cleanup and tested on alpine/debian

php/auth.php

@@ -1,10 +1,8 @@
-<?php $LOG = '/var/log/lighttpd/error.log';
-if (isset($_ENV['piphplog'])) {
-    $LOG = getenv('piphplog');
-}
+<?php
+$ERRORLOG = getenv('PHP_ERROR_LOG');
 
 function pi_log($message) {
-    error_log(date('Y-m-d H:i:s') . ': ' . $message . "\n", 3, $GLOBALS['LOG']);
+    error_log(date('Y-m-d H:i:s') . ': ' . $message . "\n", 3, $GLOBALS['ERRORLOG']);
 }
 
 function log_and_die($message) {
@@ -18,13 +16,19 @@ if(!isset($_POST['domain'], $_POST['list'], $_POST['token'])) {
 
 $AUTHORIZED_HOSTNAMES = [
     'http://' . $_SERVER['SERVER_ADDR'],
-    'http://' . 'pi.hole',
-    'http://' . 'localhost'
+    'http://pi.hole',
+    'http://localhost'
 ];
 
-if (isset($_ENV['VIRTUAL_HOST'])) {
-    array_push($AUTHORIZED_HOSTNAMES, 'http://' . $_ENV['VIRTUAL_HOST']);
-}
+# Allow user set virtual hostnames
+$virtual_host = getenv('VIRTUAL_HOST');
+if (! empty($virtual_host))
+    array_push($AUTHORIZED_HOSTNAMES, 'http://' . $virtual_host);
+
+# For docker container's host IP, SERVER_ADDR will be docker0 interface ip
+$server_ip = getenv('ServerIP');
+if (! empty($server_ip))
+    array_push($AUTHORIZED_HOSTNAMES, 'http://' . $server_ip);
 
 // Check CORS
 if(isset($_SERVER['HTTP_ORIGIN'])) {
@@ -36,9 +40,9 @@ if(isset($_SERVER['HTTP_ORIGIN'])) {
     header("Access-Control-Allow-Origin: $CORS_ALLOW_ORIGIN");
 } else {
     pi_log("CORS skipped, unknown HTTP_ORIGIN");
+    //pi_log("CORS allowed: " . join(',', $AUTHORIZED_HOSTNAMES));
 }
 
-
 // Otherwise probably same origin... out of the scope of CORS
 session_start();
 
@@ -46,4 +50,5 @@ session_start();
 if(!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) {
     log_and_die("Wrong token");
 }
+
 ?>