Self-hosting (optional)
Optional path. The default recommendation is still local-only use. If you expose access remotely, put nginx in front and require auth.
1) Run Link Garden on localhost
link-garden serve --repo-dir /srv/link-garden --port 8000Keep secure defaults in config.yaml:
server_bind_host: 127.0.0.1
require_allow_remote: true
serve_default_scope: public2) nginx reverse proxy example
server {
listen 80;
server_name links.example.com;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}3) Add authentication at the proxy
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}Add TLS and firewall rules before internet-facing use.
4) Hardening checklist
- Use HTTPS/TLS for remote access.
- Require authentication (Basic Auth or stronger) at nginx.
- Do not expose the internal app port directly.
- Use rate limits and firewall restrictions.
- Run
link-garden doctorbefore publishing exports.
For the full project guidance, read docs/self-hosting.md.