# Security Notes

## Ollama Service Security

### Internal-Only Access

The Ollama service is configured to be **internal-only** and is not exposed to the host machine or external network. This provides several security benefits:

**Configuration:**

```yaml
# Ollama service has NO ports exposed
ollama:
  image: ollama/ollama:latest
  # No ports section - internal only
  networks:
    - munich-news-network
```

**Benefits:**

1. **No External Access**: Ollama API cannot be accessed from outside Docker network
2. **Reduced Attack Surface**: Service is not exposed to potential external threats
3. **Network Isolation**: Only authorized Docker Compose services can communicate with Ollama
4. **No Port Conflicts**: Port 11434 is not bound to host machine

### Accessing Ollama

**From Docker Compose Services (✓ Allowed):**

```bash
# Services use internal Docker network
OLLAMA_BASE_URL=http://ollama:11434
```

**From Host Machine (✗ Not Allowed):**

```bash
# This will NOT work - port not exposed
curl http://localhost:11434/api/tags
# Connection refused
```

**From Inside Containers (✓ Allowed):**

```bash
# Access from another container
docker-compose exec crawler curl http://ollama:11434/api/tags
```

### Why This Matters

**Security Risks of Exposed Ollama:**

- Unauthorized access to AI models
- Potential for abuse (resource consumption)
- Information disclosure through prompts
- No authentication by default
- Could be used for unintended purposes

**With Internal-Only Configuration:**

- Only your trusted services can access Ollama
- No external attack vector
- Controlled usage within your application
- Better resource management

### Testing Ollama

Since Ollama is internal-only, you must test from inside the Docker network:

```bash
# ✓ Correct way - from inside a container
docker-compose exec crawler curl -s http://ollama:11434/api/tags

# ✓ Test translation
docker-compose exec crawler python crawler_service.py 1

# ✓ Check logs
docker-compose logs ollama
```

### If You Need External Access

If you have a specific need to access Ollama from the host machine (e.g., development, debugging), you can temporarily expose it:

**Option 1: Temporary Port Forward**

```bash
# Forward port temporarily (stops when you press Ctrl+C).
# Set COMPOSE_NETWORK to this project's network name as shown by `docker network ls`.
docker run --rm -it --init -p 127.0.0.1:11434:11434 --network "$COMPOSE_NETWORK" \
  alpine/socat TCP-LISTEN:11434,fork TCP:ollama:11434
```

**Option 2: Add Ports to docker-compose.yml (Not Recommended)**

```yaml
ollama:
  ports:
    - "127.0.0.1:11434:11434"  # Only bind to localhost, not 0.0.0.0
```

**⚠️ Warning:** Only expose Ollama if absolutely necessary, and always bind to `127.0.0.1` (localhost only), never `0.0.0.0` (all interfaces).

### Other Security Considerations

**MongoDB:**

- Exposed on port 27017 for development
- Uses authentication (username/password)
- Consider restricting to localhost in production: `127.0.0.1:27017:27017`

**Backend API:**

- Exposed on port 5001 for tracking and admin functions
- Should be behind reverse proxy in production
- Consider adding authentication for admin endpoints

**Email Credentials:**

- Stored in `.env` file
- Never commit `.env` to version control
- Use environment variables in production

### Production Recommendations

1. **Use Docker Secrets** for sensitive data:

   ```yaml
   secrets:
     mongo_password:
       external: true
   ```

2. **Restrict Network Access**:

   ```yaml
   ports:
     - "127.0.0.1:27017:27017"  # MongoDB
     - "127.0.0.1:5001:5001"    # Backend
   ```

3. **Use Reverse Proxy** (nginx, Traefik):
   - SSL/TLS termination
   - Rate limiting
   - Authentication
   - Access logs

4. **Regular Updates**:

   ```bash
   docker-compose pull
   docker-compose up -d
   ```

5. **Monitor Logs**:

   ```bash
   docker-compose logs -f
   ```

### Security Checklist

- [x] Ollama is internal-only (no exposed ports)
- [x] MongoDB uses authentication
- [x] `.env` file is in `.gitignore`
- [ ] Backend API has authentication (if needed)
- [ ] Using HTTPS in production
- [ ] Regular security updates
- [ ] Monitoring and logging enabled
- [ ] Backup strategy in place

## Reporting Security Issues

If you discover a security vulnerability, please email security@example.com (replace with your contact). Do not open public issues for security vulnerabilities.
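
The port-binding rules in these notes (Ollama publishes no ports; every other published port binds to `127.0.0.1`, never `0.0.0.0`) can be checked automatically. The following is an added example, not part of this project's code; the function names and the service names `mongodb` and `backend` in the constructed sample are assumptions.

```python
import ipaddress
import json

# Services that must publish no host ports at all (per the checklist above).
INTERNAL_ONLY = {"ollama"}

def host_ip(port):
    """Host bind address of one `ports:` entry; '' means all interfaces."""
    if isinstance(port, dict):                  # long syntax / normalized JSON
        return port.get("host_ip") or ""
    spec = str(port).split("/")[0]              # drop "/tcp" or "/udp"
    if spec.startswith("["):                    # "[::1]:8080:80"
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else ""  # "ip:host:container" carries an IP

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:                          # '' or unparsable: assume exposed
        return False

def audit_compose(config):
    """Return (service, problem, bind_address) tuples for risky ports."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        for port in svc.get("ports") or []:
            ip = host_ip(port)
            if name in INTERNAL_ONLY:
                findings.append((name, "internal-only service publishes a port", ip or "0.0.0.0"))
            elif not is_loopback(ip):
                findings.append((name, "port bound to non-loopback address", ip or "0.0.0.0"))
    return findings

# Constructed sample; the service names `mongodb` and `backend` are assumptions.
SAMPLE = json.loads("""
{"services": {
  "ollama":  {"image": "ollama/ollama:latest"},
  "mongodb": {"ports": ["27017:27017"]},
  "backend": {"ports": [{"target": 5001, "published": "5001", "host_ip": "127.0.0.1"}]}
}}
""")

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE):
        print(*finding, sep=": ")
```

To audit the real stack, pass the parsed output of `docker compose config --format json` (Compose v2) to `audit_compose`.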