Allows the bridge to be in a separate server not just localhost #519
gastonmorixe wants to merge 1 commit into
Pull request overview
This PR aims to allow the Bridge (and related helper tools) to be accessible beyond localhost by replacing multiple hard-coded 127.0.0.1 values with 0.0.0.0 across Go and C++ components.
Changes:
- Replaces loopback addresses with `0.0.0.0` in several server listeners and client connection targets.
- Updates GUI/Focus/gRPC components to use `0.0.0.0` for hostnames and URLs.
- Expands `.gitignore` entries (coverage output, local certs/scripts, research artifacts).
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| utils/smtp-send/main.go | Changes default SMTP client server address to 0.0.0.0. |
| utils/port-blocker/port-blocker.go | Binds port-blocker listeners to all interfaces (0.0.0.0). |
| internal/frontend/grpc/service.go | Binds gRPC listener to all interfaces (0.0.0.0:0). |
| internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp | Changes GUI gRPC client target/override host to 0.0.0.0. |
| internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp | Changes focus client hostname to 0.0.0.0. |
| internal/frontend/bridge-gui/bridge-gui/main.cpp | Changes default API URL host to 0.0.0.0. |
| internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp | Binds test gRPC server to all interfaces (0.0.0.0:0). |
| internal/focus/service.go | Changes focus service bind host constant to 0.0.0.0. |
| internal/constants/constants.go | Changes shared Host constant to 0.0.0.0. |
| internal/clientconfig/applemail_test.go | Updates disabled Apple Mail config test to use 0.0.0.0. |
| internal/certs/tls.go | Changes generated TLS cert CN/SAN and tls.Config ServerName to 0.0.0.0. |
| internal/bridge/debug.go | Changes diagnostic IMAP client dial address to 0.0.0.0. |
| .gitignore | Adds ignores for coverage dir, certs/pems, scripts, research, and /bridge. |
| url.setScheme("http"); | ||
| url.setHost("127.0.0.1"); | ||
| url.setHost("0.0.0.0"); | ||
| url.setPort(1042); |
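Review bot: The unchanged `url.setScheme("http")` line at the top of this hunk means that any non-loopback host placed in `url.setHost(...)` sends this API traffic over the network unencrypted; the loopback address was what kept it off the wire. If a remote host is to be supported here, make the host a setting that defaults to 127.0.0.1 and switch the scheme to https whenever the host is not loopback.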
Defaulting the API base URL host to 0.0.0.0 will break requests because 0.0.0.0 is not a valid destination address. Keep the default as 127.0.0.1/localhost, and if you need to support a remote bridge, extend the prefs override to include a host (not just a port).
| (&AppleMail{}).Configure(`0.0.0.0`, 1143, 1025, true, false, `user&>>`, `<<abc&&'"def>>`, `user&a`, []byte(`ir8R9vhdNXyB7isWzhyEkQ`)), | ||
| ) |
This (disabled) Apple Mail configuration test now uses 0.0.0.0 as the hostname, but mail clients cannot connect to 0.0.0.0. Keep 127.0.0.1/localhost here, and if testing remote host behavior is desired, pass an explicit concrete IP/hostname.
| IPAddresses: []net.IP{net.ParseIP("0.0.0.0")}, | ||
| NotBefore: time.Now(), |
Including 0.0.0.0 in the certificate IP SANs is not appropriate (it’s an unspecified/wildcard address, not a host clients connect to). Add SAN entries for real connect addresses (typically 127.0.0.1 and/or a configured external IP/hostname) instead of 0.0.0.0.
| return &tls.Config{ | ||
| Certificates: []tls.Certificate{c}, | ||
| ServerName: "127.0.0.1", | ||
| ServerName: "0.0.0.0", | ||
| ClientAuth: tls.VerifyClientCertIfGiven, |
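Review bot: `ClientAuth: tls.VerifyClientCertIfGiven` on the last line of this hunk leaves client certificates optional, so once the listeners are moved off loopback this TLS config does nothing to limit which hosts can complete a handshake. If remote access is meant to be supported, gate it behind an explicit setting and consider `tls.RequireAndVerifyClientCert` for that mode, or document that a host firewall has to restrict the ports.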
Setting tls.Config.ServerName to 0.0.0.0 will cause hostname verification issues because clients won’t connect using 0.0.0.0, and the SNI/verification name should match a real hostname/IP present in the certificate SANs. Prefer using localhost/127.0.0.1 (or a configured advertised host) consistently between cert SANs, ServerName, and the client dial target.
Might be nice to make this configurable? Can be hidden away as advanced option to avoid accidents, but would be more convenient than compiling and keeping the patch up to date. I have been playing with systemd socket to forward requests, so my paperless container can connect to it, but stranded at a mismatch of the hostname in the certificate (127.0.0.1 vs host.containers.internal).
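The certificate mismatch described in this comment, and the SAN/ServerName points in the review comments above, can be reproduced with Go's standard library alone. This is an added example, not code from the pull request or from proton-bridge; the helpers `selfSigned` and `accepts` and the CommonName are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed cert whose SANs are exactly hosts (IPs or DNS names).
func selfSigned(hosts ...string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-bridge"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip) // IP SAN
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h) // DNS SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accepts reports whether a client dialing target would pass hostname verification.
func accepts(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

func main() {
	bad, _ := selfSigned("0.0.0.0")
	good, _ := selfSigned("127.0.0.1", "host.containers.internal")
	fmt.Println(accepts(bad, "127.0.0.1"), accepts(good, "host.containers.internal"))
}
```

A certificate carrying only the `0.0.0.0` SAN is rejected for every address a client can actually dial, while listing each real dial target (loopback plus the name or IP other hosts use) verifies for all of them.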
Yea, just add
Allow Proton Bridge to be accessed from remote machines on the network by changing all 127.0.0.1 bindings to 0.0.0.0. This affects IMAP/SMTP listeners, gRPC services, TLS certificate generation, the Focus service, and the GUI frontend connections. Also update .gitignore to exclude local TLS certificates, build artifacts, service scripts, and research docs.
FWIW, I've solved this by setting up a couple of socat units as described here: https://vimoire.com/blog/2025/setting_up_protonmail_bridge_on_lan_server -- this also allows using the standard port numbers (e.g. 993 for IMAPS). No patching of proton-bridge needed. An SSL cert of your choice can be installed with
Caution
This is not a recommended change nor use
For very few cases and advanced users or devs, this changes the hard-coded `127.0.0.1` IP from multiple parts exposing the bridge to the whole network allowing connections from anywhere by changing the hard-coded IP to `0.0.0.0`.
Do not use. Do not merge. It's just a reference for anyone who may need it for advanced or special cases.
Then build it with: