[GH-ISSUE #1796] [v7.0.y] Error 500 "Untrusted Host" until setting APP_URL #995

New issue

Closed

opened 2026-02-26 02:34:52 +03:00 by kerem · 15 comments

kerem commented 2026-02-26 02:34:52 +03:00

Owner

Copy link

Originally created by @MichaIng on GitHub (Jul 16, 2024).
Original GitHub issue: https://github.com/koel/koel/issues/1796

Describe the bug
Prior to Koel v7.0.0, it was not needed to set APP_URL to access the web interface. Since v7.0.0 (just tested also with v7.0.6), if the host in APP_URL does not match the host of the client (protocol/scheme and port do not matter), the access fails with this exception:

Click to expend

Illuminate\View\ViewException:
Untrusted Host "192.168.1.24". (View: /mnt/dietpi_userdata/koel/resources/views/index.blade.php)

  at /mnt/dietpi_userdata/koel/vendor/symfony/http-foundation/Request.php:1174
  at Illuminate\View\Engines\CompilerEngine->handleViewException()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Engines/PhpEngine.php:60)
  at Illuminate\View\Engines\PhpEngine->evaluatePath()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Engines/CompilerEngine.php:72)
  at Illuminate\View\Engines\CompilerEngine->get()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:207)
  at Illuminate\View\View->getContents()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:190)
  at Illuminate\View\View->renderContents()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:159)
  at Illuminate\View\View->render()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Response.php:69)
  at Illuminate\Http\Response->setContent()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Response.php:35)
  at Illuminate\Http\Response->__construct()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:918)
  at Illuminate\Routing\Router::toResponse()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:885)
  at Illuminate\Routing\Router->prepareResponse()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:805)
  at Illuminate\Routing\Router->Illuminate\Routing\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:144)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php:50)
  at Illuminate\Routing\Middleware\SubstituteBindings->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:78)
  at Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php:49)
  at Illuminate\View\Middleware\ShareErrorsFromSession->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:121)
  at Illuminate\Session\Middleware\StartSession->handleStatefulRequest()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:64)
  at Illuminate\Session\Middleware\StartSession->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php:37)
  at Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php:67)
  at Illuminate\Cookie\Middleware\EncryptCookies->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:119)
  at Illuminate\Pipeline\Pipeline->then()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:805)
  at Illuminate\Routing\Router->runRouteWithinStack()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:784)
  at Illuminate\Routing\Router->runRoute()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:748)
  at Illuminate\Routing\Router->dispatchToRoute()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:737)
  at Illuminate\Routing\Router->dispatch()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:200)
  at Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:144)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustHosts.php:48)
  at Illuminate\Http\Middleware\TrustHosts->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/app/Http/Middleware/ForceHttps.php:28)
  at App\Http\Middleware\ForceHttps->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php:21)
  at Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php:40)
  at Illuminate\Foundation\Http\Middleware\TrimStrings->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php:27)
  at Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php:99)
  at Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183)
  at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:119)
  at Illuminate\Pipeline\Pipeline->then()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:175)
  at Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter()
     (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:144)
  at Illuminate\Foundation\Http\Kernel->handle()
     (/mnt/dietpi_userdata/koel/public/index.php:56)
  at require_once('/mnt/dietpi_userdata/koel/public/index.php')
     (/mnt/dietpi_userdata/koel/server.php:19)     

I guess it is not even related to a change in Koel itself, but probably a change in Laravel, in whether/how trusted hosts are checked based on APP_URL. Either replacing localhost with the IP or hostname you use solves it, or switching to forced HTTPS. When doing the latter, the middleware adds the client host to the list of trusted hosts automatically, basically disabling the Laravel trusted host feature: https://github.com/koel/koel/blob/master/app/Http/Middleware/ForceHttps.php

The problem with APP_URL is that it allows to set a single host only, while often multiple hostnames and IPs need to be accepted, especially when running Koel behind a proxy, or just for CLI vs LAN access etc. I guess there is a way to pass a list of multiple trusted hosts, probably even a native Laravel environment variable. I know this from other software like Nextcloud, where one can define a list, including * as wildcard.

And not everyone can or wants to use HTTPS immediately, especially when aiming to setup Koel within LAN first, aiming to access via proxy, open port, public hostname etc later, or when it is just for development/testing purpose.

To reproduce
Steps to reproduce the behavior:

1. Install Koel with pre-compiled archive: https://docs.koel.dev/guide/getting-started#using-a-pre-compiled-archive
2. Use .env.example and configure the database (MariaDB) only
3. Try to access the web interface from a browser on another machine within the same LAN
4. See HTTP error 500 "Untrusted Host"
5. Replace localhost in APP_URL with IP or hostname used to access from the browser
6. Reload web UI
7. Login is now possible, but several UI elements missing, but probably both issues are somehow related, I'll create a separate issue in case.

Expected behavior
Login should at best work by default. Alternatively, there should be a documented way to configure multiple trusted hosts for Koel.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment

• Koel version v7.0.0 - v7.0.6
• OS: Debian Bookworm
• Browser Opera (Chromium) and others
• PHP version v8.2
• Node version not installed as pre-compiled archive was used

Additional context
Probably the aim with this PR was somehow addressed again? #1706
But I could not find a related change, hence my guess that it has to do with the Laravel update.

Originally created by @MichaIng on GitHub (Jul 16, 2024). Original GitHub issue: https://github.com/koel/koel/issues/1796 **Describe the bug** Prior to Koel v7.0.0, it was not needed to set `APP_URL` to access the web interface. Since v7.0.0 (just tested also with v7.0.6), if the host in `APP_URL` does not match the host of the client (protocol/scheme and port do not matter), the access fails with this exception: <details> <summary>Click to expend</summary> ``` Illuminate\View\ViewException: Untrusted Host "192.168.1.24". (View: /mnt/dietpi_userdata/koel/resources/views/index.blade.php) at /mnt/dietpi_userdata/koel/vendor/symfony/http-foundation/Request.php:1174 at Illuminate\View\Engines\CompilerEngine->handleViewException() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Engines/PhpEngine.php:60) at Illuminate\View\Engines\PhpEngine->evaluatePath() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Engines/CompilerEngine.php:72) at Illuminate\View\Engines\CompilerEngine->get() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:207) at Illuminate\View\View->getContents() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:190) at Illuminate\View\View->renderContents() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/View.php:159) at Illuminate\View\View->render() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Response.php:69) at Illuminate\Http\Response->setContent() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Response.php:35) at Illuminate\Http\Response->__construct() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:918) at Illuminate\Routing\Router::toResponse() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:885) at Illuminate\Routing\Router->prepareResponse() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:805) at Illuminate\Routing\Router->Illuminate\Routing\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:144) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php:50) at Illuminate\Routing\Middleware\SubstituteBindings->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:78) at Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php:49) at Illuminate\View\Middleware\ShareErrorsFromSession->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:121) at Illuminate\Session\Middleware\StartSession->handleStatefulRequest() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:64) at Illuminate\Session\Middleware\StartSession->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php:37) at Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php:67) at Illuminate\Cookie\Middleware\EncryptCookies->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:119) at Illuminate\Pipeline\Pipeline->then() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:805) at Illuminate\Routing\Router->runRouteWithinStack() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:784) at Illuminate\Routing\Router->runRoute() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:748) at Illuminate\Routing\Router->dispatchToRoute() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Routing/Router.php:737) at Illuminate\Routing\Router->dispatch() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:200) at Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:144) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustHosts.php:48) at Illuminate\Http\Middleware\TrustHosts->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/app/Http/Middleware/ForceHttps.php:28) at App\Http\Middleware\ForceHttps->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php:21) at Illuminate\Foundation\Http\Middleware\TransformsRequest->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php:40) at Illuminate\Foundation\Http\Middleware\TrimStrings->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php:27) at Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php:99) at Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:183) at Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:119) at Illuminate\Pipeline\Pipeline->then() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:175) at Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter() (/mnt/dietpi_userdata/koel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:144) at Illuminate\Foundation\Http\Kernel->handle() (/mnt/dietpi_userdata/koel/public/index.php:56) at require_once('/mnt/dietpi_userdata/koel/public/index.php') (/mnt/dietpi_userdata/koel/server.php:19) ``` </details> I guess it is not even related to a change in Koel itself, but probably a change in Laravel, in whether/how trusted hosts are checked based on `APP_URL`. Either replacing `localhost` with the IP or hostname you use solves it, or switching to forced HTTPS. When doing the latter, the middleware adds the client host to the list of trusted hosts automatically, basically disabling the Laravel trusted host feature: https://github.com/koel/koel/blob/master/app/Http/Middleware/ForceHttps.php The problem with `APP_URL` is that it allows to set a single host only, while often multiple hostnames and IPs need to be accepted, especially when running Koel behind a proxy, or just for CLI vs LAN access etc. I guess there is a way to pass a list of multiple trusted hosts, probably even a native Laravel environment variable. I know this from other software like Nextcloud, where one can define a list, including `*` as wildcard. And not everyone can or wants to use HTTPS immediately, especially when aiming to setup Koel within LAN first, aiming to access via proxy, open port, public hostname etc later, or when it is just for development/testing purpose. **To reproduce** Steps to reproduce the behavior: 1. Install Koel with pre-compiled archive: https://docs.koel.dev/guide/getting-started#using-a-pre-compiled-archive 2. Use `.env.example` and configure the database (MariaDB) only 3. Try to access the web interface from a browser on another machine within the same LAN 4. See HTTP error 500 "Untrusted Host" 5. Replace `localhost` in `APP_URL` with IP or hostname used to access from the browser 6. Reload web UI 7. Login is now possible, _but several UI elements missing, but probably both issues are somehow related, I'll create a separate issue in case._ **Expected behavior** Login should at best work by default. Alternatively, there should be a documented way to configure multiple trusted hosts for Koel. **Screenshots** If applicable, add screenshots to help explain your problem. **Environment** - Koel version v7.0.0 - v7.0.6 - OS: Debian Bookworm - Browser Opera (Chromium) and others - PHP version v8.2 - Node version not installed as pre-compiled archive was used **Additional context** Probably the aim with this PR was somehow addressed again? #1706 But I could not find a related change, hence my guess that it has to do with the Laravel update.

kerem closed this issue 2026-02-26 02:34:52 +03:00

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

What's your suggestion? This is a change from Laravel, something beyond Koel's control.

<!-- gh-comment-id:2231543870 --> @phanan commented on GitHub (Jul 16, 2024): What's your suggestion? This is a change from Laravel, something beyond Koel's control.

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

@MichaIng I found this in Laravel 10.x doc (Koel's version): https://laravel.com/docs/10.x/requests#configuring-trusted-hosts. Does it fix the issue?

<!-- gh-comment-id:2231578326 --> @phanan commented on GitHub (Jul 16, 2024): @MichaIng I found this in Laravel 10.x doc (Koel's version): https://laravel.com/docs/10.x/requests#configuring-trusted-hosts. Does it fix the issue?

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

As yes, that is it. Interesting that is says it is disabled/commented by default. In Koel it is enabled by default since this commit, which is the issue.

Adding the correct host/IP to the array in app/Http/Middleware/TrustHosts.php solves the issue, and to disable it, one can comment the $this->allSubdomainsOfApplicationUrl(), line in app/Http/Middleware/TrustHosts.php, to return an empty array. This class is imported across a bunch of other scripts, like the one to enforce HTTPS, so it cannot be easily removed completely, and it is a good idea to have it easily available anyway.

I wonder whether there is a way to define an array config key in .env, and add that one to app/Http/Middleware/TrustHosts.php instead. It could then be empty by default, so that all hosts are accepted, but users can easily configure it.

Indeed this works:

class TrustHosts extends IlluminateTrustHost
{
    /**
     * @return array<int, string>
     */
    public function hosts(): array
    {
        return explode(',', env('TRUSTED_HOSTS'));
    }
}

Now I can define TRUSTED_HOSTS in .env. If it is not defined or empty, access works regardless which host is used. If defined as comma-separated list of hosts, it works with those, and no other, e.g.:

TRUSTED_HOSTS=localhost,192.168.1.24

Nowadays, configs should be accessed differently, but requires another change then: https://stackoverflow.com/a/42393294

<!-- gh-comment-id:2231725725 --> @MichaIng commented on GitHub (Jul 16, 2024): As yes, that is it. Interesting that is says it is disabled/commented by default. In Koel it is enabled by default since [this commit](https://github.com/koel/koel/commit/e969549), which is the issue. Adding the correct host/IP to the array in `app/Http/Middleware/TrustHosts.php` solves the issue, and to disable it, one can comment the `$this->allSubdomainsOfApplicationUrl(),` line in `app/Http/Middleware/TrustHosts.php`, to return an empty array. This class is imported across a bunch of other scripts, like the one to enforce HTTPS, so it cannot be easily removed completely, and it is a good idea to have it easily available anyway. I wonder whether there is a way to define an array config key in `.env`, and add that one to `app/Http/Middleware/TrustHosts.php` instead. It could then be empty by default, so that all hosts are accepted, but users can easily configure it. Indeed this works: ```php class TrustHosts extends IlluminateTrustHost { /** * @return array<int, string> */ public function hosts(): array { return explode(',', env('TRUSTED_HOSTS')); } } ``` Now I can define `TRUSTED_HOSTS` in `.env`. If it is not defined or empty, access works regardless which host is used. If defined as comma-separated list of hosts, it works with those, and no other, e.g.: ```sh TRUSTED_HOSTS=localhost,192.168.1.24 ``` Nowadays, configs should be accessed differently, but requires another change then: https://stackoverflow.com/a/42393294

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

We can go with.env, exactly like how you suggested:

#.env
TRUSTED_HOSTS=localhost,192.168.1.24

// config/app.php
return [
    // ...
    'trusted_hosts' => explode(',', env('TRUSTED_HOSTS', '')),
    // ...
];

class TrustHosts extends IlluminateTrustHost 
{
    public function hosts(): array
    {
        return config('app.trusted_hosts');
    }
}

Would you want to work on a PR?

<!-- gh-comment-id:2231745659 --> @phanan commented on GitHub (Jul 16, 2024): We can go with`.env`, exactly like how you suggested: ``` #.env TRUSTED_HOSTS=localhost,192.168.1.24 ``` ```php // config/app.php return [ // ... 'trusted_hosts' => explode(',', env('TRUSTED_HOSTS', '')), // ... ]; ``` ```php class TrustHosts extends IlluminateTrustHost { public function hosts(): array { return config('app.trusted_hosts'); } } ``` Would you want to work on a PR?

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

This won't work: If APP_URL is defined, only the hostname defined in it (and all its sub domains) will be accepted. That way the list can be expanded, but by default access will still fail. I would suggest to have things working by default, and use trusted hosts entirely as optional feature, as intended by Laravel.

<!-- gh-comment-id:2231749070 --> @MichaIng commented on GitHub (Jul 16, 2024): This won't work: If `APP_URL` is defined, only the hostname defined in it (and all its sub domains) will be accepted. That way the list can be expanded, but by default access will still fail. I would suggest to have things working by default, and use trusted hosts entirely as optional feature, as intended by Laravel.

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

You're right, this should be opt-in, not opt-out. How about the edited version?

<!-- gh-comment-id:2231751139 --> @phanan commented on GitHub (Jul 16, 2024): You're right, this should be opt-in, not opt-out. How about the edited version?

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

Let me quickly test it, but that should work. Good to use the config this way with config() as intended 👍.

<!-- gh-comment-id:2231752899 --> @MichaIng commented on GitHub (Jul 16, 2024): Let me quickly test it, but that should work. Good to use the config this way with `config()` as intended 👍.

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

Works perfectly fine, also with all variants: undefined, defined as empty string, containing the used host, not containing the used host (then access fails as intended).

EDIT: Btw, the issue with missing GUI elements I noted OP has been solved with one of the recent releases. Was there until v7.0.2, IIRC, but forgot to test this with the latest version.

<!-- gh-comment-id:2231759112 --> @MichaIng commented on GitHub (Jul 16, 2024): Works perfectly fine, also with all variants: undefined, defined as empty string, containing the used host, not containing the used host (then access fails as intended). _EDIT: Btw, the issue with missing GUI elements I noted OP has been solved with one of the recent releases. Was there until v7.0.2, IIRC, but forgot to test this with the latest version._

kerem commented 2026-02-26 02:34:52 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

Great! Care to send the PR over?

<!-- gh-comment-id:2231768135 --> @phanan commented on GitHub (Jul 16, 2024): Great! Care to send the PR over?

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

Will do so. But probably tomorrow, as it is already late at night here 😴.

<!-- gh-comment-id:2231770530 --> @MichaIng commented on GitHub (Jul 16, 2024): Will do so. But probably tomorrow, as it is already late at night here 😴.

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 16, 2024):

Of course. When you do, please tag me.

<!-- gh-comment-id:2231771934 --> @phanan commented on GitHub (Jul 16, 2024): Of course. When you do, please tag me.

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 16, 2024):

PR is up: #1797
My concentration was still enough, hopefully error-free 😄. Will test it again tomorrow with this exact diff.

<!-- gh-comment-id:2231816980 --> @MichaIng commented on GitHub (Jul 16, 2024): PR is up: #1797 My concentration was still enough, hopefully error-free 😄. Will test it again tomorrow with this exact diff.

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 17, 2024):

Released in v7.0.8. Thanks for reporting and fixing.
Btw @MichaIng Where should I discuss this remark?

<!-- gh-comment-id:2232659892 --> @phanan commented on GitHub (Jul 17, 2024): Released in [v7.0.8](https://github.com/koel/koel/releases/tag/v7.0.8). Thanks for reporting and fixing. Btw @MichaIng Where should I discuss this remark? 

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@MichaIng commented on GitHub (Jul 17, 2024):

🙈 No need to discuss, I'll remove this pros/cons. It is from several years ago, not done by me, and I am no fans or such pros/cons anyway, which are based on things which change, personal opinion or things which cannot be easily compared. If someone writes a blog post after comparing a bunch of web UI music streamers, with particular timestamp and transparent author, fine. But on an overview page like this it has no place. The "bulky" installation note e.g. might be from a time where Node.js was installed and frontend compiled, while we use the pre-compiled archive now. Since the builtin webserver is used, its base installation is even lighter than most other PHP applications we have install options for, while of course a webserver or proxy in front of it still makes sense, especially when running more web UI apps in the system.

<!-- gh-comment-id:2233199643 --> @MichaIng commented on GitHub (Jul 17, 2024): 🙈 No need to discuss, I'll remove this pros/cons. It is from several years ago, not done by me, and I am no fans or such pros/cons anyway, which are based on things which change, personal opinion or things which cannot be easily compared. If someone writes a blog post after comparing a bunch of web UI music streamers, with particular timestamp and transparent author, fine. But on an overview page like this it has no place. The "bulky" installation note e.g. might be from a time where Node.js was installed and frontend compiled, while we use the pre-compiled archive now. Since the builtin webserver is used, its base installation is even lighter than most other PHP applications we have install options for, while of course a webserver or proxy in front of it still makes sense, especially when running more web UI apps in the system.

kerem commented 2026-02-26 02:34:53 +03:00

Author

Owner

Copy link

@phanan commented on GitHub (Jul 17, 2024):

Amazing, thanks a lot @MichaIng!

<!-- gh-comment-id:2233207736 --> @phanan commented on GitHub (Jul 17, 2024): Amazing, thanks a lot @MichaIng!

kerem referenced this issue 2026-02-26 03:31:16 +03:00

[PR #994] [CLOSED] Bump laravel/framework from 5.7.28 to 5.8.22 #1505

kerem referenced this issue 2026-02-26 03:31:16 +03:00

[PR #995] [MERGED] Apply fixes from StyleCI #1506

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/composer/phpunit/phpunit-12.5.22

dependabot/npm_and_yarn/dompurify-3.4.0

dependabot/npm_and_yarn/vite-plus-0.1.17

dependabot/composer/phpseclib/phpseclib-3.0.51

release

1889-duplicate-upload-detection

test/home-screen-empty-to-content

fix/exclude-songless-albums-from-recently-added

refactor/laravel-prompts

fix/wma-cover-art-exception

fix/remove-redundant-seed-step

chore/upgrade-laravel-13

chore/upgrade-vue-3.5.29

test/phase-7-components

dbg-2142

demo-fix

debug-mysql

trusthosts

seek

fix-equalizer

sentry

invite-user

remove-v6-obsolete

fix/song-list

feat/paths-filter

fix/home

fix/footer

feat/progressive

php81

dev/public-playlists

cy

feat/l7

dependabot/composer/pusher/pusher-php-server-4.1.4

dependabot/composer/laravel/framework-5.8.38

dependabot/composer/jackiedo/dotenv-editor-1.1.1

renovate/pin-dependencies

actions

api-doc

feat/recently-played

fix-tests

fix-cover-page

upload

stylejs-196

compilation

vuex

android-notif

nojquery

demo

vue2

2.0

1.1

v9.1.1

latest

v9.1.0

v9.0.0

v8.3.1

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.15.1

v7.15.0

v7.14.0

v7.13.0

v7.12.0

v7.11.0

v7.10.4

v7.10.3

v7.10.2

v7.10.1

v7.10.0

v7.9.0

v7.8.1

v7.8.0

v7.7.1

v7.7.0

v7.6.3

v7.6.2

v7.6.1

v7.6.0

v7.5.2

v7.5.1

v7.5.0

v7.4.2

v7.4.1

v7.4.0

v7.3.1

v7.3.0

v7.2.2

v7.2.1

v7.2.0

v7.1.0

v7.0.12

v7.0.11

v7.0.10

v7.0.9

v7.0.8

v7.0.7

v7.0.6

v7.0.5

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.12.1

v6.12.0

v6.11.5

v6.11.4

v6.11.3

v6.11.2

v6.11.1

v6.11.0

v6.10.0

v6.9.0

v6.8.5

v6.8.4

v6.8.3

v6.8.2

v6.8.1

v6.8.0

v6.7.5

v6.7.4

v6.7.3

v6.7.2

v6.7.1

v6.7.0

v6.6.0

v6.5.3

v6.5.2

v6.5.1

v6.5.0

v6.4.3

v6.4.2

v6.4.1

v6.4.0

v6.3.0

v6.2.2

v6.2.1

v6.2.0

v6.1.0

v6.0.6

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v0.0.0-beta

v5.1.14

v5.1.13

v5.1.12

v5.1.11

v5.1.10

v5.1.9

v5.1.8

v5.1.7

v5.1.6

v5.1.5

v5.1.4

v5.1.3

v5.1.2

v5.1.1

v5.1.0

v5.0.2

v5.0.1

v5.0.0

v4.4.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.1

v4.1.0

v4.0.0

v3.7.2

v3.7.1

v3.7.0

v3.6.2

v3.6.1

v3.6.0

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.1

v3.4.0

v3.3.1

v3.3.0

v3.2.0

v3.1.1

v3.1.0

v3.0.1

v3.0.0

v2.2.1

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.1.2

v1.1.1

1.0.0-beta

Labels

Clear labels   

Authentication

  

Dependencies

  

Documentation

  

Feature Request

  

Flac

  

Help Wanted

  

Installation/Setup

  

Integration

  

Mobile

  

PR Welcome

  

Pending Release

  

Performance

  

Playlist

  

S3

  

Search

  

Sync

  

[Pri] Low

  

[Pri] Normal

  

[Status] Keep Open

  

[Status] Needs Author Reply

  

[Status] Needs Review

  

[Status] Stale

  

[Status] Will Implement

  

[Type] Blessed

  

[Type] Bug

  

[Type] Duplicate

  

[Type] Enhancement

  

[Type] Help Request

  

[Type] Question

  

[Type] Task

  

pull-request

Mirrored from GitHub Pull Request

No labels

Authentication

Dependencies

Documentation

Feature Request

Flac

Help Wanted

Installation/Setup

Integration

Mobile

PR Welcome

Pending Release

Performance

Playlist

S3

Search

Sync

[Pri] Low

[Pri] Normal

[Status] Keep Open

[Status] Needs Author Reply

[Status] Needs Review

[Status] Stale

[Status] Will Implement

[Type] Blessed

[Type] Bug

[Type] Duplicate

[Type] Enhancement

[Type] Help Request

[Type] Question

[Type] Task

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/koel-koel#995

No description provided.