diff --git a/.travis.yml b/.travis.yml
index 041b45aa..972a1c6a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 go:
- - "1.10.x"
+ - "1.11.x"
 install: make deps
diff --git a/irc/config.go b/irc/config.go
index b29713c3..18a6edb2 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -12,6 +12,7 @@ import (
 "fmt"
 "io/ioutil"
 "log"
+ "os"
 "path/filepath"
 "regexp"
 "strings"
@@ -212,6 +213,7 @@ type Config struct {
 Name string
 nameCasefolded string
 Listen []string
+ UnixBindMode os.FileMode `yaml:"unix-bind-mode"`
 TLSListeners map[string]*TLSListenConfig `yaml:"tls-listeners"`
 STS STSConfig
 CheckIdent bool `yaml:"check-ident"`
@@ -240,9 +242,9 @@ type Config struct {
 Accounts AccountConfig
 Channels struct {
- RawDefaultModes *string `yaml:"default-modes"`
- defaultModes modes.Modes
- Registration ChannelRegistrationConfig
+ DefaultModes *string `yaml:"default-modes"`
+ defaultModes modes.Modes
+ Registration ChannelRegistrationConfig
 }
 OperClasses map[string]*OperClassConfig `yaml:"oper-classes"`
@@ -697,7 +699,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 config.operators = opers
 // parse default channel modes
- config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.RawDefaultModes)
+ config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.DefaultModes)
 if config.Server.Password != "" {
 config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
diff --git a/irc/database.go b/irc/database.go
index b617fe3f..d820879f 100644
--- a/irc/database.go
+++ b/irc/database.go
@@ -255,7 +255,7 @@ func schemaChangeV2ToV3(config *Config, tx *buntdb.Tx) error {
 }
 // explicitly store the channel modes
- defaultModes := ParseDefaultChannelModes(config.Channels.RawDefaultModes)
+ defaultModes := config.Channels.defaultModes
 modeStrings := make([]string, len(defaultModes))
 for i, mode := range defaultModes {
 modeStrings[i] = string(mode)
diff --git a/irc/handlers.go b/irc/handlers.go
index a89b44dd..1444ef47 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -2411,6 +2411,11 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Re
 }
 proxiedIP := msg.Params[3]
+ // see #211; websocket gateways will wrap ipv6 addresses in square brackets
+ // because IRC parameters can't start with :
+ if strings.HasPrefix(proxiedIP, "[") && strings.HasSuffix(proxiedIP, "]") {
+ proxiedIP = proxiedIP[1 : len(proxiedIP)-1]
+ }
 return client.ApplyProxiedIP(proxiedIP, secure)
 }
 }
diff --git a/irc/server.go b/irc/server.go
index 2ff68cae..8c7c9328 100644
--- a/irc/server.go
+++ b/irc/server.go
@@ -309,7 +309,7 @@ func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
 //
 // createListener starts a given listener.
-func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*ListenerWrapper, error) {
+func (server *Server) createListener(addr string, tlsConfig *tls.Config, bindMode os.FileMode) (*ListenerWrapper, error) {
 // make listener
 var listener net.Listener
 var err error
@@ -318,6 +318,9 @@ func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*Liste
 // https://stackoverflow.com/a/34881585
 os.Remove(addr)
 listener, err = net.Listen("unix", addr)
+ if err == nil && bindMode != 0 {
+ os.Chmod(addr, bindMode)
+ }
 } else {
 listener, err = net.Listen("tcp", addr)
 }
@@ -1033,7 +1036,7 @@ func (server *Server) setupListeners(config *Config) (err error) {
 if !exists {
 // make new listener
 tlsConfig := tlsListeners[newaddr]
- listener, listenerErr := server.createListener(newaddr, tlsConfig)
+ listener, listenerErr := server.createListener(newaddr, tlsConfig, config.Server.UnixBindMode)
 if listenerErr != nil {
 server.logger.Error("rehash", "couldn't listen on", newaddr, listenerErr.Error())
 err = listenerErr
diff --git a/oragono.yaml b/oragono.yaml
index aff1604a..a9a3dbe7 100644
--- a/oragono.yaml
+++ b/oragono.yaml
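Review bot: The result of `os.Chmod(addr, bindMode)` in the createListener hunk at -318 is discarded, so when the chmod fails the socket keeps the permissions the process umask gave it and the operator is never told that `unix-bind-mode` was not applied. Failing the listener is safer, e.g. `if chmodErr := os.Chmod(addr, bindMode); chmodErr != nil { listener.Close(); return nil, chmodErr }`. The mode is also applied only after `net.Listen` has created the socket, so for a short window it is reachable under the umask-derived mode, which matters when the configured mode is the stricter one; keeping the socket in a directory that only the intended users can traverse closes that window. `bindMode` comes unvalidated from the config file, and masking it with `os.ModePerm` would keep non-permission bits from reaching the chmod. createListener's body starts and ends outside the hunk.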
@@ -16,9 +16,15 @@ server:
 - "127.0.0.1:6668"
 - "[::1]:6668"
 - ":6697" # ssl port
- # unix domain socket for proxying:
+ # Unix domain socket for proxying:
 # - "/tmp/oragono_sock"
+ # sets the permissions for Unix listen sockets. on a typical Linux system,
+ # the default is 0775 or 0755, which prevents other users/groups from connecting
+ # to the socket. With 0777, it behaves like a normal TCP socket
+ # where anyone can connect.
+ unix-bind-mode: 0777
 # tls listeners
 tls-listeners:
 # listener on ":6697"
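Review bot: The shipped default `unix-bind-mode: 0777` makes every Unix listen socket connectable by any local account, although the example above describes the socket as being for proxying, where normally only the proxy's user or group needs access. A least-privilege default would be to leave the key commented out (the server.go change skips the chmod when the mode is 0) or to ship a narrower value such as `unix-bind-mode: 0770` and let operators widen it deliberately. The comment could also state that the value is octal, and that the example path under `/tmp` sits in a world-writable directory, so a dedicated runtime directory is the safer place for the socket.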