Issue Summary

At least the Nginx service binds to 0.0.0.0:80/0.0.0.0:443. This allows for access by other devices on the network that know the hostname/IP of your machine. This can lead to information leakage in situations where network configuration isn’t controlled or is simply a violation of security policies for a company.

Note that I understand this may be seen as a feature, but I need an option or way to disable it in order to meet security requirements.

Troubleshooting Questions

• Does this happen for all sites in Local, or just one in particular?

All sites unless you manually edit the nginx configuration. I have not tested/checked other services to see if they also bind to 0.0.0.0

• Are you able to create a new, plain WordPress site in Local and access it in a Browser?

Yes

Replication

1. Create site as you normally would, confirm that it works on your local system
2. Add a hosts entry on a separate system that is attached to the same network. Use the IP address of the target machine running Local
3. You can now access the site from a machine other than the one running Local

System Details

• Which version of Local is being used?

6.6.1+6281

• What Operating System (OS) and OS version is being used?
  Host machine is macOS Ventura, latest patch release. Guest machines can be anything

• Attach the Local Log. See this Help Doc for instructions on how to do so:

  • Likely not relevant here but can provide if absolutely required

Security Reminder

Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.

Bumping this to see if anyone has any ideas, ty

Hey @dustinrue - thanks for reaching out! And apologies for the delay in getting back to you.

This makes sense to me; you mentioned manually editing your nginix configuration. I imagine you were doing something like:

1. Navigate to ~/Library/Application Support/Local/run/router/nginx/conf/
2. Set the server listens to something like:

listen 127.0.0.1:80 default_server;
listen [::1]:80 default_server;

Does that seem right? Or if you try that, does that accomplish what you’re after?

I’ll most likely move this to our feature request category, as Local is working as expected right now but this would be a great enhancement. How would you imagine updating this setting? Would you expect this to live in Local’s Preferences or somewhere else?

It feels like the sort of thing that should be an advanced setting. Maybe under router mode named “Prevent local network access” with description along the lines of “When enabled local sites will only be accessible from this computer. Disable to allow other devices on the network to access sites”

The engineering team had the chance to review this morning and look at our options. Like you mentioned, originally this was a “feature, not a bug” scenario - there are users who want/expect this sort of functionality out of the box. I suppose it is a matter of how each person defines “local”

Being able to toggle it makes sense. Is this something you explored setting at the firewall level? In an org/agency setting, is there a benefit to having this within Local as opposed to at that higher level? We were thinking about other apps that might potentially be using these same ports, for example

Documenting how to configure a firewall for this scenario is one thing, knowing the user did it correctly and is testing it correctly is another. Whereas having a toggle in the app that prevents it instills a lot more confidence that it is working as expected.

I am thinking of the WFM person visiting a coffee shop. Probably don’t need or even want a firewall at home but having this specific app not exposing anything is nice to have.