Selfhost Shaarli

Last Update:

Author: Christoph Stoettner
Read in about 3 min · 436 words

Fountain pen and a notebook

Photo by Aaron Burden | Unsplash

I use Shaarli since ages to collect links, notes and bookmarks. I worked a little bit on that collection and started to share some as public lists .

On my mobile device I bought a license for Stakali , it fits perfectly into my workflows. I often search on my mobile and share the link through Stakali to my desktop. Stakali just needs the URL and the API Key of Shaarli, but I got errors. So I analyzed the source and app with:

Stakali has an option to disable SSL Key checking, so no need to use any more tools to intercept the traffic. On Android you normally have to disable SSL Pinning. Here is a good start to learn how to do this .

Even with enabled API it didn’t work. First I used the default .htaccess, but got Error 500 accessing the api.


# Disable directory listing
Options -Indexes

RewriteEngine On

# Prevent accessing subdirectories not managed by SCM
RewriteRule ^(.git|doxygen|vendor) - [F]

RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

RewriteBase /           
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
  • Add this line

With RewriteBase the Error 500 accessing the API disappeared, but logon with mobile still wasn’t possible.

I enabled the debug mode and wrote a little php script to check the headers and environment variables:


  "dev": {
    "debug": true
  • Add a new element to the json to enable debugging

My hoster uses FastCGI with PHP and this strips the Authorization header, but the RewriteRule RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT] should add an environment variable HTTP_AUTHORIZATION with the content of the Authorization header.

This does not work for me, but I found a workaround:


SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0        
# RewriteCond %{HTTP:Authorization} ^(.+)              
# RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]   
  • add this line

  • comment out

  • comment out

I replaced the RewriteRule with this SetEnvIf directive. Now I found the used Bearer JWT Token when I debugged the access, but Shaarli didn’t accept the token, because the variable was renamed to REDIRECT_HTTP_AUTHORIZATION and Shaarli is not aware of this.

I couldn’t find an easy way to get this working, so I changed the code directly and created a Pull Request . I added the comments to .htaccess to make it easier (just comment out or in the rewrite rules) and application/api/ApiMiddleware.php.

You can see all changes here . Not sure if this all is needed or good, but it works for me. I just added the new environment variable and the application doesn’t run into exceptions any more.

pr shaarli

Add a comment
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Aaron Burden: Fountain pen and a notebook

I often get SystemOut.log files from customers or friends to help them analyzing a problem. Often it is complicated to find the right server and application which generates the real error, because most WebSphere Applications (like IBM Connections or Sametime) are installed on different Application Servers and Nodes. So you need to open multiple large files in your editor, scroll each to the needed timestamps and check the lines before for possible error messages.

Last Update:
Read in about 5 min
Card image cap

Last week I attended FrOSCon[], a yearly conference about Free and Open-Source software, organized by the computer science department of the University of Applied Sciences Bonn-Rhein-Sieg.

Created: Read in about 2 min
Aaron Burden: Fountain pen and a notebook

For GPN19 I prepared a second talk on Documentation with any Editor . The talk was based on a previous one from Froscon 13, but the pipeline tooling changed.

This time there was a technical issue during the recording and so there are only the slides available, but you can still watch the video of the Froscon talk: Froscon 13: Documentation with any Editor

Last Update:
Read in about 8 min