Selfhost Shaarli

by Christoph Stoettner
Read in about 3 min · (words)

Fountain pen and a notebook

Photo by Aaron Burden | Unsplash

I use Shaarli since ages to collect links, notes and bookmarks. I worked a little bit on that collection and started to share some as public lists.

On my mobile device I bought a license for Stakali, it fits perfectly into my workflows. I often search on my mobile and share the link through Stakali to my desktop. Stakali just needs the URL and the API Key of Shaarli, but I got errors. So I analyzed the source and app with:

Stakali has an option to disable SSL Key checking, so no need to use any more tools to intercept the traffic. On Android you normally have to disable SSL Pinning. Here is a good start to learn how to do this.

Even with enabled API it didn’t work. First I used the default .htaccess, but got Error 500 accessing the api.


# Disable directory listing
Options -Indexes

RewriteEngine On

# Prevent accessing subdirectories not managed by SCM
RewriteRule ^(.git|doxygen|vendor) - [F]

RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

RewriteBase /           (1)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
1Add this line

With RewriteBase the Error 500 accessing the API disappeared, but logon with mobile still wasn’t possible.

I enabled the debug mode and wrote a little php script to check the headers and environment variables:


  },        (1)
  "dev": {
    "debug": true
1Add a new element to the json to enable debugging

My hoster uses FastCGI with PHP and this strips the Authorization header, but the RewriteRule RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT] should add an environment variable HTTP_AUTHORIZATION with the content of the Authorization header.

This does not work for me, but I found a workaround:


SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0        (1)
# RewriteCond %{HTTP:Authorization} ^(.+)              (2)
# RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]   (3)
1add this line
2comment out
3comment out

I replaced the RewriteRule with this SetEnvIf directive. Now I found the used Bearer JWT Token when I debugged the access, but Shaarli didn’t accept the token, because the variable was renamed to REDIRECT_HTTP_AUTHORIZATION and Shaarli is not aware of this.

I couldn’t find an easy way to get this working, so I changed the code directly and created a Pull Request. I added the comments to .htaccess to make it easier (just comment out or in the rewrite rules) and application/api/ApiMiddleware.php.

You can see all changes here. Not sure if this all is needed or good, but it works for me. I just added the new environment variable and the application doesn’t run into exceptions any more.

pr shaarli
Add a comment
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *