At least the Nginx service binds to 0.0.0.0:80/0.0.0.0:443. This allows for access by other devices on the network that know the hostname/IP of your machine. This can lead to information leakage in situations where network configuration isn’t controlled or is simply a violation of security policies for a company.
Note that I understand this may be seen as a feature, but I need an option or way to disable it in order to meet security requirements.
- Does this happen for all sites in Local, or just one in particular?
All sites unless you manually edit the nginx configuration. I have not tested/checked other services to see if they also bind to 0.0.0.0
- Are you able to create a new, plain WordPress site in Local and access it in a Browser?
- Create site as you normally would, confirm that it works on your local system
- Add a hosts entry on a separate system that is attached to the same network. Use the IP address of the target machine running Local
- You can now access the site from a machine other than the one running Local
- Which version of Local is being used?
What Operating System (OS) and OS version is being used?
Host machine is macOS Ventura, latest patch release. Guest machines can be anything
Attach the Local Log. See this Help Doc for instructions on how to do so:
- Likely not relevant here but can provide if absolutely required
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.
Bumping this to see if anyone has any ideas, ty
Hey @dustinrue - thanks for reaching out! And apologies for the delay in getting back to you.
This makes sense to me; you mentioned manually editing your nginix configuration. I imagine you were doing something like:
- Navigate to
- Set the server
listens to something like:
listen 127.0.0.1:80 default_server;
listen [::1]:80 default_server;
Does that seem right? Or if you try that, does that accomplish what you’re after?
I’ll most likely move this to our feature request category, as Local is working as expected right now but this would be a great enhancement. How would you imagine updating this setting? Would you expect this to live in Local’s Preferences or somewhere else?
It feels like the sort of thing that should be an advanced setting. Maybe under router mode named “Prevent local network access” with description along the lines of “When enabled local sites will only be accessible from this computer. Disable to allow other devices on the network to access sites”
The engineering team had the chance to review this morning and look at our options. Like you mentioned, originally this was a “feature, not a bug” scenario - there are users who want/expect this sort of functionality out of the box. I suppose it is a matter of how each person defines “local”
Being able to toggle it makes sense. Is this something you explored setting at the firewall level? In an org/agency setting, is there a benefit to having this within Local as opposed to at that higher level? We were thinking about other apps that might potentially be using these same ports, for example
Documenting how to configure a firewall for this scenario is one thing, knowing the user did it correctly and is testing it correctly is another. Whereas having a toggle in the app that prevents it instills a lot more confidence that it is working as expected.
I am thinking of the WFM person visiting a coffee shop. Probably don’t need or even want a firewall at home but having this specific app not exposing anything is nice to have.
I also cast a vote for adding this feature into Local. Developer laptops typically wander across multiple networks, and it’s really easy for one to end up on some Wi-Fi network with a public IP address assigned while still running a Local site. For example, my university assigns public IP addresses on its campus Wi-Fi network.
Can I also request that the backends (one for each site) also only listen on localhost? The main nginx config for the router only needs them accessible on
127.0.0.1 for the
proxy_pass, so there’s no need for them to listen on all interfaces.
These will be in separate config files for each site, e.g.:
Listen 1000x =>
listen 1000x; =>
I did note that manually editing the listen directive in each site’s config doesn’t work, since Local overwrites any changes each time a site is started.
Thanks so much, we’re planning on migrating over to Local instead of a vagrant+virtualbox workflow, loving it so far!
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.