From 432c627f9b0c3af8b9d9e3ee2cb90da8d5186a3c Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Sun, 4 May 2025 14:48:34 +0200
Subject: [PATCH] further improve documentation and examples (#423)
---
 docker-compose.yml | 1 +
 docs/documentation/configuration/examples.md | 2 +-
 docs/documentation/configuration/overview.md | 5 +++--
 docs/documentation/getting-started/docker.md | 6 ++++--
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 91981a2..c5611e0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,7 @@ services:
 max-file: "3"
 cap_add:
 - NET_ADMIN
+ # Use host network mode for WireGuard and the UI. Ensure that access to the UI is properly secured.
 network_mode: "host"
 volumes:
 # left side is the host path, right side is the container path
diff --git a/docs/documentation/configuration/examples.md b/docs/documentation/configuration/examples.md
index 46e7ed1..83571dd 100644
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@@ -15,7 +15,7 @@ web:
 site_title: My WireGuard Server
 site_company_name: My Company
 listening_address: :8080
- external_url: https://my.externa-domain.com
+ external_url: https://my.external-domain.com
 csrf_secret: super-s3cr3t-csrf
 session_secret: super-s3cr3t-session
 request_logging: true
diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md
index 03bc68e..27d4309 100644
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -286,7 +286,7 @@ Controls how WireGuard Portal collects and reports usage statistics, including p
 ### `listening_address`
 - **Default:** `:8787`
-- **Description:** Address and port for the integrated Prometheus metric server (e.g., `:8787` or `127.0.0.1:8888`).
+- **Description:** Address and port for the integrated Prometheus metric server (e.g., `:8787` or `127.0.0.1:8787`).
 ---
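Review bot: The comment added above `network_mode: "host"` in docker-compose.yml tells the operator to secure the UI but not how, and with host networking there is no `ports:` mapping in this file that could limit exposure, so the bind address in the portal configuration is the control that matters. I would name it in the comment, for example `# Host network mode: the UI binds per web.listening_address (default :8888 = all host interfaces); set 127.0.0.1:8888 or firewall the port.` The context lines also show `cap_add: NET_ADMIN` next to host networking, which lets the container change the host's network configuration; a one-line comment stating why the capability is required would help anyone auditing this file. The service definition starts above this hunk, so other settings that affect exposure are not visible here.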
@@ -580,7 +580,8 @@ Without a valid `external_url`, the login process may fail due to CSRF protectio
 ### `listening_address`
 - **Default:** `:8888`
-- **Description:** The listening port of the web server.
+- **Description:** The listening address and port for the web server (e.g., `:8888` to bind on all interfaces or `127.0.0.1:8888` to bind only on the loopback interface).
+ Ensure that access to WireGuard Portal is protected against unauthorized access, especially if binding to all interfaces.
 ### `external_url`
 - **Default:** `http://localhost:8888`
diff --git a/docs/documentation/getting-started/docker.md b/docs/documentation/getting-started/docker.md
index ecf5227..da1b63a 100644
--- a/docs/documentation/getting-started/docker.md
+++ b/docs/documentation/getting-started/docker.md
@@ -10,10 +10,10 @@ The recommended method for deploying WireGuard Portal is via Docker Compose for
 A sample docker-compose.yml (managing WireGuard interfaces directly on the host) is provided below:
 ```yaml
---8<-- "docker-compose.yml::18"
+--8<-- "docker-compose.yml::19"
 ```
-By default, the webserver is listening on port **8888** on all available interfaces.
+By default, the webserver for the UI is listening on port **8888** on all available interfaces.
 Volumes for `/app/data` and `/app/config` should be used ensure data persistence across container restarts.
@@ -32,6 +32,8 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
 network_mode: "host"
 ...
 ```
+ > :warning: If host networking is used, the WireGuard Portal UI will be accessible on all the host's IP addresses if the listening address is set to `:8888` in the configuration file.
+ To avoid this, you can bind the listening address to a specific IP address, for example, the loopback address (`127.0.0.1:8888`). It is also possible to deploy firewall rules to restrict access to the WireGuard Portal UI.
 - **Within the WireGuard Portal Docker container**: WireGuard interfaces can be managed directly from within the WireGuard Portal container itself.