Skip to content

[ISSUE #359] Fix Docker starts the dashboard page access address is localhost#360

Open
louyongjiu wants to merge 1 commit into
apache:masterfrom
louyongjiu:master
Open

[ISSUE #359] Fix Docker starts the dashboard page access address is localhost#360
louyongjiu wants to merge 1 commit into
apache:masterfrom
louyongjiu:master

Conversation

@louyongjiu

@louyongjiu louyongjiu commented Aug 27, 2025

Copy link
Copy Markdown

Fix Docker starts the dashboard page access address is localhost

@louyongjiu louyongjiu mentioned this pull request Aug 27, 2025
Closed
oss-sentinel-ai
oss-sentinel-ai approved these changes Jun 10, 2026
View reviewed changes

@oss-sentinel-ai oss-sentinel-ai left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Approved ✅

PR: #360 — [ISSUE #359] Fix Docker starts the dashboard page access address is localhost
Type: Bug fix (3 files, +25/-13)

Assessment

Fixes the dashboard access address issue when running in Docker. Changes include:

  • Updated remoteApi.js to handle Docker environment correctly
  • Modified SecurityConfig.java for proper address binding
  • Updated application.yml configuration

Verdict

✅ Proper fix for Docker deployment address binding.

🤖 Automated review by oss-sentinel-ai

RockteMQ-AI
RockteMQ-AI reviewed Jun 12, 2026
View reviewed changes

@RockteMQ-AI RockteMQ-AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by github-manager-bot

Summary

Fixes the dashboard access address issue when running in Docker by making the API base URL relative and updating CORS configuration.

Findings

  • [Critical] SecurityConfig.java:60 — Changing setAllowedOrigins(Arrays.asList("http://localhost:3003")) to setAllowedOriginPatterns(Arrays.asList("*")) combined with setAllowCredentials(true) is a security risk. This allows any origin to make credentialed cross-origin requests to the dashboard API. In a production deployment, this could enable CSRF-like attacks. Consider:

    • Making the allowed origins configurable via application.yml (e.g., rocketmq.dashboard.allowed-origins)
    • Or at minimum restricting to the actual deployment domain pattern

  • [Warning] remoteApi.js — Replacing new URL() + url.searchParams.append() with manual string concatenation (url += '?date=' + date) is a regression. The original URLSearchParams approach properly handles URL encoding of special characters. The new code does not encode parameters in queryBrokerHisData (line 831), which could break with date values containing special characters. The queryTopicHisData and queryBrokerConfig methods do use encodeURIComponent, but the inconsistency is concerning.

  • [Info] remoteApi.js:19 — Changing apiBaseUrl from 'http://localhost:8082' to '' (empty/relative) is the correct fix for Docker deployments where the frontend and backend share the same host. This makes the API calls use the current page's origin.

Suggestions

  1. Do not merge with allowedOriginPatterns("*") + allowCredentials(true). Make it configurable or restrict to specific patterns.
  2. Restore URL + searchParams pattern for consistency, or at minimum apply encodeURIComponent uniformly to all query parameters.
  3. Consider adding a dashboard.allowed-origins property in application.yml for deployment flexibility.

Automated review by github-manager-bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@RockteMQ-AI RockteMQ-AI RockteMQ-AI left review comments

@oss-sentinel-ai oss-sentinel-ai oss-sentinel-ai approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@louyongjiu @oss-sentinel-ai @RockteMQ-AI