerem 2026-03-14 23:06:48 +03:00

• closed this issue
• added the
  touches: configuration
  size: hard
  why: security
  status: wontfix
  labels

kerem commented 2026-03-14 23:07:04 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Apr 27, 2021):

It's pretty difficult, but not impossible, there are a lot of /relative urls all over the codebase. A bunch are in the static html too, so it's hard to change them after-the-fact since they wouldn't be re-rendered after you reconfigure it automatically.

<!-- gh-comment-id:827974085 --> @pirate commented on GitHub (Apr 27, 2021): It's pretty difficult, but not impossible, there are a lot of `/relative` urls all over the codebase. A bunch are in the static html too, so it's hard to change them after-the-fact since they wouldn't be re-rendered after you reconfigure it automatically.

kerem commented 2026-03-14 23:07:10 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Apr 27, 2021):

Reopening because I do want to allow this to be done eventually when I have time, it just probably wont be done anytime soon.

<!-- gh-comment-id:828032588 --> @pirate commented on GitHub (Apr 27, 2021): Reopening because I do want to allow this to be done eventually when I have time, it just probably wont be done anytime soon.

kerem commented 2026-03-14 23:07:15 +03:00

Author

Owner

Copy link

@FraMecca commented on GitHub (Aug 18, 2021):

What about this:
https://ubuntu.com/blog/django-behind-a-proxy-fixing-absolute-urls

<!-- gh-comment-id:901203051 --> @FraMecca commented on GitHub (Aug 18, 2021): What about this: https://ubuntu.com/blog/django-behind-a-proxy-fixing-absolute-urls

kerem commented 2026-03-14 23:07:20 +03:00

Author

Owner

Copy link

@mhfowler commented on GitHub (Aug 18, 2021):

fwiw this would be helpful for the purpose of packaging archivebox as a yunohost package, something I've been working on. discussed here https://forum.yunohost.org/t/nginx-config-for-path/16887

<!-- gh-comment-id:901217195 --> @mhfowler commented on GitHub (Aug 18, 2021): fwiw this would be helpful for the purpose of packaging archivebox as a yunohost package, something I've been working on. discussed here https://forum.yunohost.org/t/nginx-config-for-path/16887

kerem commented 2026-03-14 23:07:25 +03:00

Author

Owner

Copy link

@ss89 commented on GitHub (Mar 12, 2022):

i'd also like to see this feature

<!-- gh-comment-id:1065898871 --> @ss89 commented on GitHub (Mar 12, 2022): i'd also like to see this feature

kerem commented 2026-03-14 23:07:30 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Mar 13, 2022):

Doing this breaks a surprising amount of things because of how relative paths are written statically to the filesystem in the index.json/html files. It's fixable with rewriting in a Django middleware but it's complicated and there are a lot of edge cases and it's still low on my personal priority list.

<!-- gh-comment-id:1066028025 --> @pirate commented on GitHub (Mar 13, 2022): Doing this breaks a surprising amount of things because of how relative paths are written statically to the filesystem in the index.json/html files. It's fixable with rewriting in a Django middleware but it's complicated and there are a lot of edge cases and it's still low on my personal priority list.

kerem commented 2026-03-14 23:07:35 +03:00

Author

Owner

Copy link

@hellodword commented on GitHub (Feb 28, 2023):

totally agree

<!-- gh-comment-id:1448115048 --> @hellodword commented on GitHub (Feb 28, 2023): totally agree

kerem commented 2026-03-14 23:07:40 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Feb 28, 2023):

I think I'm actually going to close this as wontfix because of the security issues. ArchiveBox really should only be hosted from a dedicated subdomain, because it's extremely risky to rehost archived JS on a domain shared with other sites. It breaks CORS / CSRF / CSP and many other web security mechanisms to have untrusted content and JS on a domain shared with other apps. It's already risky enough hosting the admin UI on the same domain as snapshot content, let alone exposing that risk to other apps.

It's the same reason why user-uploaded content is stored on xxx.googleusercontent.com instead of google.com, or raw.githubusercontent.com instead of github.com. Most big companies don't keep arbitrary untrusted web content on the same domain (even subdomain) as trusted application code. It's very hard to sanitize HTML/JS/CSS 100% perfectly, rather than take the risk they just quarantine it on a domain with no auth cookies. https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html

For more info see here: https://github.com/ArchiveBox/ArchiveBox/issues/239

<!-- gh-comment-id:1448573113 --> @pirate commented on GitHub (Feb 28, 2023): I think I'm actually going to close this as `wontfix` because of the security issues. ArchiveBox really should only be hosted from a dedicated subdomain, because it's extremely risky to rehost archived JS on a domain shared with other sites. It breaks CORS / CSRF / CSP and many other web security mechanisms to have untrusted content and JS on a domain shared with other apps. It's already risky enough hosting the admin UI on the same domain as snapshot content, let alone exposing that risk to other apps. It's the same reason why user-uploaded content is stored on `xxx.googleusercontent.com` instead of `google.com`, or `raw.githubusercontent.com` instead of `github.com`. Most big companies don't keep arbitrary untrusted web content on the same domain (even subdomain) as trusted application code. It's very hard to sanitize HTML/JS/CSS 100% perfectly, rather than take the risk they just quarantine it on a domain with no auth cookies. https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html For more info see here: https://github.com/ArchiveBox/ArchiveBox/issues/239

kerem commented 2026-03-14 23:07:45 +03:00

Author

Owner

Copy link

@sasasqt commented on GitHub (Aug 22, 2023):

well, if you insist, here is the nginx code that redirect yourdomain/archivebox/ to 127.0.0.1:8000

http {
    map "$http_referer$request_method" $archivebox_post {
        default 0;
        "~.*/archivebox/.*POST" 1;
    }
    map "$http_referer$request_method" $archivebox_get {
        default 0;
        "~.*/archivebox/.*GET" 1;
    }
    server {
        location / {
            root   html;
            index  index.html index.htm;
            if ($archivebox_post) {
                return 307 /archivebox/$request_uri;
            }
            if ($archivebox_get) {
                return 301 /archivebox/$request_uri;
            }
        }
        location /archivebox {
            return 302 /archivebox/;
        }
        location /archivebox/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect / /archivebox/;
            proxy_pass http://127.0.0.1:8000/;
        }
    }
}

<!-- gh-comment-id:1688647925 --> @sasasqt commented on GitHub (Aug 22, 2023): well, if you insist, here is the nginx code that redirect yourdomain/archivebox/ to 127.0.0.1:8000 ``` http { map "$http_referer$request_method" $archivebox_post { default 0; "~.*/archivebox/.*POST" 1; } map "$http_referer$request_method" $archivebox_get { default 0; "~.*/archivebox/.*GET" 1; } server { location / { root html; index index.html index.htm; if ($archivebox_post) { return 307 /archivebox/$request_uri; } if ($archivebox_get) { return 301 /archivebox/$request_uri; } } location /archivebox { return 302 /archivebox/; } location /archivebox/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_redirect / /archivebox/; proxy_pass http://127.0.0.1:8000/; } } } ```

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

main

abx-dl-refactor

claude/issue-1688-20251229-2233

claude/s3-support-migration-JZQcf

claude/review-snapshot-archive-RJOkr

claude/review-code-quality-macdO

claude/reduce-chrome-duplication-JgWVr

fix/chrome-args-comma-parsing

claude/issue-668-20251229-2145

claude/issue-1664-20251229-2236

v086

claude/improve-test-suite-xm6Bh

claude/typescript-archivebox-rewrite-011CUmPyEmECnkXwyHRT9RPF

claude/archivebox-schema-orm-comparison-011CUn26GurEpLiBUq4zjVLJ

stable

logfire

plugins-browsertrix

v072

link-removal2

v0.8.6rc1

v0.7.3

v0.8.6rc0

v0.8.5rc53

v0.8.5rc51

v0.8.5rc50

v0.8.5rc49

v0.8.5rc48

v0.8.5rc47

v0.8.5rc46

v0.8.5rc45

v0.8.5rc44

v0.8.5rc43

v0.8.5rc42

v0.8.5rc41

v0.8.5rc40

v0.8.5rc39

v0.8.5rc38

v0.8.5rc37

v0.8.5rc36

v0.8.5rc35

v0.8.5rc34

v0.8.5rc33

v0.8.5rc32

v0.8.5rc31

v0.8.5rc30

v0.8.5rc29

v0.8.5rc28

v0.8.5rc27

v0.8.5rc26

v0.8.5rc25

v0.8.5rc24

v0.8.5rc23

v0.8.5rc22

v0.8.5rc13

v0.8.5rc12

v0.8.5rc11

v0.8.5rc10

v0.8.5rc9

v0.8.5rc8

v0.8.5rc6

v0.8.5rc5

v0.8.5rc4

v0.8.5rc3

v0.8.5rc2

v0.8.5-rc

v0.8.4-rc

v0.8.3-rc

v0.8.2-rc

v0.8.0-rc

v0.7.2

v0.7.1

v0.7.0

v0.6.2

v0.6.0

v0.5.6

v0.5.4

v0.5.3

v0.4.24

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.9

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.0

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

expected: maybe someday

  

expected: next release

  

expected: release after next

  

expected: unlikely unless contributed

  

good first ticket

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

scope: all users

  

scope: windows users

  

size: easy

  

size: hard

  

size: medium

  

size: medium

  

status: backlog

  

status: blocked

  

status: done

  

status: idea-phase

  

status: needs followup

  

status: wip

  

status: wontfix

  

touches: API/CLI/Spec

  

touches: configuration

  

touches: data/schema/architecture

  

touches: dependencies/packaging

  

touches: docs

  

touches: js

  

touches: views/replayers/html/css

  

why: correctness

  

why: functionality

  

why: performance

  

why: security

No labels

expected: maybe someday

expected: next release

expected: release after next

expected: unlikely unless contributed

good first ticket

help wanted

pull-request

scope: all users

scope: windows users

size: easy

size: hard

size: medium

size: medium

status: backlog

status: blocked

status: done

status: idea-phase

status: needs followup

status: wip

status: wontfix

touches: API/CLI/Spec

touches: configuration

touches: data/schema/architecture

touches: dependencies/packaging

touches: docs

touches: js

touches: views/replayers/html/css

why: correctness

why: functionality

why: performance

why: security

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ArchiveBox#3477

No description provided.