Mirror of https://github.com/actualbudget/actual.git, synced 2026-03-09 11:42:54 -05:00
[Feature] Support binding to Unix domain sockets #2797
Closed · opened 2026-02-28 20:28:34 -06:00 by GiteaMirror · 1 comment
Originally created by @Valloric on GitHub (Jan 9, 2026).
Verified feature request does not already exist?
💻
Pitch: what problem are you trying to solve?
I have a reverse proxy (Caddy) running with a service-specific unprivileged user (caddy). I want to limit connections to the Actual Budget server to processes owned by the caddy user, to improve security in case of system compromise.
If a process is listening on localhost:1234, then any local process can connect to it, no matter which (Unix) user is the owner of the server or client process. This increases the attack surface for Actual Budget if some process on the host is compromised.
Describe your ideal solution to this problem
Looking at the Actual Budget server configuration, it does not appear to be possible to configure the Actual Budget server to listen on a Unix domain socket instead of an IP and port number.
The use case for UDS connection is connecting Actual over UDS to a reverse proxy running on the same host.
A UDS is the best way to connect processes running on the same host as it is 2-3x faster (it skips all the TCP and IP overhead since the kernel can just copy bytes from one process to the other) and more secure than listening on localhost. A UDS is represented as a file on the filesystem and can be protected with common filesystem permissions (or even POSIX ACLs). Note: no bytes actually pass through the filesystem or end up on disk; the UDS “file” is just a reference to an in-kernel object.
If some process on the host is compromised, when Actual is listening on a UDS that is configured to be accessible only to the user running the reverse proxy, Actual remains inaccessible to the compromised process (unless that process is the reverse proxy itself).
Please disregard any HTTP level authentication for a moment as the UDS provides a different and lower level of protection which is great for defense-in-depth and the principle of least privilege. For instance, even with Actual’s authentication, it would be unwise to expose a homelab Actual to the Internet; reducing access to only what is necessary results in more secure systems.
This should be simple to implement because Node supports binding to UDS; Actual just needs to support passing a socket path down to Node.
Teaching and learning
The Actual configuration docs should mention that Actual can bind to UDS and should recommend this approach when using a reverse proxy on the same host due to performance and security benefits. Every popular reverse proxy already supports connecting to UDS endpoints.
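The binding described in the request above, as an added Node.js example that is not part of the original issue and is not Actual's code: an HTTP server listens on a socket path whose file mode admits only its owner and group, and a local client connects through that path. `listenOnUnixSocket`, `demo` and the socket path are hypothetical names, and it assumes the reverse proxy's user is a member of the socket file's group.

```javascript
// Added example; listenOnUnixSocket and the socket path are hypothetical names.
async function listenOnUnixSocket(handler, socketPath, mode = 0o660) {
  const http = await import('node:http');
  const fs = await import('node:fs');
  // Clear a stale socket from a previous run, but never delete a non-socket.
  try {
    if (!fs.lstatSync(socketPath).isSocket()) {
      throw new Error(`${socketPath} exists and is not a socket`);
    }
    fs.unlinkSync(socketPath);
  } catch (err) {
    if (err.code !== 'ENOENT') throw err;
  }
  const server = http.createServer(handler);
  const ready = new Promise((resolve, reject) => {
    server.once('error', reject);
    server.once('listening', resolve);
  });
  // Restrictive umask while listen() creates the socket file, so it is not
  // left connectable by other users; chmod then grants owner and group only.
  const oldUmask = process.umask(0o777);
  try { server.listen(socketPath); } finally { process.umask(oldUmask); }
  await ready;
  fs.chmodSync(socketPath, mode);
  return server;
}

// Self-check on a constructed temp path: serve one request over the socket.
async function demo() {
  const http = await import('node:http');
  const fs = await import('node:fs');
  const os = await import('node:os');
  const path = await import('node:path');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'uds-'));
  const socketPath = path.join(dir, 'actual.sock'); // constructed sample path
  const server = await listenOnUnixSocket((req, res) => res.end('ok over UDS'), socketPath);
  const mode = fs.statSync(socketPath).mode & 0o777;
  // The client addresses the server by filesystem path, not host and port.
  const body = await new Promise((resolve, reject) => {
    http.get({ socketPath, path: '/', agent: false }, (res) => {
      let data = '';
      res.on('data', (chunk) => (data += chunk));
      res.on('end', () => resolve(data));
    }).on('error', reject);
  });
  await new Promise((resolve) => server.close(resolve));
  fs.rmSync(dir, { recursive: true, force: true });
  return { mode, body };
}
```

Calling `demo()` resolves to the socket's permission bits and the response body; a process whose user is neither the owner nor in the group gets a permission error on connect.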
@github-actions[bot] commented on GitHub (Jan 9, 2026):
✨ Thanks for sharing your idea! ✨
This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution).
The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+
Don't forget to upvote the top comment with 👍!