diff --git a/.env.sample b/.env.sample
index 58a0ff5f..cd4f879d 100644
--- a/.env.sample
+++ b/.env.sample
@@ -5,6 +5,12 @@ SECRET_KEY=secret_key # generate a secret key with `openssl rand -base64 32`
LOG_LEVEL=info
LOG_QUERY=false
BEHIND_PROXY=false
+LISTEN_PORT=3000
+# Setting ALLOW_PRIVATE_ADDRESS to true disables SSRF (Server-Side Request Forgery) protection
+# Set to true to test in local network
+# Will be replaced by list of allowed IPs once https://github.com/dahlia/fedify/issues/157
+# is implemented.
+ALLOW_PRIVATE_ADDRESS=false
REMOTE_ACTOR_FETCH_POSTS=10
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
diff --git a/CHANGES.md b/CHANGES.md
index 9506f639..2891105c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -29,10 +29,14 @@ To be released.
- Added a favicon.
+ - Added `LISTEN_PORT` and `ALLOW_PRIVATE_ADDRESS` environment variables.
+ [[#53] by Helge Krueger]
+
[#38]: https://github.com/dahlia/hollo/issues/38
[#41]: https://github.com/dahlia/hollo/pull/41
[#43]: https://github.com/dahlia/hollo/pull/43
[#47]: https://github.com/dahlia/hollo/pull/47
+[#53]: https://github.com/dahlia/hollo/pull/53
Version 0.1.6
diff --git a/docs/src/content/docs/install/env.mdx b/docs/src/content/docs/install/env.mdx
index ed3c0a5a..8ed42011 100644
--- a/docs/src/content/docs/install/env.mdx
+++ b/docs/src/content/docs/install/env.mdx
@@ -9,6 +9,10 @@ Hollo is configured using environment variables. You can set them in an *.env*
file in the root directory of the project, or you can set them using Docker's
`-e`/`--env` option or Railway's environment variables.
+### `LISTEN_PORT`
+
+The port number to listen on. 3000 by default.
+
### `DATABASE_URL`
The URL of the PostgreSQL database, e.g.,
@@ -67,6 +71,19 @@ Turned off by default.
security reasons.
+### `ALLOW_PRIVATE_ADDRESS`
+
+Setting this to `true` disables SSRF (Server-Side Request Forgery) protection.
+
+Turn on to test in local network.
+
+Turned off by default.
+
+
+
### `S3_REGION`
The region of the S3-compatible object storage, e.g., `us-east-1`. On some
diff --git a/docs/src/content/docs/ja/install/env.mdx b/docs/src/content/docs/ja/install/env.mdx
index 376c667d..2443c9b5 100644
--- a/docs/src/content/docs/ja/install/env.mdx
+++ b/docs/src/content/docs/ja/install/env.mdx
@@ -10,6 +10,10 @@ Holloは環境変数を使って設定を行います。
Dockerの`-e`/`--env`オプションを使うか、
Railwayのenvironment variablesメニューから設定できます。
+### `LISTEN_PORT`
+
+サーバーが受信するポート番号。デフォルトは3000です。
+
### `DATABASE_URL`
PostgreSQLのデータベースのURL。例:`postgresql://hollo:password@localhost/hollo`
@@ -67,6 +71,19 @@ HolloがL7ロードバランサーの後ろにある場合(通常はそうす
この動作はセキュリティ上注意が必要です。
+### `ALLOW_PRIVATE_ADDRESS`
+
+このオプションを`true`に設定すると、サーバーサイドリクエストフォージェリ(SSRF)攻撃の防止を解除します。
+
+ローカルネットワークでテストする場合は、このオプションをオンにする必要がある場合があります。
+
+デフォルトではオフになっています。
+
+
+
### `S3_REGION`
S3互換オブジェクトストレージのリージョン。例:`us-east-1`
diff --git a/docs/src/content/docs/ko/install/env.mdx b/docs/src/content/docs/ko/install/env.mdx
index 762d4402..4b109d97 100644
--- a/docs/src/content/docs/ko/install/env.mdx
+++ b/docs/src/content/docs/ko/install/env.mdx
@@ -10,6 +10,10 @@ Hollo는 환경 변수를 통해 여러 가지 설정을 할 수 있습니다.
Docker의 `-e`/`--env` 옵션을 쓰거나,
Railway의 environment variables 메뉴에서 설정할 수 있습니다.
+### `LISTEN_PORT`
+
+서버가 수신할 포트 번호. 기본값은 3000입니다.
+
### `DATABASE_URL`
PostgreSQL 데이터베이스의 URL. 예: `postgresql://hollo:password@localhost/hollo`.
@@ -66,6 +70,19 @@ Hollo가 L7 로드 밸런서 뒤에 위치할 경우 (일반적으로 그래야
이 동작은 보안상 주의를 기울여야 합니다.
+### `ALLOW_PRIVATE_ADDRESS`
+
+이 옵션을 `true`로 설정하면 서버 측 요청 위조(SSRF) 공격 방지를 풉니다.
+
+로컬 네트워크에서 테스트할 때 이 옵션을 켜야 할 수 있습니다.
+
+기본적으로는 꺼져 있습니다.
+
+
+
### `S3_REGION`
S3 호환 오브젝트 스토리지의 지역. 예: `us-east-1`.
diff --git a/docs/src/content/docs/zh-cn/install/env.mdx b/docs/src/content/docs/zh-cn/install/env.mdx
index a6224150..5687ca3f 100644
--- a/docs/src/content/docs/zh-cn/install/env.mdx
+++ b/docs/src/content/docs/zh-cn/install/env.mdx
@@ -7,6 +7,10 @@ import { Aside, Badge } from '@astrojs/starlight/components';
Hollo是通过环境变量进行配置的。你可以在项目根目录的 *.env* 文件中设置它们,或者使用Docker的`-e`/`--env`选项或Railway的环境变量进行设置。
+### `LISTEN_PORT`
+
+服务器监听的端口号。默认为3000。
+
### `DATABASE_URL`
PostgreSQL数据库的URL,例如:`postgresql://hollo:password@localhost/hollo`。
@@ -57,6 +61,19 @@ openssl rand -hex 32
启用此选项后,Hollo将信任来自反向代理的`X-Forwarded-For`、`X-Forwarded-Proto`和`X-Forwarded-Host`头。这对于安全来说非常重要。
+### `ALLOW_PRIVATE_ADDRESS`
+
+将此选项设置为`true`将禁用 SSRF(服务器端请求伪造)保护。
+
+打开此选项可在本地网络中进行测试。
+
+默认情况下关闭。
+
+
+
### `S3_REGION`
S3兼容对象存储的区域,例如:`us-east-1`。在某些非S3服务中,可以省略此项。默认为`auto`。
diff --git a/src/federation/index.ts b/src/federation/index.ts
index 9561070e..6ab593fc 100644
--- a/src/federation/index.ts
+++ b/src/federation/index.ts
@@ -110,6 +110,8 @@ if (getRedisUrl() == null) {
export const federation = createFederation({
kv,
queue,
+ // biome-ignore lint/complexity/useLiteralKeys: tsc complains about this (TS4111)
+ allowPrivateAddress: process.env["ALLOW_PRIVATE_ADDRESS"] === "true",
});
federation
diff --git a/src/index.tsx b/src/index.tsx
index f3a4dac7..ff29c5b6 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -31,5 +31,10 @@ app.get("/favicon.png", async (c) => {
// biome-ignore lint/complexity/useLiteralKeys: tsc complains about this (TS4111)
const BEHIND_PROXY = process.env["BEHIND_PROXY"] === "true";
+// biome-ignore lint/complexity/useLiteralKeys: tsc complains about this (TS4111)
+const LISTEN_PORT = Number.parseInt(process.env["LISTEN_PORT"] ?? "3000", 10);
-export default BEHIND_PROXY ? { fetch: behindProxy(app.fetch.bind(app)) } : app;
+export default {
+ fetch: BEHIND_PROXY ? behindProxy(app.fetch.bind(app)) : app.fetch.bind(app),
+ port: LISTEN_PORT,
+};