update
160
docs/SECURITY_NOTES.md
Normal file
@@ -0,0 +1,160 @@
|
||||
# Security Notes
|
||||
|
||||
## Ollama Service Security
|
||||
|
||||
### Internal-Only Access
|
||||
|
||||
The Ollama service is configured to be **internal-only** and is not exposed to the host machine or external network. This provides several security benefits:
|
||||
|
||||
**Configuration:**
|
||||
```yaml
|
||||
# Ollama service has NO ports exposed
|
||||
ollama:
|
||||
image: ollama/ollama:latest
|
||||
# No ports section - internal only
|
||||
networks:
|
||||
- munich-news-network
|
||||
```
|
||||
|
||||
**Benefits:**
|
||||
1. **No External Access**: Ollama API cannot be accessed from outside Docker network
|
||||
2. **Reduced Attack Surface**: Service is not exposed to potential external threats
|
||||
3. **Network Isolation**: Only authorized Docker Compose services can communicate with Ollama
|
||||
4. **No Port Conflicts**: Port 11434 is not bound to host machine
|
||||
|
||||
### Accessing Ollama
|
||||
|
||||
**From Docker Compose Services (✓ Allowed):**
|
||||
```bash
|
||||
# Services use internal Docker network
|
||||
OLLAMA_BASE_URL=http://ollama:11434
|
||||
```
|
||||
|
||||
**From Host Machine (✗ Not Allowed):**
|
||||
```bash
|
||||
# This will NOT work - port not exposed
|
||||
curl http://localhost:11434/api/tags
|
||||
# Connection refused
|
||||
```
|
||||
|
||||
**From Inside Containers (✓ Allowed):**
|
||||
```bash
|
||||
# Access from another container
|
||||
docker-compose exec crawler curl http://ollama:11434/api/tags
|
||||
```
|
||||
|
||||
### Why This Matters
|
||||
|
||||
**Security Risks of Exposed Ollama:**
|
||||
- Unauthorized access to AI models
|
||||
- Potential for abuse (resource consumption)
|
||||
- Information disclosure through prompts
|
||||
- No authentication by default
|
||||
- Could be used for unintended purposes
|
||||
|
||||
**With Internal-Only Configuration:**
|
||||
- Only your trusted services can access Ollama
|
||||
- No external attack vector
|
||||
- Controlled usage within your application
|
||||
- Better resource management
|
||||
|
||||
### Testing Ollama
|
||||
|
||||
Since Ollama is internal-only, you must test from inside the Docker network:
|
||||
|
||||
```bash
|
||||
# ✓ Correct way - from inside a container
|
||||
docker-compose exec crawler curl -s http://ollama:11434/api/tags
|
||||
|
||||
# ✓ Test translation
|
||||
docker-compose exec crawler python crawler_service.py 1
|
||||
|
||||
# ✓ Check logs
|
||||
docker-compose logs ollama
|
||||
```
|
||||
|
||||
### If You Need External Access
|
||||
|
||||
If you have a specific need to access Ollama from the host machine (e.g., development, debugging), you can temporarily expose it:
|
||||
|
||||
**Option 1: Temporary Port Forward**
|
||||
```bash
|
||||
# Forward port temporarily (stops when you press Ctrl+C)
|
||||
docker exec -it munich-news-ollama socat TCP-LISTEN:11434,fork TCP:localhost:11434 &
|
||||
```
|
||||
|
||||
**Option 2: Add Ports to docker-compose.yml (Not Recommended)**
|
||||
```yaml
|
||||
ollama:
|
||||
ports:
|
||||
- "127.0.0.1:11434:11434" # Only bind to localhost, not 0.0.0.0
|
||||
```
|
||||
|
||||
**⚠️ Warning:** Only expose Ollama if absolutely necessary, and always bind to `127.0.0.1` (localhost only), never `0.0.0.0` (all interfaces).
|
||||
|
||||
### Other Security Considerations
|
||||
|
||||
**MongoDB:**
|
||||
- Exposed on port 27017 for development
|
||||
- Uses authentication (username/password)
|
||||
- Consider restricting to localhost in production: `127.0.0.1:27017:27017`
|
||||
|
||||
**Backend API:**
|
||||
- Exposed on port 5001 for tracking and admin functions
|
||||
- Should be behind reverse proxy in production
|
||||
- Consider adding authentication for admin endpoints
|
||||
|
||||
**Email Credentials:**
|
||||
- Stored in `.env` file
|
||||
- Never commit `.env` to version control
|
||||
- Use environment variables in production
|
||||
|
||||
### Production Recommendations
|
||||
|
||||
1. **Use Docker Secrets** for sensitive data:
|
||||
```yaml
|
||||
secrets:
|
||||
mongo_password:
|
||||
external: true
|
||||
```
|
||||
|
||||
2. **Restrict Network Access**:
|
||||
```yaml
|
||||
ports:
|
||||
- "127.0.0.1:27017:27017" # MongoDB
|
||||
- "127.0.0.1:5001:5001" # Backend
|
||||
```
|
||||
|
||||
3. **Use Reverse Proxy** (nginx, Traefik):
|
||||
- SSL/TLS termination
|
||||
- Rate limiting
|
||||
- Authentication
|
||||
- Access logs
|
||||
|
||||
4. **Regular Updates**:
|
||||
```bash
|
||||
docker-compose pull
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
5. **Monitor Logs**:
|
||||
```bash
|
||||
docker-compose logs -f
|
||||
```
|
||||
|
||||
### Security Checklist
|
||||
|
||||
- [x] Ollama is internal-only (no exposed ports)
|
||||
- [x] MongoDB uses authentication
|
||||
- [x] `.env` file is in `.gitignore`
|
||||
- [ ] Backend API has authentication (if needed)
|
||||
- [ ] Using HTTPS in production
|
||||
- [ ] Regular security updates
|
||||
- [ ] Monitoring and logging enabled
|
||||
- [ ] Backup strategy in place
|
||||
|
||||
## Reporting Security Issues
|
||||
|
||||
If you discover a security vulnerability, please email security@example.com (replace with your contact).
|
||||
|
||||
Do not open public issues for security vulnerabilities.
|
||||
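Review bot: Option 1 under "If You Need External Access" does not give the host any access: `docker exec -it munich-news-ollama socat TCP-LISTEN:11434,fork TCP:localhost:11434 &` runs inside the Ollama container, listens on the port the service already uses there and forwards back to that same container, and nothing is published to the host. The `-it` flags combined with a trailing `&` also contradict the comment that the forward stops on Ctrl+C. Suggest dropping Option 1 and keeping the `127.0.0.1:11434:11434` mapping from Option 2 as the single documented debugging path, ideally in a separate override file so it cannot reach production by accident. Separately, "Other Security Considerations" says MongoDB is exposed on 27017 for development and only suggests restricting it to localhost, yet the checklist has no entry for it; add an unchecked item so that gap stays visible next to the checked Ollama line.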