Issue Summary
At least the Nginx service binds to 0.0.0.0:80/0.0.0.0:443. This allows for access by other devices on the network that know the hostname/IP of your machine. This can lead to information leakage in situations where network configuration isn’t controlled or is simply a violation of security policies for a company.
Note that I understand this may be seen as a feature, but I need an option or way to disable it in order to meet security requirements.
Troubleshooting Questions
- Does this happen for all sites in Local, or just one in particular?
All sites unless you manually edit the nginx configuration. I have not tested/checked other services to see if they also bind to 0.0.0.0.
- Are you able to create a new, plain WordPress site in Local and access it in a Browser?
Yes
Replication
- Create site as you normally would, confirm that it works on your local system
- Add a hosts entry on a separate system that is attached to the same network. Use the IP address of the target machine running Local
- You can now access the site from a machine other than the one running Local
System Details
- Which version of Local is being used?
6.6.1+6281
- What Operating System (OS) and OS version is being used?
Host machine is macOS Ventura, latest patch release. Guest machines can be anything
- Attach the Local Log. See this Help Doc for instructions on how to do so:
Likely not relevant here but can provide if absolutely required
Security Reminder
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.
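
An added example, not part of the original post and not Local's own code: a small Python audit that reads the `listen` directives from an nginx configuration and reports which ones bind to all interfaces (the behaviour described in the issue) and which are limited to loopback. The sample configuration and the function names are constructed for illustration; the post does not show Local's generated nginx files.

```python
import ipaddress
import re

# Constructed sample, not copied from a real Local site configuration.
SAMPLE_CONF = """
server {
    listen 80;
    listen 0.0.0.0:443 ssl;
    listen [::]:80;
    listen 127.0.0.1:8080;
    listen [::1]:8443 ssl;
    listen unix:/tmp/site.sock;
    # listen 10080;
}
"""

# First argument of each uncommented listen directive.
LISTEN_RE = re.compile(r"^[ \t]*listen\s+([^\s;]+)[^;]*;", re.MULTILINE)

def split_listen(value):
    """Split a listen value into (host, port); host is None for a bare port."""
    if value.startswith("unix:"):
        return "unix", None
    if value.startswith("["):  # IPv6 literal: [addr] or [addr]:port
        host, _, rest = value[1:].partition("]")
        return host, rest.lstrip(":") or "80"
    if value.isdigit():  # "listen 80;" means every IPv4 interface
        return None, value
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, "80")

def exposure(host):
    """Classify who can reach a socket bound to this host value."""
    if host == "unix":
        return "local-socket"
    if host in (None, "*"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host == "localhost" else "hostname"
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-interface"

def audit(conf_text):
    """Return (listen value, port, exposure) for each listen directive."""
    return [(v, split_listen(v)[1], exposure(split_listen(v)[0]))
            for v in LISTEN_RE.findall(conf_text)]
```

Any directive reported as `all-interfaces` accepts connections from other hosts on the network unless a host firewall blocks them; rewriting it to a loopback address such as `127.0.0.1:80` restricts it to the local machine.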