If you are securing your MAD setup with SSL proxies, you can change the IPs from the default listeners (MADmin, RGC and PogoDroid) to localhost. MAD opens on by default which means every network interface. But since we are using a webserver proxy, those ports don’t need to be exposed on a different interface than localhost (if nginx is running locally):

ws_ip: localhost
mitmreceiver_ip: localhost
madmin_ip: localhost

The current proxies have configuration examples:

For general security refer to General Security Advice.