fix(config): reject non-loopback proxy binds

The proxy listener is a local ingress point for both HTTP and SOCKS traffic. Binding that listener to a wildcard address or LAN address exposes the relay surface to other devices on the network. Without inbound proxy authentication, that exposure can turn a local client into an unauthenticated shared proxy and allow unrelated devices to consume the operator's Apps Script quota.

The default listen_host is now 127.0.0.1, matching the local-only behavior expected for a desktop proxy. Config validation now accepts IPv4 loopback, IPv6 loopback, bracketed IPv6 loopback, and localhost. It rejects wildcard binds, LAN addresses, public hostnames, and other non-loopback values with a hard configuration error before any listener socket is opened.

The guard is implemented at configuration validation time rather than at bind time so TOML loading, JSON migration, CLI startup, and UI save paths all observe the same fail-closed rule. Existing explicit loopback profiles continue to load unchanged. Profiles that rely on 0.0.0.0 or a LAN address must wait for an authenticated LAN-sharing mode rather than silently opening an unauthenticated listener.

TOML examples now show the loopback listener and call out that non-loopback binds are rejected until inbound proxy authentication exists. The English and Persian guides no longer instruct users to set listen_host to 0.0.0.0 for hotspot or OpenWRT sharing; they describe the current local-only safety behavior instead.

Focused config tests cover the repaired default, accepted loopback forms, rejected wildcard and non-loopback forms, TOML network defaults, and JSON-to-TOML migration preserving the loopback listen_host.

Author: maybeknott

config.direct.example.toml

@@ -4,6 +4,7 @@ mode = "direct"
 [network]
 google_ip = "216.239.38.120"
 front_domain = "www.google.com"
+# Non-loopback binds such as 0.0.0.0 are rejected until inbound proxy authentication is implemented.
 listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086

config.example.toml

@@ -6,6 +6,7 @@ auth_key = "CHANGE_ME_TO_A_STRONG_SECRET"
 [network]
 google_ip = "216.239.38.120"
 front_domain = "www.google.com"
+# Non-loopback binds such as 0.0.0.0 are rejected until inbound proxy authentication is implemented.
 listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086

config.exit-node.example.toml

@@ -9,7 +9,8 @@ auth_key = "PUT_YOUR_APPS_SCRIPT_AUTH_KEY_HERE"
 [network]
 google_ip = "216.239.38.120"
 front_domain = "www.google.com"
-listen_host = "0.0.0.0"
+# Non-loopback binds such as 0.0.0.0 are rejected until inbound proxy authentication is implemented.
+listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086
 verify_ssl = true
@@ -44,4 +45,4 @@ hosts = [
   "openai.com",
   "aistudio.google.com",
   "ai.google.dev",
-]
+]

config.fronting-groups.example.toml

@@ -4,6 +4,7 @@ mode = "direct"
 [network]
 google_ip = "216.239.38.120"
 front_domain = "www.google.com"
+# Non-loopback binds such as 0.0.0.0 are rejected until inbound proxy authentication is implemented.
 listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086

config.full.example.toml

@@ -6,6 +6,7 @@ auth_key = "CHANGE_ME_TO_A_STRONG_SECRET"
 [network]
 google_ip = "216.239.38.120"
 front_domain = "www.google.com"
+# Non-loopback binds such as 0.0.0.0 are rejected until inbound proxy authentication is implemented.
 listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086

docs/guide.fa.md

@@ -269,7 +269,9 @@ HTTP / HTTPS مثل قبل از Apps Script می‌رود (تغییری نمی
 
 ## اشتراک‌گذاری هات‌اسپات
 
-mhrv-rs به‌طور پیش‌فرض روی `0.0.0.0` گوش می‌دهد، پس هر دستگاه روی همان شبکه می‌تواند ازش استفاده کند. سناریوی رایج: اشتراک تونل از گوشی اندروید به آیفون / آیپد / لپ‌تاپ از هات‌اسپات:
+mhrv-rs حالا به‌طور پیش‌فرض فقط روی `127.0.0.1` گوش می‌دهد و تا وقتی احراز هویت HTTP/SOCKS برای ورودی پیاده‌سازی نشده باشد، bind غیر loopback را رد می‌کند. این کار جلوی open proxy ناخواسته و مصرف شدن quota Apps Script توسط دستگاه‌های دیگر شبکه را می‌گیرد.
+
+اشتراک‌گذاری هات‌اسپات/LAN بعداً به‌صورت یک حالت صریح و دارای احراز هویت برمی‌گردد. در نسخهٔ فعلی `listen_host` را به `0.0.0.0` تغییر نده؛ اعتبارسنجی کانفیگ fail-closed می‌شود. workflow قدیمی این بود:
 
 ۱. **اندروید:** هات‌اسپات موبایل را روشن کن + اپ را استارت کن
 ۲. **دستگاه دیگر:** به Wi-Fi هات‌اسپات اندروید وصل شو
@@ -287,7 +289,7 @@ Settings → Wi-Fi → روی (i) شبکهٔ هات‌اسپات بزن → Conf
 
 HTTP proxy سیستم را روی `192.168.43.1:8080` بگذار، یا per-app SOCKS5 روی `192.168.43.1:1081`.
 
-> اگر `listen_host` در کانفیگت `127.0.0.1` است، به `0.0.0.0` تغییرش بده تا اتصال از دستگاه‌های دیگر را بپذیرد.
+> گیت امنیتی فعلی: مقدارهای غیر loopback مثل `0.0.0.0`، `::` یا IP شبکهٔ LAN تا زمان اضافه شدن احراز هویت proxy رد می‌شوند.
 
 ## اجرا روی OpenWRT
 
@@ -306,7 +308,7 @@ chmod +x /usr/bin/mhrv-rs /etc/init.d/mhrv-rs
 logread -e mhrv-rs -f       # تمام لاگ
 ```
 
-دستگاه‌های LAN HTTP proxy را روی IP روتر (پورت پیش‌فرض `8085`) یا SOCKS5 روی `<router-ip>:8086` تنظیم می‌کنند. در `/etc/mhrv-rs/config.toml` مقدار `listen_host` را به `0.0.0.0` بگذار تا روتر اتصال LAN را بپذیرد.
+نسخهٔ فعلی فقط روی loopback گوش می‌دهد. اجرای CLI روی OpenWRT برای تست محلی همچنان کار می‌کند، اما استفاده از روتر به‌عنوان proxy برای کل LAN به حالت authenticated LAN-sharing آینده نیاز دارد. در این نسخه `listen_host` را در `/etc/mhrv-rs/config.toml` به `0.0.0.0` تغییر نده؛ اعتبارسنجی کانفیگ این bind ناامن را رد می‌کند.
 
 مصرف حافظه ~۱۵–۲۰ مگابایت — روی هر روتری با ۱۲۸ مگابایت RAM به بالا اجرا می‌شود. UI روی musl نیست (روترها headlessاند).
 

docs/guide.md

@@ -269,7 +269,9 @@ The destination sees the exit node's IP, not Google's, so the anti-bot heuristic
 
 ## Sharing via hotspot
 
-mhrv-rs listens on `0.0.0.0` by default, so any device on the same network can use it. Common scenario: share the tunnel from an Android phone to an iPhone, iPad, or laptop over hotspot:
+mhrv-rs listens on `127.0.0.1` by default and rejects non-loopback proxy binds until inbound HTTP/SOCKS authentication is implemented. This prevents accidental open-proxy exposure and Apps Script quota theft on shared Wi-Fi or hotspots.
+
+Hotspot/LAN sharing will return as an explicit authenticated mode in a later release. On current builds, do not change `listen_host` to `0.0.0.0`; startup validation will fail closed. The old sharing workflow was:
 
 1. **Android:** enable mobile hotspot + start the app
 2. **Other device:** connect to the Android hotspot Wi-Fi
@@ -287,7 +289,7 @@ For full device-wide coverage on iOS, use [Shadowrocket](https://apps.apple.com/
 
 Set system HTTP proxy to `192.168.43.1:8080`, or per-app SOCKS5 to `192.168.43.1:1081`.
 
-> If `listen_host` is `127.0.0.1` in your config, change to `0.0.0.0` to allow other devices.
+> Current safety gate: non-loopback values such as `0.0.0.0`, `::`, or a LAN IP are rejected until proxy authentication is available.
 
 ## Running on OpenWRT
 
@@ -306,7 +308,7 @@ chmod +x /usr/bin/mhrv-rs /etc/init.d/mhrv-rs
 logread -e mhrv-rs -f       # tail logs
 ```
 
-LAN devices then point HTTP proxy at the router's LAN IP (default port `8085`) or SOCKS5 at `<router-ip>:8086`. Set `listen_host` to `0.0.0.0` in `/etc/mhrv-rs/config.toml` so the router accepts LAN connections.
+Current builds listen on loopback only. Running the CLI on OpenWRT for local diagnostics still works, but using the router as a LAN-wide proxy requires the upcoming authenticated LAN-sharing mode. Do not set `listen_host` to `0.0.0.0` in `/etc/mhrv-rs/config.toml` on this version; config validation will reject the unsafe bind.
 
 Memory footprint ~15–20 MB resident — fine on anything ≥128 MB RAM. No UI on musl (routers are headless).
 

src/config.rs

@@ -538,7 +538,7 @@ fn default_front_domain() -> String {
     "www.google.com".into()
 }
 fn default_listen_host() -> String {
-    "0.0.0.0".into()
+    "127.0.0.1".into()
 }
 fn default_listen_port() -> u16 {
     8085
@@ -550,6 +550,22 @@ fn default_verify_ssl() -> bool {
     true
 }
 
+fn is_loopback_listen_host(host: &str) -> bool {
+    let host = host.trim();
+    if host.eq_ignore_ascii_case("localhost") {
+        return true;
+    }
+
+    let host = host
+        .strip_prefix('[')
+        .and_then(|h| h.strip_suffix(']'))
+        .unwrap_or(host);
+
+    host.parse::<std::net::IpAddr>()
+        .map(|ip| ip.is_loopback())
+        .unwrap_or(false)
+}
+
 impl Config {
     pub fn load(path: &Path) -> Result<(Self, Option<String>), ConfigError> {
         let ext = path
@@ -654,6 +670,14 @@ impl Config {
                 self.listen_port, self.listen_host
             )));
         }
+        if !is_loopback_listen_host(&self.listen_host) {
+            return Err(ConfigError::Invalid(format!(
+                "listen_host '{}' is not loopback. Non-loopback proxy binds \
+                 are disabled until inbound HTTP/SOCKS authentication is \
+                 configured; use 127.0.0.1 or ::1 in config.toml.",
+                self.listen_host
+            )));
+        }
         for (i, g) in self.fronting_groups.iter().enumerate() {
             if g.name.trim().is_empty() {
                 return Err(ConfigError::Invalid(format!(
@@ -1184,6 +1208,56 @@ mod tests {
         let cfg: Config = serde_json::from_str(s).unwrap();
         assert!(cfg.validate().is_err());
     }
+
+    #[test]
+    fn defaults_listen_host_to_loopback() {
+        let s = r#"{
+            "mode": "direct"
+        }"#;
+        let cfg: Config = serde_json::from_str(s).unwrap();
+        assert_eq!(cfg.listen_host, "127.0.0.1");
+        cfg.validate().unwrap();
+    }
+
+    #[test]
+    fn validate_accepts_loopback_listen_hosts() {
+        for host in ["127.0.0.1", "::1", "[::1]", "localhost"] {
+            let s = format!(
+                r#"{{
+                    "mode": "direct",
+                    "listen_host": "{}"
+                }}"#,
+                host
+            );
+            let cfg: Config = serde_json::from_str(&s).unwrap();
+            cfg.validate()
+                .unwrap_or_else(|e| panic!("expected loopback host '{}' to validate: {}", host, e));
+        }
+    }
+
+    #[test]
+    fn validate_rejects_non_loopback_listen_hosts() {
+        for host in ["0.0.0.0", "::", "[::]", "192.168.1.10", "example.com"] {
+            let s = format!(
+                r#"{{
+                    "mode": "direct",
+                    "listen_host": "{}"
+                }}"#,
+                host
+            );
+            let cfg: Config = serde_json::from_str(&s).unwrap();
+            let err = cfg
+                .validate()
+                .expect_err(&format!("expected non-loopback host '{}' to fail", host));
+            let msg = format!("{}", err);
+            assert!(
+                msg.contains("not loopback") && msg.contains("inbound HTTP/SOCKS authentication"),
+                "error should explain unsafe bind gate for '{}': {}",
+                host,
+                msg
+            );
+        }
+    }
 }
 
 #[cfg(test)]
@@ -1316,6 +1390,7 @@ mode = "direct"
         let toml_cfg: TomlConfig = toml::from_str(s).unwrap();
         let cfg = Config::from(toml_cfg);
         assert_eq!(cfg.google_ip, "216.239.38.120");
+        assert_eq!(cfg.listen_host, "127.0.0.1");
         assert_eq!(cfg.listen_port, 8085);
         assert!(cfg.verify_ssl);
         assert!(cfg.block_doh);
@@ -1445,9 +1520,11 @@ script_id = "ABCDEF"
         assert_eq!(cfg.mode, cfg2.mode);
         assert_eq!(cfg.auth_key, cfg2.auth_key);
         assert_eq!(cfg.script_ids_resolved(), cfg2.script_ids_resolved());
+        assert_eq!(cfg.listen_host, "127.0.0.1");
+        assert_eq!(cfg.listen_host, cfg2.listen_host);
         assert_eq!(cfg.listen_port, cfg2.listen_port);
 
         let _ = std::fs::remove_file(&json_path);
         let _ = std::fs::remove_file(&toml_path);
     }
-}
+}