superseriousbusiness / gotosocial

Fast, fun, small ActivityPub server.
https://docs.gotosocial.org
GNU Affero General Public License v3.0
3.61k stars, 304 forks

[docs] Setup/config guide doesn't warn against binding to 0.0.0.0/[::] in reverse-proxy use-case #1099

Closed hikari-no-yume closed 1 year ago

hikari-no-yume commented 1 year ago

Hi. I just set up a GoToSocial server in a reverse-proxy configuration. I noticed there isn't a mention in the config example of the difference between binding to 0.0.0.0/[::] and 127.0.0.1/[::1]/localhost:

https://github.com/superseriousbusiness/gotosocial/blob/4a9538593c6110b5972d802aebf1c4990edafe38/example/config.yaml#L77-L84

Likewise I didn't see it mentioned in the reverse proxy guide for nginx.

So far as I know, if you use 0.0.0.0 (IPv4) or [::] (IPv6), your server will usually become directly accessible from the public internet. That's the ideal in a normal configuration, but if you're using a reverse proxy running on the same host, then this is a liability, because now someone can access the server without going via the proxy.

I am thinking that it would be good to suggest using localhost, 127.0.0.1 (IPv4) or [::1] (IPv6) instead, which makes the server only accessible via loopback, in order to avoid this issue. I'm using 127.0.0.1 on my server and it seems to work.

I'm happy to make a pull request myself to address this, I just wanted to check first whether this was intended somehow or if there's some reason people might object.


P.S. I really like this project! It's exactly the lightweight, easy-to-run server I was hoping for.

dequis commented 1 year ago

Similarly, with a docker + nginx reverse proxy setup, having this in docker-compose helps:

    ports:
      - "127.0.0.1:8080:8080"
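
Both the bind-address suggestion above and the docker `ports` form with a `127.0.0.1:` host prefix aim at the same outcome: the backend port is reachable only through the proxy. The quickest way to confirm that on the host is to list listening sockets and flag any on the backend port that are not bound to a loopback address. The script below is an added example, not part of this issue or of the GoToSocial project; it goes slightly beyond the comments by flagging any non-loopback listener (a specific LAN address as well as `0.0.0.0`/`[::]`). It runs against a constructed sample of `ss -ltn` output embedded inline; on a real host you would pass `"$(ss -ltn)"` instead. It only inspects userspace listeners, so a port published by Docker purely through NAT rules would not appear in it.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from any real host):
# a backend on 8080 bound to the IPv4 wildcard, a database on loopback only,
# a proxy on 443 (expected to be public), and an IPv6 loopback listener on 8080.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   [::]:443            [::]:*
LISTEN 0      4096   [::1]:8080          [::]:*'

# Print every local address:port from `ss -ltn` text ($1) whose address is not
# loopback (127.0.0.0/8 or [::1]); these listeners are reachable from outside
# the host, whether bound to a wildcard or to a specific interface address.
non_loopback_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      addr = $4
      sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
      if (addr ~ /^127\./ || addr == "[::1]") next
      print $4
    }'
}

# Echo "exposed" when port $2 has at least one non-loopback listener in the
# `ss -ltn` text $1, otherwise "loopback-only". Always exits 0 so the verdict
# can be captured with $(...) without tripping `set -e`.
backend_exposure() {
  if non_loopback_listeners "$1" | grep -q ":$2\$"; then
    echo "exposed"
  else
    echo "loopback-only"
  fi
}

# Usage on the constructed sample: 8080 is flagged even though it also has a
# [::1] listener, because the 0.0.0.0 listener alone makes it reachable.
for p in 8080 5432; do
  echo "port $p: $(backend_exposure "$SAMPLE_SS" "$p")"
done
```

Port 443 is reported as exposed too, which is correct for the proxy itself; the check is meant for the port the proxy forwards to, not for the proxy's own public listener.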

tsmethurst commented 1 year ago

> I'm happy to make a pull request myself to address this, I just wanted to check first whether this was intended somehow or if there's some reason people might object.

Sounds good! Thanks for pointing this out :)

dequis commented 1 year ago

@hikari-no-yume FYI I did the docker part of this as part of https://github.com/superseriousbusiness/gotosocial/pull/1127

hikari-no-yume commented 1 year ago

Made a pull request now: https://github.com/superseriousbusiness/gotosocial/pull/1166

hikari-no-yume commented 1 year ago

The PR got merged. Thank you :)