Ravinou / borgwarehouse

A fast and modern WebUI for a BorgBackup's central repository server.
https://borgwarehouse.com
GNU Affero General Public License v3.0

Bind to localhost #1

Closed p-rintz closed 1 year ago

p-rintz commented 1 year ago

Hi there,

great job on the project. Looking really good so far. It's already my favourite Borg webUI.

As for this issue, I'd want to make the suggestion to bind the "npm run start" "production" command to localhost only, so that borgwarehouse isn't reachable on any public IPs. You currently recommend using Apache as a reverse proxy in the documentation, so this shouldn't be needed then.

i.e.:

{
    "name": "borgwarehouse",
    "version": "1.0",
    "private": true,
    "scripts": {
        "dev": "next dev",
        "build": "next build",
        "start": "next start -H 127.0.0.1",
        "lint": "next lint"
    },
    "dependencies": {
        "@tabler/icons": "^1.96.0",
        "bcryptjs": "^2.4.3",
        "chart.js": "^3.9.1",
        "next": "^13.0.5",
        "next-auth": "^4.17.0",
        "react": "^18.2.0",
        "react-chartjs-2": "^4.3.1",
        "react-dom": "^18.2.0",
        "react-hook-form": "^7.36.1",
        "react-modal": "^3.15.1",
        "react-select": "^5.6.0",
        "react-toastify": "^9.0.8",
        "spinners-react": "^1.0.7",
        "swr": "^1.3.0"
    },
    "devDependencies": {
        "eslint": "8.23.1",
        "eslint-config-next": "^13.0.5"
    }
}

Again, thanks for the great project.

Ravinou commented 1 year ago

Hi, first of all a huge thank you for your positive feedback on BorgWarehouse. It gives me a lot of energy to continue this work! 🙏

With NextJS, the next start command launches by default the application on localhost:3000 (https://nextjs.org/docs/api-reference/cli#production). But indeed, the default hostname is 0.0.0.0: [screenshot from 2022-12-12 11-19-56]

It is this default hostname that makes the application available on any public IP as you say 👍

If you force the application to be launched on 127.0.0.1, you will use TCP/IP and not the Unix socket for the interconnection with your proxy. The Unix socket is much faster than TCP/IP. From my point of view, it seems better to start the application on localhost:3000 rather than 127.0.0.1:3000 to take advantage of the speed of the Unix socket.

So I recommend you to modify the command with: "start": "next start -H localhost". You will have this result: [screenshot from 2022-12-12 11-20-04]

What do you think about it?

On the other hand, modifying this in the project application will cause a specificity that I will have to remember because I will leave the default configuration of NextJS and NodeJS. It's interesting to think that the application should not be reachable on 0.0.0.0 since it's behind a reverse proxy. I rather agree with your reflection. However, the use case with the Apache reverse proxy is only one of many (even if it is the one I chose to show in the documentation). I know that some users use BorgWarehouse with Docker containers or behind other types of proxy and therefore need 0.0.0.0.

Moreover, since the application starts on port 3000 by default, it should not be open on a firewall by default if the rules of the art have been respected. The application will never be accessible by default if the basic security rules are respected.

Your question is still relevant and it will certainly be useful to others, but I don't think I will integrate a specification for this specific case in the project.

What do you think about it?

Thanks again for your interest in this project.

p-rintz commented 1 year ago

> So I recommend you to modify the command with : "start": "next start -H localhost".

Sounds good to me. I was not aware that there was a difference between that and 127.0.0.1 for Next.JS. (If anything, I would've expected 'localhost' to bind to both IPv4 and IPv6.)

> I know that some users use BorgWarehouse with docker containers or behind other types of proxy and therefore need 0.0.0.0.

Absolutely reasonable. I would've solved it with environment variables or a template probably for a Dockerfile.

> The application will never be accessible by default if the basic security rules are respected.

While not a terrible assumption, I try to keep assumptions out of default settings. By default, the application should be safe, imo.

In the end, it's not a huge issue either way. Maybe include it in the Readme/Documentation at least?

Ravinou commented 1 year ago

I will include this possibility in the documentation FAQ soon!

Ravinou commented 1 year ago

Documentation is up to date here: https://borgwarehouse.com/docs/help/faq/#change-default-hostname-or-port-for-application

Ravinou commented 1 year ago

It's not a good practice to edit the package.json, and modifications will be deleted by a git pull. I will change the documentation to use an environment variable.

Ravinou commented 1 year ago

FAQ is updated on https://borgwarehouse.com
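
Added example, not part of the original thread or of BorgWarehouse's code: the discussion turns on whether the Node listener ends up bound to the wildcard address or to loopback only, so this JavaScript sketch classifies listeners from `ss -Hltn` output and reports which ones on a given port are reachable beyond loopback. The sample output, the addresses in it and the function names are constructed for illustration.

```javascript
// Constructed sample of `ss -Hltn` output (not captured from a real host).
// Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
const SAMPLE = `
LISTEN 0 511  0.0.0.0:3000      0.0.0.0:*
LISTEN 0 511  127.0.0.1:3001    0.0.0.0:*
LISTEN 0 511  [::1]:3001        [::]:*
LISTEN 0 511  *:3002            *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  192.0.2.10:8080   0.0.0.0:*
`;

// Classify a bind address: 'wildcard' (every interface), 'loopback'
// (local processes only, e.g. a reverse proxy on the same host) or
// 'interface' (one specific non-loopback address).
function classify(addr) {
  const a = addr.toLowerCase().replace(/^::ffff:/, ''); // IPv4-mapped IPv6
  if (a === '0.0.0.0' || a === '::' || a === '*') return 'wildcard';
  if (a === '::1' || /^127\.\d+\.\d+\.\d+$/.test(a)) return 'loopback';
  return 'interface';
}

// Parse each LISTEN line into { addr, port, scope }.
function parseListeners(text) {
  const out = [];
  for (const line of text.split('\n')) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5 || fields[0] !== 'LISTEN') continue;
    const local = fields[3];
    const cut = local.lastIndexOf(':'); // port follows the last colon
    if (cut < 0) continue;
    const port = Number(local.slice(cut + 1));
    if (!Number.isInteger(port)) continue;
    // Drop an interface scope ("%lo") first, then IPv6 brackets.
    const addr = local.slice(0, cut).replace(/%.*$/, '').replace(/^\[|\]$/g, '');
    out.push({ addr, port, scope: classify(addr) });
  }
  return out;
}

// Listeners on `port` that are reachable from outside the loopback interface.
function exposedListeners(text, port) {
  return parseListeners(text).filter(l => l.port === port && l.scope !== 'loopback');
}

for (const l of parseListeners(SAMPLE)) {
  console.log(`${l.addr}:${l.port} -> ${l.scope}`);
}
```

On a real host, pass the output of `ss -Hltn` to `exposedListeners` with the application's port; an empty result means the port is bound to loopback only.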