dongho/Munich-news
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75a6973a49c90bd005fd1aeb1179072336e75d7b
Munich-news/docs/SECURITY_NOTES.md
Dongho Kim 75a6973a49 update
2025-11-11 17:40:29 +01:00

161 lines
4.2 KiB
Markdown
Raw Blame History

# Security Notes
## Ollama Service Security
### Internal-Only Access
The Ollama service is configured to be **internal-only** and is not exposed to the host machine or external network. This provides several security benefits:
**Configuration:**
```yaml
# Ollama service has NO ports exposed
ollama:
image: ollama/ollama:latest
# No ports section - internal only
networks:
- munich-news-network
```
**Benefits:**
1. **No External Access**: Ollama API cannot be accessed from outside Docker network
2. **Reduced Attack Surface**: Service is not exposed to potential external threats
3. **Network Isolation**: Only authorized Docker Compose services can communicate with Ollama
4. **No Port Conflicts**: Port 11434 is not bound to host machine
### Accessing Ollama
**From Docker Compose Services (✓ Allowed):**
```bash
# Services use internal Docker network
OLLAMA_BASE_URL=http://ollama:11434
```
**From Host Machine (✗ Not Allowed):**
```bash
# This will NOT work - port not exposed
curl http://localhost:11434/api/tags
# Connection refused
```
**From Inside Containers (✓ Allowed):**
```bash
# Access from another container
docker-compose exec crawler curl http://ollama:11434/api/tags
```
### Why This Matters
**Security Risks of Exposed Ollama:**
- Unauthorized access to AI models
- Potential for abuse (resource consumption)
- Information disclosure through prompts
- No authentication by default
- Could be used for unintended purposes
**With Internal-Only Configuration:**
- Only your trusted services can access Ollama
- No external attack vector
- Controlled usage within your application
- Better resource management
### Testing Ollama
Since Ollama is internal-only, you must test from inside the Docker network:
```bash
# ✓ Correct way - from inside a container
docker-compose exec crawler curl -s http://ollama:11434/api/tags
# ✓ Test translation
docker-compose exec crawler python crawler_service.py 1
# ✓ Check logs
docker-compose logs ollama
```
### If You Need External Access
If you have a specific need to access Ollama from the host machine (e.g., development, debugging), you can temporarily expose it:
**Option 1: Temporary Port Forward**
```bash
# Forward port temporarily (stops when you press Ctrl+C)
docker exec -it munich-news-ollama socat TCP-LISTEN:11434,fork TCP:localhost:11434 &
```
**Option 2: Add Ports to docker-compose.yml (Not Recommended)**
```yaml
ollama:
ports:
- "127.0.0.1:11434:11434" # Only bind to localhost, not 0.0.0.0
```
**⚠️ Warning:** Only expose Ollama if absolutely necessary, and always bind to `127.0.0.1` (localhost only), never `0.0.0.0` (all interfaces).
### Other Security Considerations
**MongoDB:**
- Exposed on port 27017 for development
- Uses authentication (username/password)
- Consider restricting to localhost in production: `127.0.0.1:27017:27017`
**Backend API:**
- Exposed on port 5001 for tracking and admin functions
- Should be behind reverse proxy in production
- Consider adding authentication for admin endpoints
**Email Credentials:**
- Stored in `.env` file
- Never commit `.env` to version control
- Use environment variables in production
### Production Recommendations
1. **Use Docker Secrets** for sensitive data:
```yaml
secrets:
mongo_password:
external: true
```
2. **Restrict Network Access**:
```yaml
ports:
- "127.0.0.1:27017:27017" # MongoDB
- "127.0.0.1:5001:5001" # Backend
```
3. **Use Reverse Proxy** (nginx, Traefik):
- SSL/TLS termination
- Rate limiting
- Authentication
- Access logs
4. **Regular Updates**:
```bash
docker-compose pull
docker-compose up -d
```
5. **Monitor Logs**:
```bash
docker-compose logs -f
```
### Security Checklist
- [x] Ollama is internal-only (no exposed ports)
- [x] MongoDB uses authentication
- [x] `.env` file is in `.gitignore`
- [ ] Backend API has authentication (if needed)
- [ ] Using HTTPS in production
- [ ] Regular security updates
- [ ] Monitoring and logging enabled
- [ ] Backup strategy in place
## Reporting Security Issues
If you discover a security vulnerability, please email security@example.com (replace with your contact).
Do not open public issues for security vulnerabilities.
Reference in New Issue View Git Blame Copy Permalink