Munich-news/docs/SECURITY_NOTES.md
2025-11-11 17:40:29 +01:00

Security Notes

Ollama Service Security

Internal-Only Access

The Ollama service is configured to be internal-only and is not exposed to the host machine or external network. This provides several security benefits:

Configuration:

# Ollama service has NO ports exposed
ollama:
  image: ollama/ollama:latest
  # No ports section - internal only
  networks:
    - munich-news-network

Benefits:

  1. No External Access: The Ollama API cannot be reached from outside the Docker network
  2. Reduced Attack Surface: Service is not exposed to potential external threats
  3. Network Isolation: Only services attached to munich-news-network can communicate with Ollama
  4. No Port Conflicts: Port 11434 is not bound on the host machine

Accessing Ollama

From Docker Compose Services (✓ Allowed):

# Services use internal Docker network
OLLAMA_BASE_URL=http://ollama:11434

From Host Machine (✗ Not Allowed):

# This will NOT work - port not exposed
curl http://localhost:11434/api/tags
# Connection refused

From Inside Containers (✓ Allowed):

# Access from another container
docker-compose exec crawler curl http://ollama:11434/api/tags

Why This Matters

Security Risks of Exposed Ollama:

  • Unauthorized access to AI models
  • Potential for abuse (resource consumption)
  • Information disclosure through prompts
  • No authentication by default
  • Could be used for unintended purposes

With Internal-Only Configuration:

  • Only your trusted services can access Ollama
  • No external attack vector
  • Controlled usage within your application
  • Better resource management

Testing Ollama

Since Ollama is internal-only, you must test from inside the Docker network:

# ✓ Correct way - from inside a container
docker-compose exec crawler curl -s http://ollama:11434/api/tags

# ✓ Test translation
docker-compose exec crawler python crawler_service.py 1

# ✓ Check logs
docker-compose logs ollama

If You Need External Access

If you have a specific need to access Ollama from the host machine (e.g., development, debugging), you can temporarily expose it:

Option 1: Temporary Port Forward

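# Forward port temporarily (stops when you press Ctrl+C); binds to localhost only.
# Assumes the alpine/socat image and that the Compose network is named munich-news-network
# on the host (Compose may prefix the project name; check with `docker network ls`).
docker run --rm -p 127.0.0.1:11434:11434 --network munich-news-network alpine/socat TCP-LISTEN:11434,fork,reuseaddr TCP:ollama:11434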

Option 2: Add Ports to docker-compose.yml (Not Recommended)

ollama:
  ports:
    - "127.0.0.1:11434:11434"  # Only bind to localhost, not 0.0.0.0

⚠️ Warning: Only expose Ollama if absolutely necessary, and always bind to 127.0.0.1 (localhost only), never 0.0.0.0 (all interfaces).

Other Security Considerations

MongoDB:

  • Exposed on port 27017 for development
  • Uses authentication (username/password)
  • Consider restricting to localhost in production: 127.0.0.1:27017:27017

Backend API:

  • Exposed on port 5001 for tracking and admin functions
  • Should be behind reverse proxy in production
  • Consider adding authentication for admin endpoints

Email Credentials:

  • Stored in .env file
  • Never commit .env to version control
  • Use environment variables in production

Production Recommendations

  1. Use Docker Secrets for sensitive data:

    secrets:
      mongo_password:
        external: true
    
  2. Restrict Network Access:

    ports:
      - "127.0.0.1:27017:27017"  # MongoDB
      - "127.0.0.1:5001:5001"    # Backend
    
  3. Use Reverse Proxy (nginx, Traefik):

    • SSL/TLS termination
    • Rate limiting
    • Authentication
    • Access logs
  4. Regular Updates:

    docker-compose pull
    docker-compose up -d
    
  5. Monitor Logs:

    docker-compose logs -f
    

Security Checklist

  • Ollama is internal-only (no exposed ports)
  • MongoDB uses authentication
  • .env file is in .gitignore
  • Backend API has authentication (if needed)
  • Using HTTPS in production
  • Regular security updates
  • Monitoring and logging enabled
  • Backup strategy in place
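
The first checklist item and the localhost-binding recommendation can be checked automatically. The script below is an added example, not part of the Munich-news project: it audits a parsed Compose file (for instance the output of `docker compose config --format json` on Compose v2) and reports any port published by Ollama or bound to a non-loopback address. The service names `mongodb` and `backend` and the sample data are assumptions made for illustration.

```python
import json

LOOPBACK = {"127.0.0.1", "::1"}

def bind_ip(entry):
    """Host IP a Compose `ports` entry binds to (0.0.0.0 when none is given)."""
    if isinstance(entry, dict):            # long form, as `docker compose config` emits it
        return entry.get("host_ip") or "0.0.0.0"
    spec = str(entry).split("/")[0]        # short form; drop "/tcp" or "/udp"
    if spec.startswith("["):               # bracketed IPv6 host IP
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def audit(compose, internal_only=("ollama",)):
    """Return (service, bind_ip, problem) for each ports entry that breaks the rules."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports") or []:
            ip = bind_ip(entry)
            if name in internal_only:
                # Internal-only services must not publish anything, even on localhost.
                findings.append((name, ip, "internal-only service publishes a port"))
            elif ip not in LOOPBACK:
                findings.append((name, ip, "port published on a non-loopback interface"))
    return findings

# Constructed sample shaped like `docker compose config --format json` output.
# Service names "mongodb" and "backend" are hypothetical.
SAMPLE = json.loads("""
{"services": {
  "ollama":  {"image": "ollama/ollama:latest",
              "networks": {"munich-news-network": null}},
  "mongodb": {"ports": [{"mode": "ingress", "target": 27017,
                         "published": "27017", "protocol": "tcp"}]},
  "backend": {"ports": [{"mode": "ingress", "host_ip": "127.0.0.1",
                         "target": 5001, "published": "5001", "protocol": "tcp"}]}
}}
""")

if __name__ == "__main__":
    for service, ip, problem in audit(SAMPLE):
        print(f"{service}: {problem} ({ip})")
```

An empty result means Ollama publishes nothing and every other published port is bound to loopback; it does not check which containers are attached to the internal network.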

Reporting Security Issues

If you discover a security vulnerability, please email security@example.com (replace with your contact).

Do not open public issues for security vulnerabilities.