implemented bind address environment variable.

cmd/server/main.go

@@ -19,6 +19,7 @@ package main
 import (
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"strconv"
 	"strings"
@@ -59,6 +60,10 @@ func main() {
 	router := gin.Default()
 	serverPort := strconv.Itoa(int(settings.Port))
 
+	// Get bind address from environment variable, defaulting to 0.0.0.0
+	bindAddress, _ := config.GetBindAddressFromEnv()
+	serverAddr := net.JoinHostPort(bindAddress, serverPort)
+
 	// Load HTML templates depending on whether the application is running inside a container.
 	_, container := os.LookupEnv("CONTAINER")
 	if container {
@@ -82,17 +87,17 @@ func main() {
 
 	// Check if LOTR mode is active
 	isLOTRMode := isLOTRModeActive(settings.AlertCountries)
-	printWelcomeBanner(serverPort, isLOTRMode)
+	printWelcomeBanner(bindAddress, serverPort, isLOTRMode)
 	if isLOTRMode {
 		log.Println("--- Middle-earth Security Realm activated ---")
 		log.Println("🎭 LOTR Mode: The guardians of Middle-earth stand ready!")
 	} else {
 		log.Println("--- Fail2Ban-UI started in", gin.Mode(), "mode ---")
 	}
-	log.Println("Server listening on port", serverPort, ".")
+	log.Printf("Server listening on %s:%s.\n", bindAddress, serverPort)
 
-	// Start the server on port 8080.
+	// Start the server on the configured address and port.
-	if err := router.Run(":" + serverPort); err != nil {
+	if err := router.Run(serverAddr); err != nil {
 		log.Fatalf("Could not start server: %v\n", err)
 	}
 }
@@ -110,7 +115,7 @@ func isLOTRModeActive(alertCountries []string) bool {
 }
 
 // printWelcomeBanner prints the Tux banner with startup info.
-func printWelcomeBanner(appPort string, isLOTRMode bool) {
+func printWelcomeBanner(bindAddress, appPort string, isLOTRMode bool) {
 	greeting := getGreeting()
 
 	if isLOTRMode {
@@ -128,11 +133,11 @@ Middle-earth Security Realm - LOTR Mode Activated
 ⚔️  The guardians of Middle-earth stand ready!  ⚔️
 Developers:   https://swissmakers.ch
 Mode:         %s
-Listening on: http://0.0.0.0:%s
+Listening on: http://%s:%s
 ══════════════════════════════════════════════════
 
 `
-		fmt.Printf(lotrBanner, greeting, gin.Mode(), appPort)
+		fmt.Printf(lotrBanner, greeting, gin.Mode(), bindAddress, appPort)
 	} else {
 		const tuxBanner = `
       .--.
@@ -147,11 +152,11 @@ Fail2Ban UI - A Swissmade Management Interface
 ----------------------------------------------
 Developers:   https://swissmakers.ch
 Mode:         %s
-Listening on: http://0.0.0.0:%s
+Listening on: http://%s:%s
 ----------------------------------------------
 
 `
-		fmt.Printf(tuxBanner, greeting, gin.Mode(), appPort)
+		fmt.Printf(tuxBanner, greeting, gin.Mode(), bindAddress, appPort)
 	}
 }
 

deployment/container/README.md

@@ -222,6 +222,7 @@ The Fail2Ban UI container requires several volume mounts to function properly. B
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `PORT` | `8080` | Port number for the web interface |
+| `BIND_ADDRESS` | `0.0.0.0` | IP address to bind the web interface to. Useful when running with host networking to prevent exposing the web UI to unprotected networks. Set to a specific IP (e.g., `127.0.0.1` or a specific interface IP) to restrict access. |
 | `CONTAINER` | `true` | Automatically set by the container (do not override) |
 
 ### First Launch Configuration

docker-compose-allinone.example.yml

@@ -32,7 +32,13 @@ services:
     privileged: true # needed because the fail2ban-ui container needs to modify the fail2ban config owned by root inside the linuxserver-fail2ban container
     network_mode: host
     environment:
+      # Optional: Change this to use a different port for the web interface (defaults is 8080)
       - PORT=3080
+      # Optional: Bind to a specific IP address (default: 0.0.0.0)
+      # This is useful when running with host networking to prevent exposing
+      # the web UI to unprotected networks. Set to a specific IP (e.g., 127.0.0.1
+      # or a specific interface IP) to restrict access.
+      # - BIND_ADDRESS=127.0.0.1
     volumes:
       # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
       - ./config:/config:Z

docker-compose.example.yml

@@ -14,9 +14,13 @@ services:
     network_mode: host
 
     environment:
-      # Change this to use a different port for the web interface (defaults is 8080)
+      # Optional: Change this to use a different port for the web interface (defaults is 8080)
       - PORT=8080
-
+      # Optional: Bind to a specific IP address (default: 0.0.0.0)
+      # This is useful when running with host networking to prevent exposing
+      # the web UI to unprotected networks. Set to a specific IP (e.g., 127.0.0.1
+      # or a specific interface IP) to restrict access.
+      # - BIND_ADDRESS=127.0.0.1
     volumes:
       # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
       - /opt/podman-fail2ban-ui:/config:Z

internal/config/settings.go

@@ -25,6 +25,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -1396,6 +1397,22 @@ func GetPortFromEnv() (int, bool) {
 	return 0, false
 }
 
+// GetBindAddressFromEnv returns the BIND_ADDRESS environment variable value if set, and whether it's set
+// If not set, returns "0.0.0.0" as the default bind address
+// Validates that the address is a valid IP address format
+func GetBindAddressFromEnv() (string, bool) {
+	bindAddrEnv := os.Getenv("BIND_ADDRESS")
+	if bindAddrEnv == "" {
+		return "0.0.0.0", false
+	}
+	// Validate that it's a valid IP address format using net.ParseIP
+	if ip := net.ParseIP(bindAddrEnv); ip != nil {
+		return bindAddrEnv, true
+	}
+	// Invalid format, return default
+	return "0.0.0.0", false
+}
+
 func GetSettings() AppSettings {
 	settingsLock.RLock()
 	defer settingsLock.RUnlock()