Doveadm HTTP API and CORS

Peter Chiochetti pch at myzel.net
Fri Dec 13 21:28:31 EET 2019


While toying around with the Doveadm HTTP API, I noticed there is not 
much hype around it. Let's change that.

The Doveadm REST API, so to speak, provides a web server. When doing 
/ajax/ requests, modern browsers block them unless the response comes 
with a specific CORS header.

Here is how to work around it with a proxy:

> # /etc/dovecot/local.conf
> 	doveadm_allowed_commands = fetch
> 	doveadm_api_key = secret
> 	service doveadm {
> 		inet_listener http {
> 			port = 8084
> 		}
> 	}
> # secret64 = echo -n secret | base64
> # /etc/apache/.../some-site.conf
> 	ProxyVia Block
> 	<Location /doveadm/v1>
> 		RequestHeader set Authorization "X-Dovecot-API secret64"
> 		ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5
> 		ProxyPassReverse http://localhost:8084/doveadm/v1
> 	</Location>

For intranet-only use this might be good enough; TLS with 
username/password Basic-Authentication passthrough might be used for 
better security.

Shameless plug: taken from 
https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b

-- 
peter
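
A browser-side client for the proxied path in the message above, as an added example that is not part of the original post or the linked gist. The function names, the tag value and the sample fields are hypothetical, and the `[[command, params, tag]]` request shape with `doveadmResponse`/`error` replies is assumed from the Doveadm HTTP API convention.

```javascript
// Added example: client for the same-origin /doveadm/v1 proxy path.
// Assumption: requests are [[command, params, tag]] and replies are
// [["doveadmResponse", rows, tag]] or [["error", info, tag]].

// The value the proxy injects (the "secret64" line in the config).
// The browser never needs it; shown only to make the format explicit.
function apiKeyHeader(key) {
  const b64 = typeof btoa === "function"
    ? btoa(key)
    : Buffer.from(key, "utf8").toString("base64");
  return "X-Dovecot-API " + b64;
}

// Build the JSON body for one "fetch" command, the only command the
// doveadm_allowed_commands setting above permits.
function buildFetch(user, mailbox, fields, tag) {
  return JSON.stringify([[
    "fetch",
    { user: user, field: fields, query: ["mailbox", mailbox, "all"] },
    tag,
  ]]);
}

// Return the rows for `tag`, throwing on an error tuple or a missing tag.
function parseReply(reply, tag) {
  if (!Array.isArray(reply)) throw new Error("unexpected reply shape");
  const entry = reply.find((e) => Array.isArray(e) && e[2] === tag);
  if (!entry) throw new Error("no reply for tag " + tag);
  const [kind, payload] = entry;
  if (kind === "error") {
    throw new Error("doveadm error: " + JSON.stringify(payload));
  }
  if (kind !== "doveadmResponse") throw new Error("unknown reply " + kind);
  return payload;
}

// Same-origin call: the page sets no Authorization header, so the API key
// stays in the proxy config and CORS does not apply to the request.
async function fetchSubjects(user) {
  const tag = "t1"; // hypothetical tag value
  const res = await fetch("/doveadm/v1", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: buildFetch(user, "INBOX", ["uid", "hdr.subject"], tag),
  });
  if (!res.ok) throw new Error("HTTP " + res.status);
  return parseReply(await res.json(), tag);
}
```

Because the proxy adds the key for every request to that path, the `user` argument is the only thing selecting whose mailbox is read, which is why the message limits this setup to an intranet.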

