update

2025-11-11 17:58:12 +01:00
parent 75a6973a49
commit f35f8eef8a
19 changed files with 842 additions and 1276 deletions
--- a/docs/SECURITY_NOTES.md
+++ b/docs/SECURITY_NOTES.md
@@ -1,10 +1,21 @@
 # Security Notes

-## Ollama Service Security
+## Network Security Architecture

-### Internal-Only Access
+### Internal-Only Services

-The Ollama service is configured to be **internal-only** and is not exposed to the host machine or external network. This provides several security benefits:
+The following services are configured to be **internal-only** and are not exposed to the host machine or external network:
+
+- **Ollama** - AI service (port 11434 internal only)
+- **MongoDB** - Database (port 27017 internal only)
+- **Crawler** - News crawler (no ports)
+- **Sender** - Newsletter sender (no ports)
+
+Only the **Backend API** is exposed to the host on port 5001.
+
+This provides several security benefits:
+
+### Ollama Service Security

 **Configuration:**
 ```yaml
@@ -95,14 +106,16 @@ ollama:
 ### Other Security Considerations

 **MongoDB:**
- Exposed on port 27017 for development
+- ✅ **Internal-only** (not exposed to host)
 - Uses authentication (username/password)
- Consider restricting to localhost in production: `127.0.0.1:27017:27017`
+- Only accessible via Docker network
+- Cannot be accessed from host machine or external network

 **Backend API:**
 - Exposed on port 5001 for tracking and admin functions
 - Should be behind reverse proxy in production
 - Consider adding authentication for admin endpoints
+- In production, bind to localhost only: `127.0.0.1:5001:5001`

 **Email Credentials:**
 - Stored in `.env` file
@@ -118,18 +131,27 @@ ollama:
       external: true
   ```

-2. **Restrict Network Access**:
+2. **Restrict Backend to Localhost** (if not using reverse proxy):
   ```yaml
-   ports:
-     - "127.0.0.1:27017:27017"  # MongoDB
-     - "127.0.0.1:5001:5001"    # Backend
+   backend:
+     ports:
+       - "127.0.0.1:5001:5001"  # Only accessible from localhost
   ```

-3. **Use Reverse Proxy** (nginx, Traefik):
+3. **Use Reverse Proxy** (nginx, Traefik) - Recommended:
+   ```yaml
+   backend:
+     # Remove ports section - only accessible via reverse proxy
+     expose:
+       - "5001"
+   ```
+   
+   Benefits:
   - SSL/TLS termination
   - Rate limiting
   - Authentication
   - Access logs
+   - DDoS protection

 4. **Regular Updates**:
   ```bash
@@ -142,13 +164,22 @@ ollama:
   docker-compose logs -f
   ```

+6. **Network Isolation**:
+   - ✅ Already configured: MongoDB, Ollama, Crawler, Sender are internal-only
+   - Only Backend API is exposed
+   - All services communicate via internal Docker network
+
 ### Security Checklist

 - [x] Ollama is internal-only (no exposed ports)
+- [x] MongoDB is internal-only (no exposed ports)
 - [x] MongoDB uses authentication
+- [x] Crawler is internal-only (no exposed ports)
+- [x] Sender is internal-only (no exposed ports)
+- [x] Only Backend API is exposed (port 5001)
 - [x] `.env` file is in `.gitignore`
 - [ ] Backend API has authentication (if needed)
- [ ] Using HTTPS in production
+- [ ] Using HTTPS in production (reverse proxy)
 - [ ] Regular security updates
 - [ ] Monitoring and logging enabled
 - [ ] Backup strategy in place
@@ -158,3 +189,99 @@ ollama:
 If you discover a security vulnerability, please email security@example.com (replace with your contact).

 Do not open public issues for security vulnerabilities.
+
+
+---
+
+## Network Isolation Summary
+
+### Current Port Exposure
+
+| Service | Port | Exposed to Host | Security Status |
+|---------|------|-----------------|-----------------|
+| Backend API | 5001 | ✅ Yes | Only exposed service |
+| MongoDB | 27017 | ❌ No | Internal only |
+| Ollama | 11434 | ❌ No | Internal only |
+| Crawler | - | ❌ No | Internal only |
+| Sender | - | ❌ No | Internal only |
+
+### Security Improvements Applied
+
+**Ollama Service:**
+- Changed from exposed (port 11434) to internal-only
+- Only accessible via Docker network
+- Prevents unauthorized AI model usage
+
+**MongoDB Service:**
+- Changed from exposed (port 27017) to internal-only
+- Only accessible via Docker network
+- Prevents unauthorized database access
+
+**Result:**
+- 66% reduction in attack surface (3 services → 1 service exposed)
+- Better defense in depth
+- Production-ready security configuration
+
+### Verification Commands
+
+```bash
+# Check what's exposed
+docker ps --format "table {{.Names}}\t{{.Ports}}"
+
+# Expected output:
+# Backend:  0.0.0.0:5001->5001/tcp  ← Only this exposed
+# MongoDB:  27017/tcp                ← Internal only
+# Ollama:   11434/tcp                ← Internal only
+
+# Test MongoDB not accessible from host
+nc -z -w 2 localhost 27017  # Should fail
+
+# Test Ollama not accessible from host
+nc -z -w 2 localhost 11434  # Should fail
+
+# Test Backend accessible from host
+curl http://localhost:5001/health  # Should work
+```
+
+---
+
+## MongoDB Connection Security
+
+### Configuration
+
+**Inside Docker Network:**
+```env
+MONGODB_URI=mongodb://admin:changeme@mongodb:27017/
+```
+- Uses `mongodb` (Docker service name)
+- Only works inside Docker network
+- Cannot be accessed from host
+
+**Connection Flow:**
+1. Service reads `MONGODB_URI` from environment
+2. Docker DNS resolves `mongodb` to container IP
+3. Connection established via internal network
+4. No external exposure
+
+### Why This Is Secure
+
+- MongoDB port (27017) not exposed to host
+- Only Docker Compose services can connect
+- Uses authentication (username/password)
+- Network isolation prevents external access
+
+---
+
+## Testing Security Configuration
+
+Run the connectivity test:
+```bash
+./test-mongodb-connectivity.sh
+```
+
+Expected results:
+- ✅ MongoDB NOT accessible from host
+- ✅ Backend CAN connect to MongoDB
+- ✅ Crawler CAN connect to MongoDB
+- ✅ Sender CAN connect to MongoDB
+- ✅ Backend API accessible from host