further improve documentation and examples (#423)

2025-06-27 16:57:01 +00:00 · 2025-05-04 14:48:34 +02:00 · 2025-05-04 14:48:34 +02:00 · 432c627f9b
commit 432c627f9b
parent cd60761ea7
4 changed files with 9 additions and 5 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -10,6 +10,7 @@ services:
        max-file: "3"
    cap_add:
      - NET_ADMIN
+    # Use host network mode for WireGuard and the UI. Ensure that access to the UI is properly secured.
    network_mode: "host"
    volumes:
      # left side is the host path, right side is the container path
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@ -15,7 +15,7 @@ web:
  site_title: My WireGuard Server
  site_company_name: My Company
  listening_address: :8080
-  external_url: https://my.externa-domain.com
+  external_url: https://my.external-domain.com
  csrf_secret: super-s3cr3t-csrf
  session_secret: super-s3cr3t-session
  request_logging: true
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@ -286,7 +286,7 @@ Controls how WireGuard Portal collects and reports usage statistics, including p

 ### `listening_address`
 - **Default:** `:8787`
- **Description:** Address and port for the integrated Prometheus metric server (e.g., `:8787` or `127.0.0.1:8888`).
+- **Description:** Address and port for the integrated Prometheus metric server (e.g., `:8787` or `127.0.0.1:8787`).

 ---

@ -580,7 +580,8 @@ Without a valid `external_url`, the login process may fail due to CSRF protectio

 ### `listening_address`
 - **Default:** `:8888`
- **Description:** The listening port of the web server.
+- **Description:** The listening address and port for the web server (e.g., `:8888` to bind on all interfaces or `127.0.0.1:8888` to bind only on the loopback interface).
+  Ensure that access to WireGuard Portal is protected against unauthorized access, especially if binding to all interfaces.

 ### `external_url`
 - **Default:** `http://localhost:8888`
--- a/docs/documentation/getting-started/docker.md
+++ b/docs/documentation/getting-started/docker.md
@ -10,10 +10,10 @@ The recommended method for deploying WireGuard Portal is via Docker Compose for
 A sample docker-compose.yml (managing WireGuard interfaces directly on the host) is provided below:

 ```yaml
--8<-- "docker-compose.yml::18"
+--8<-- "docker-compose.yml::19"
 ```

-By default, the webserver is listening on port **8888** on all available interfaces.
+By default, the webserver for the UI is listening on port **8888** on all available interfaces.

 Volumes for `/app/data` and `/app/config` should be used ensure data persistence across container restarts.

@ -32,6 +32,8 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
       network_mode: "host"
       ...
   ```
+   > :warning: If host networking is used, the WireGuard Portal UI will be accessible on all the host's IP addresses if the listening address is set to `:8888` in the configuration file.
+   To avoid this, you can bind the listening address to a specific IP address, for example, the loopback address (`127.0.0.1:8888`). It is also possible to deploy firewall rules to restrict access to the WireGuard Portal UI.

 - **Within the WireGuard Portal Docker container**: 
   WireGuard interfaces can be managed directly from within the WireGuard Portal container itself.