diff --git a/docs/configuration/general.md b/docs/configuration/general.md index 9f10fc790..a6f68982a 100644 --- a/docs/configuration/general.md +++ b/docs/configuration/general.md @@ -64,9 +64,11 @@ protocol: "https" # String. Address to bind the GoToSocial server to. # This can be an IPv4 address or an IPv6 address (surrounded in square brackets), or a hostname. -# Default value will bind to all interfaces. -# You probably won't need to change this unless you're setting GoToSocial up in some fancy way or -# you have specific networking requirements. +# The default value will bind to all interfaces, which makes the server +# accessible by other machines. For most setups there is no need to change this. +# If you are using GoToSocial in a reverse proxy setup with the proxy running on +# the same machine, you will want to set this to "localhost" or an equivalent, +# so that the proxy can't be bypassed. # Examples: ["0.0.0.0", "172.128.0.16", "localhost", "[::]", "[2001:db8::fed1]"] # Default: "0.0.0.0" bind-address: "0.0.0.0" diff --git a/docs/installation_guide/apache-httpd.md b/docs/installation_guide/apache-httpd.md index c6e30b850..acada7c6f 100644 --- a/docs/installation_guide/apache-httpd.md +++ b/docs/installation_guide/apache-httpd.md @@ -44,6 +44,8 @@ sudoedit /gotosocial/config.yaml Then set `letsencrypt-enabled: false`. +If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable. + If GoToSocial is already running, restart it. ```bash diff --git a/docs/installation_guide/caddy.md b/docs/installation_guide/caddy.md index 89fb55605..935b811fd 100644 --- a/docs/installation_guide/caddy.md +++ b/docs/installation_guide/caddy.md @@ -49,6 +49,8 @@ In your GoToSocial config turn off Lets Encrypt by setting `letsencrypt-enabled` If you we running GoToSocial on port 443, change the `port` value back to the default `8080`. +If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable. + ## Set up Caddy We will configure Caddy 2 to use GoToSocial on our main domain example.org. Since Caddy takes care of obtaining the Lets Encrypt certificate, we only need to configure it properly once. diff --git a/docs/installation_guide/nginx.md b/docs/installation_guide/nginx.md index 7525d6634..6b689faf5 100644 --- a/docs/installation_guide/nginx.md +++ b/docs/installation_guide/nginx.md @@ -38,6 +38,8 @@ In your GoToSocial config turn off letsencrypt by setting `letsencrypt-enabled` If you we running GoToSocial on port 443, change the `port` value back to the default `8080`. +If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable. + ## Set up NGINX First we will set up NGINX to serve GoToSocial as unsecured http and then use Certbot to automatically upgrade it to serve https. diff --git a/example/config.yaml b/example/config.yaml index a6294431e..7e02a702d 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -76,9 +76,11 @@ protocol: "https" # String. Address to bind the GoToSocial server to. # This can be an IPv4 address or an IPv6 address (surrounded in square brackets), or a hostname. -# Default value will bind to all interfaces. -# You probably won't need to change this unless you're setting GoToSocial up in some fancy way or -# you have specific networking requirements. +# The default value will bind to all interfaces, which makes the server +# accessible by other machines. For most setups there is no need to change this. +# If you are using GoToSocial in a reverse proxy setup with the proxy running on +# the same machine, you will want to set this to "localhost" or an equivalent, +# so that the proxy can't be bypassed. # Examples: ["0.0.0.0", "172.128.0.16", "localhost", "[::]", "[2001:db8::fed1]"] # Default: "0.0.0.0" bind-address: "0.0.0.0"