fix: WinBox tunnel bind address, port range, and proxy support

- Bind tunnel listeners to 0.0.0.0 instead of 127.0.0.1 so tunnels
  are reachable through reverse proxies and container networks
- Reduce port range to 49000-49004 (5 concurrent tunnels)
- Derive WinBox URI host from request Host header instead of
  hardcoding 127.0.0.1, enabling use behind reverse proxies
- Add README security warning about default encryption keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Staack
2026-03-12 19:03:53 -05:00
parent acf1790bed
commit c2eea6847f
6 changed files with 28 additions and 8 deletions


@@ -66,8 +66,22 @@ Web UI
# Clone and configure
git clone https://github.com/staack/the-other-dude.git && cd the-other-dude
cp .env.example .env
# Edit .env -- set CREDENTIAL_ENCRYPTION_KEY and JWT_SECRET_KEY at minimum
```
**Edit `.env` before starting** -- at minimum, generate unique values for:
```bash
# Generate a JWT signing key
JWT_SECRET_KEY=$(python3 -c "import secrets; print(secrets.token_urlsafe(64))")
# Generate a Fernet encryption key (used to encrypt device credentials at rest)
CREDENTIAL_ENCRYPTION_KEY=$(python3 -c "import secrets, base64; print(base64.b64encode(secrets.token_bytes(32)).decode())")
```
> **Warning**
> The `.env.example` ships with **hard-coded dev defaults** for both keys. These are fine for local development but **must be replaced before exposing the instance to any network**. Anyone with the default `JWT_SECRET_KEY` can forge authentication tokens, and the default `CREDENTIAL_ENCRYPTION_KEY` leaves all stored device credentials readable.
```bash
# Build images sequentially (avoids OOM on low-RAM machines)
docker compose --profile full build api
docker compose --profile full build poller
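Review bot: the key-generation snippet (`JWT_SECRET_KEY=$(python3 ...)` and `CREDENTIAL_ENCRYPTION_KEY=$(python3 ...)`) assigns shell variables, but nothing in the block writes them into `.env`, so a reader who runs it exactly as shown still starts the stack with the dev defaults that the warning immediately below says must be replaced; either append them to the file in the same block (`printf 'JWT_SECRET_KEY=%s\n' "$JWT_SECRET_KEY" >> .env`, and likewise for the other key) or state plainly that the printed values must be pasted into `.env`. The comment calls the second value a Fernet key, but `base64.b64encode(secrets.token_bytes(32))` uses the standard alphabet, whereas Fernet keys are specified as URL-safe base64 of 32 random bytes; Python's decoder tolerates `+` and `/`, but if the project uses the `cryptography` package, `python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"` (or `base64.urlsafe_b64encode`) produces exactly what the comment promises and removes the ambiguity. Finally, the same commit moves the tunnel listeners from 127.0.0.1 to 0.0.0.0 on 49000-49004, which widens exposure more than the default keys do, yet this README section says nothing about it; a sentence here that those ports are now reachable from the container network and must sit behind the reverse proxy or a firewall would belong next to the key warning.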