chore(compose): default NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1 for homelab

Homelab targets (Immich, Gitea, ...) are almost always on RFC1918
addresses, which the SSRF guard rejects by default.  Exporting the flag
to 1 in the compose file — overridable via the host environment —
matches how this project is actually deployed (TrueNAS / unraid / etc.)
without weakening the defense for anyone who sets it to 0 on a
public-facing box.
2026-04-22 02:46:10 +03:00
parent 58cba88c92
commit 3bb0585e43
@@ -12,6 +12,12 @@ services:
environment:
- NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
- NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-*}
# Allow outbound requests to RFC1918 / link-local addresses. Homelab
# deployments target LAN services (Immich, Gitea, ...) and the SSRF
# guard otherwise rejects 10.*/172.16.*/192.168.* / 169.254.* hosts.
# Set to 0 on internet-exposed deployments where outbound targets must
# be public.
- NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=${NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS:-1}
healthcheck:
test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/health')"]
interval: 30s
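Review bot: the `:-1` fallback on the added `NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS` line makes the SSRF guard fail open for anyone who runs this compose file unmodified, and because `:-` also substitutes when the variable is set but empty, a host that exports it with no value still gets 1. Consider keeping the default at 0 and having homelab users opt in with `NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1` in their host environment, or at least state in the comment that an unset or empty value means 1. The comment also shows that the one flag covers 169.254.* together with the RFC1918 ranges; link-local is where cloud instance metadata services live, and LAN targets such as Immich or Gitea do not need it, so a separate switch for link-local would let that range stay blocked while private LAN targets are allowed.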