From 3a57cec992d07ab323c9795d104a0e59a3cd3502 Mon Sep 17 00:00:00 2001
From: jubnl
Date: Sun, 3 May 2026 16:38:59 +0200
Subject: [PATCH] docs(ssrf): update Internal-Network-Access wiki to reflect relaxed guard

Loopback, link-local, and .local/.internal hostnames are now all overridable with ALLOW_INTERNAL_NETWORK=true (commit 9a08368). Merge the two-tier "always blocked / conditionally blocked" structure into a single table, add a warning about cloud metadata exposure.
---
 wiki/Internal-Network-Access.md | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/wiki/Internal-Network-Access.md b/wiki/Internal-Network-Access.md
index dc93e134..59d246c1 100644
--- a/wiki/Internal-Network-Access.md
+++ b/wiki/Internal-Network-Access.md
@@ -6,31 +6,27 @@ TREK makes outbound HTTP requests when you configure integrations such as Immich All outbound requests go through an SSRF guard (`ssrfGuard.ts`). The guard resolves the hostname to an IP address before allowing the connection and blocks addresses in private ranges. -## Always blocked (no override possible) +## Blocked unless `ALLOW_INTERNAL_NETWORK=true` -These ranges are blocked regardless of any setting: +All of the following are blocked by default and can be permitted by setting `ALLOW_INTERNAL_NETWORK=true`: -| Range | Description | +| Range / Hostname | Description | |---|---| | `127.0.0.0/8`, `::1` | Loopback | | `0.0.0.0/8` | Unspecified | | `169.254.0.0/16`, `fe80::/10` | Link-local / cloud metadata endpoints | | `::ffff:127.x.x.x`, `::ffff:169.254.x.x` | IPv4-mapped loopback and link-local | - -In addition, hostnames ending in `.local` or `.internal` are always blocked regardless of `ALLOW_INTERNAL_NETWORK`. These suffixes are readily abused for hostname-based bypasses. - -The hostname `localhost` is not blocked at the hostname stage, but it resolves to `127.0.0.1` which is caught by the loopback rule above and is therefore always blocked. - -## Blocked unless `ALLOW_INTERNAL_NETWORK=true` - -| Range | Description | -|---|---| | `10.0.0.0/8` | RFC-1918 private | | `172.16.0.0/12` | RFC-1918 private | | `192.168.0.0/16` | RFC-1918 private | | `100.64.0.0/10` | CGNAT / Tailscale shared address space | | `fc00::/7` | IPv6 ULA | | IPv4-mapped RFC-1918 variants | e.g. `::ffff:10.x`, `::ffff:192.168.x` | +| `*.local`, `*.internal` hostnames | mDNS / internal DNS suffixes | + +The hostname `localhost` is not blocked at the hostname stage but resolves to `127.0.0.1`, which falls under the loopback rule above. + +> **Warning:** `ALLOW_INTERNAL_NETWORK=true` also permits loopback and link-local addresses, including `169.254.169.254` (cloud instance metadata). Do **not** set this flag on a cloud-hosted TREK instance. ## When to enable
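Review bot: the rationale for the hostname-suffix rule is lost in this hunk. The removed paragraph explained that `.local` and `.internal` are blocked at the hostname stage because "these suffixes are readily abused for hostname-based bypasses", but the replacement table row only says "mDNS / internal DNS suffixes", so an operator reading the new page cannot tell that `ALLOW_INTERNAL_NETWORK=true` disables a hostname-level check as well as the IP-range checks. Suggest keeping one sentence after the table, e.g. "The `*.local` / `*.internal` rule is a hostname check (applied before DNS resolution) and is overridden by the same flag," so the merged table does not read as purely IP-based. Relatedly, the new warning names `169.254.169.254` but the table shows that `fe80::/10` and the IPv4-mapped `::ffff:169.254.x.x` forms are also unlocked by the flag; since the hostname-stage rule is the only remaining defence against a DNS name resolving to those ranges, the warning would be stronger if it stated that the override is all-or-nothing: there is no documented way to permit RFC-1918 ranges while keeping loopback, link-local and metadata addresses blocked, which is exactly the split the old "always blocked" section provided. If the guard in `ssrfGuard.ts` offers no such finer-grained setting, the doc should say so explicitly rather than leave it implied.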