Bind services to 127.0.0.1 only, not 0.0.0.0

Issue Summary

At least the Nginx service binds to 0.0.0.0:80/0.0.0.0:443. This allows for access by other devices on the network that know the hostname/IP of your machine. This can lead to information leakage in situations where network configuration isn’t controlled or is simply a violation of security policies for a company.

Note that I understand this may be seen as a feature, but I need an option or way to disable it in order to meet security requirements.

Troubleshooting Questions

  • Does this happen for all sites in Local, or just one in particular?

All sites unless you manually edit the nginx configuration. I have not tested/checked other services to see if they also bind to 0.0.0.0.

  • Are you able to create a new, plain WordPress site in Local and access it in a Browser?

Yes

Replication

  1. Create site as you normally would, confirm that it works on your local system
  2. Add a hosts entry on a separate system that is attached to the same network. Use the IP address of the target machine running Local
  3. You can now access the site from a machine other than the one running Local

System Details

  • Which version of Local is being used?

6.6.1+6281

  • What Operating System (OS) and OS version is being used?
    Host machine is macOS Ventura, latest patch release. Guest machines can be anything

  • Attach the Local Log. See this Help Doc for instructions on how to do so:

    • Likely not relevant here but can provide if absolutely required

Security Reminder

Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.


Bumping this to see if anyone has any ideas, ty

Hey @dustinrue - thanks for reaching out! And apologies for the delay in getting back to you.

This makes sense to me; you mentioned manually editing your nginx configuration. I imagine you were doing something like:

  1. Navigate to ~/Library/Application Support/Local/run/router/nginx/conf/
  2. Set the server listens to something like:

listen 127.0.0.1:80 default_server;
listen [::1]:80 default_server;

Does that seem right? Or if you try that, does that accomplish what you’re after?

I’ll most likely move this to our feature request category, as Local is working as expected right now but this would be a great enhancement. How would you imagine updating this setting? Would you expect this to live in Local’s Preferences or somewhere else?

It feels like the sort of thing that should be an advanced setting. Maybe under router mode named “Prevent local network access” with a description along the lines of “When enabled, local sites will only be accessible from this computer. Disable to allow other devices on the network to access sites.”


The engineering team had the chance to review this morning and look at our options. Like you mentioned, originally this was a “feature, not a bug” scenario - there are users who want/expect this sort of functionality out of the box. I suppose it is a matter of how each person defines “local” 🙂

Being able to toggle it makes sense. Is this something you explored setting at the firewall level? In an org/agency setting, is there a benefit to having this within Local as opposed to at that higher level? We were thinking about other apps that might potentially be using these same ports, for example.

Documenting how to configure a firewall for this scenario is one thing, knowing the user did it correctly and is testing it correctly is another. Whereas having a toggle in the app that prevents it instills a lot more confidence that it is working as expected.

I am thinking of the WFM person visiting a coffee shop. Probably don’t need or even want a firewall at home but having this specific app not exposing anything is nice to have.

I also cast a vote for adding this feature into Local. Developer laptops typically wander across multiple networks, and it’s really easy for one to end up on some Wi-Fi network with a public IP address assigned while still running a Local site. For example, my university assigns public IP addresses on its campus Wi-Fi network.

Can I also request that the backends (one for each site) also only listen on localhost? The main nginx config for the router only needs them accessible on 127.0.0.1 for the proxy_pass, so there’s no need for them to listen on all interfaces.
These will be in separate config files for each site, e.g.:

  Listen 1000x  =>  Listen 127.0.0.1:1000x
  in /Users/{username}/Library/Application Support/Local/run/{site-id}/conf/apache/apache2.conf

or

  listen 1000x;  =>  listen 127.0.0.1:1000x;
  in /Users/{username}/Library/Application Support/Local/run/{site-id}/conf/nginx/site.conf

I did note that manually editing the listen directive in each site’s config doesn’t work, since Local overwrites any changes each time a site is started.

Thanks so much, we’re planning on migrating over to Local instead of a vagrant+virtualbox workflow, loving it so far!

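As an added example (not Local's code and not a file posted in this thread), here is the audit-and-rewrite logic behind the two suggestions above: the router's listen lines in the reply about the nginx conf directory, and the per-site nginx/Apache listen lines in the last post. The function names, the apache flag and both config snippets are constructed for illustration.

```python
import re

# Any nginx "listen" / Apache "Listen" line: indent, directive, address spec, remainder.
LISTEN_RE = re.compile(r"^(\s*)(listen)\s+(\S+)(.*)$", re.IGNORECASE)

# Constructed sample in the shape of Local's router nginx config (not a real file).
SAMPLE_NGINX = """server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 0.0.0.0:443 ssl;
    listen 127.0.0.1:8080;
    server_name _;
}
"""
# Constructed sample in the shape of a per-site apache2.conf (ports are invented).
SAMPLE_APACHE = "Listen 10003\nListen 127.0.0.1:10004\n"

def classify(spec):
    """Return (family, port) for a wildcard bind, or None when spec names an address."""
    if spec.isdigit():                       # "80": nginx => *:80, Apache => every v4/v6 address
        return ("any", spec)
    m = re.fullmatch(r"(?:\*|0\.0\.0\.0):(\d+)", spec)
    if m:
        return ("v4", m.group(1))
    m = re.fullmatch(r"\[::\]:(\d+)", spec)
    return ("v6", m.group(1)) if m else None  # 127.0.0.1:x, [::1]:x, unix: sockets -> None

def find_wildcard_binds(text):
    """Audit: list (line number, directive) for every listen bound to all interfaces."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if (m := LISTEN_RE.match(line)) and classify(m.group(3).rstrip(";"))]

def harden(text, apache=False):
    """Rewrite wildcard binds to loopback; explicit addresses are left untouched."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        family_port = m and classify(m.group(3).rstrip(";"))
        if not family_port:
            out.append(line)
            continue
        indent, directive, spec, rest = m.groups()
        if spec.endswith(";"):               # nginx: "listen 80;" keeps its terminator
            rest = ";" + rest
        family, port = family_port
        out.append(f"{indent}{directive} {'[::1]' if family == 'v6' else '127.0.0.1'}:{port}{rest}")
        if family == "any" and apache:       # a bare Apache "Listen N" also covered IPv6
            out.append(f"{indent}{directive} [::1]:{port}{rest}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
```

As noted above, Local rewrites the per-site files on each start, so the audit half is the part that stays useful: run find_wildcard_binds() against the regenerated configs to confirm what they actually bind to.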
