fix: bind DevOps dashboard ports to loopback
Some checks failed
pre-commit / pre-commit (push) Failing after 27s

This commit is contained in:
Hermes VM 2026-05-27 21:55:46 +00:00
parent f936c2231c
commit 44fd6a462a
3 changed files with 28 additions and 6 deletions

View File

@ -26,7 +26,7 @@ services:
- VM_SCRIPTS_PATH=/vm-scripts/VMs/HostingerVM - VM_SCRIPTS_PATH=/vm-scripts/VMs/HostingerVM
- VM_LOG_DIR=/host-logs - VM_LOG_DIR=/host-logs
ports: ports:
- '4004:4004' - '127.0.0.1:4004:4004'
networks: networks:
- default - default
- platform_net - platform_net
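Review bot: `devops-backend` is attached to `platform_net` as well as `default`, so Caddy can reach it by container name without any host publish at all; if the `127.0.0.1:4004:4004` mapping is kept only for the local `/health` smoke check, say so in a YAML comment, otherwise consider dropping the `ports:` entry as was done for `peakpulse-backend` and `jarvisjr-backend` (host port removed on recreate). A loopback publish narrows exposure rather than closing it: any local process on the host can still reach the port.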
@ -65,7 +65,7 @@ services:
NEXT_PUBLIC_DEVOPS_API_URL: https://api.bytelyst.com/devops NEXT_PUBLIC_DEVOPS_API_URL: https://api.bytelyst.com/devops
container_name: devops-web container_name: devops-web
ports: ports:
- '3049:3000' - '127.0.0.1:3049:3000'
networks: networks:
- default - default
- platform_net - platform_net
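Review bot: binding `3049` to `127.0.0.1` only removes the direct host bypass; `NEXT_PUBLIC_DEVOPS_API_URL` still sends the browser to `https://api.bytelyst.com/devops`, so the dashboard and its API remain reachable through the public Caddy routes until the auth/private gate recorded in the inventory is in place. A comment next to `ports:` stating that the loopback publish exists for local smoke checks only, and that Caddy is expected to reach `devops-web:3000` over `platform_net`, would stop a future editor from widening it again.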

View File

@ -62,7 +62,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review.
| `3030` | `chronomind-web` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `clock.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `3030` | `chronomind-web` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `clock.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route |
| `3035` | `jarvisjr-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3035` | `jarvisjr-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision |
| `3040` | `flowmonk-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3040` | `flowmonk-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision |
| `3049` | `devops-web` | `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml` | `devops.bytelyst.com` | `private-admin` with direct bypass | Fix old repo path drift, then bind loopback/private | | `3049` | `devops-web` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `devops.bytelyst.com` | `private-admin` | Bound to `127.0.0.1` on 2026-05-27; still needs auth/private gate for Caddy route |
| `3050` | `mindlyst-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3050` | `mindlyst-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision |
| `3055` | `nomgap-web` | orphan from older `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `retire` | Retired on 2026-05-27; current Compose says Nomgap web is deployed to Vercel | | `3055` | `nomgap-web` | orphan from older `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `retire` | Retired on 2026-05-27; current Compose says Nomgap web is deployed to Vercel |
| `3060` | `actiontrail-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3060` | `actiontrail-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision |
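Review bot: the `3049` row now records the `learning_ai_devops_tools` path, but the left side (and the drift finding this commit removes) said the running `devops-web` came from `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml`. If that older Compose project directory still exists on the host, a `docker compose up` run from it would recreate `devops-web` with the wildcard `3049:3000` publish; record in this row or the drift section that the old path was retired or archived, not only that the new one is now in use.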
@ -71,7 +71,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review.
| `3085` | `invttrdg-web` | `/opt/bytelyst/learning_ai_invt_trdg/docker-compose.yml` | `invttrdg.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `3085` | `invttrdg-web` | `/opt/bytelyst/learning_ai_invt_trdg/docker-compose.yml` | `invttrdg.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route |
| `3100` | `loki` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27 | | `3100` | `loki` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27 |
| `3300` | `gitea-npm-registry` | non-Compose container labels absent | `gitea.bytelyst.com` | `public-caddy` with direct bypass | Bind loopback or private; keep Caddy route | | `3300` | `gitea-npm-registry` | non-Compose container labels absent | `gitea.bytelyst.com` | `public-caddy` with direct bypass | Bind loopback or private; keep Caddy route |
| `4004` | `devops-backend` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `api.bytelyst.com/devops/*` | `private-admin` with direct bypass | Bind loopback/private | | `4004` | `devops-backend` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `api.bytelyst.com/devops/*` | `private-admin` | Bound to `127.0.0.1` on 2026-05-27; still needs auth/private gate for Caddy route |
| `4010` | `peakpulse-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/peakpulse/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route | | `4010` | `peakpulse-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/peakpulse/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route |
| `4011` | `chronomind-backend` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `api.bytelyst.com/chronomind/*` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `4011` | `chronomind-backend` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `api.bytelyst.com/chronomind/*` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route |
| `4012` | `jarvisjr-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/jarvisjr/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route | | `4012` | `jarvisjr-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/jarvisjr/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route |
@ -114,8 +114,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review.
## Drift / Follow-Up Findings ## Drift / Follow-Up Findings
- `nomgap-web` was an orphan from an older Compose revision, had no Caddy route, and was retired on 2026-05-27. - `nomgap-web` was an orphan from an older Compose revision, had no Caddy route, and was retired on 2026-05-27.
- `devops-backend` runs from `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml`. - `devops-backend` and `devops-web` now run from `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml`.
- `devops-web` runs from `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml`, an older path. Align this before changing devops dashboard port bindings.
- `gitea-npm-registry` has no Compose labels in Docker inspect output. Find its systemd/compose owner before changing `3300`. - `gitea-npm-registry` has no Compose labels in Docker inspect output. Find its systemd/compose owner before changing `3300`.
- `admin.bytelyst.com` points at `admin-web:3001`, but no `admin-web` container was present in `docker ps` during this inventory. - `admin.bytelyst.com` points at `admin-web:3001`, but no `admin-web` container was present in `docker ps` during this inventory.
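Review bot: deleting the `devops-web` drift line discards the only record that it previously ran from `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml`. Keep it as a resolved finding instead, e.g. "`devops-web` previously ran from `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml`; aligned to `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` on 2026-05-27", so the next inventory pass understands why a stale Compose project or image may still turn up under the old path.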

View File

@ -184,6 +184,7 @@ Effective `sshd -T` settings showed:
- [x] Internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100` are loopback-bound. - [x] Internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100` are loopback-bound.
- [x] Common-platform direct app/API bypasses are loopback-bound or removed from host publishing. - [x] Common-platform direct app/API bypasses are loopback-bound or removed from host publishing.
- [x] Notes, Clock, and InvtTrdg direct app/API bypasses are loopback-bound. - [x] Notes, Clock, and InvtTrdg direct app/API bypasses are loopback-bound.
- [x] DevOps dashboard/API direct private-admin bypasses are loopback-bound.
- [ ] Add a `DOCKER-USER` chain policy to drop unsolicited traffic to non-approved published ports before Docker's accept rules. - [ ] Add a `DOCKER-USER` chain policy to drop unsolicited traffic to non-approved published ports before Docker's accept rules.
- [ ] Keep only `80/443` and intentionally public SSH exposed at the provider/firewall layer. - [ ] Keep only `80/443` and intentionally public SSH exposed at the provider/firewall layer.
- [ ] Add a recurring check that compares `ss -ltn` and Docker published ports against the approved inventory. - [ ] Add a recurring check that compares `ss -ltn` and Docker published ports against the approved inventory.
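Review bot: the new checked item reads as if the DevOps private-admin exposure is closed, while the inventory rows for `3049` and `4004` still say "needs auth/private gate for Caddy route". Either qualify the item ("direct host bypasses only; Caddy route still ungated") or pair it with an unchecked item for the gate so the checklist does not overstate what changed. The verification behind this checkbox was a one-off `docker ps ... | grep 0.0.0.0`, which is exactly the recurring `ss -ltn`/published-port comparison the last unchecked item here still asks for.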
@ -395,6 +396,7 @@ Effective `sshd -T` settings showed:
- [x] Loopback-bound internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100`. - [x] Loopback-bound internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100`.
- [x] Closed/loopback-bound common-platform direct app/API bypasses. - [x] Closed/loopback-bound common-platform direct app/API bypasses.
- [x] Loopback-bound Notes, Clock, and InvtTrdg direct app/API bypasses. - [x] Loopback-bound Notes, Clock, and InvtTrdg direct app/API bypasses.
- [x] Loopback-bound DevOps dashboard/API direct private-admin bypasses.
- [ ] Add `DOCKER-USER` default-deny rules for non-approved ports. - [ ] Add `DOCKER-USER` default-deny rules for non-approved ports.
- [ ] Harden SSH root/password access after key-based access is verified. - [ ] Harden SSH root/password access after key-based access is verified.
- [ ] Put `ollama.bytelyst.com`, admin dashboards, and dev tooling behind private/auth-gated access unless explicitly approved as public. - [ ] Put `ollama.bytelyst.com`, admin dashboards, and dev tooling behind private/auth-gated access unless explicitly approved as public.
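Review bot: this is the same checkbox as the one added to the Phase 1 list above, maintained in a second checklist, and the two are already drifting (the `DOCKER-USER` item is phrased differently in each). Consider making one list canonical and having the other reference it, or at least keep the wording identical so a search for an item finds both copies.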
@ -625,6 +627,27 @@ Minimum post-checks for Phase 1:
- Docker wildcard publishes still to fix: Gitea direct port `3300`, DevOps dashboard/API `3049` and `4004`. - Docker wildcard publishes still to fix: Gitea direct port `3300`, DevOps dashboard/API `3049` and `4004`.
- Host process still to fix: Ollama `11434`. - Host process still to fix: Ollama `11434`.
### 2026-05-27 — Phase 1 DevOps private-admin bypasses
**Changed:**
- Updated `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` so `devops-web` and `devops-backend` bind host ports only on `127.0.0.1`.
- Recreated `devops-backend` and `devops-web` without rebuilding images.
**Verified:**
- `docker compose config --quiet` passed in the DevOps dashboard directory.
- `devops-web` now publishes `127.0.0.1:3049->3000`.
- `devops-backend` now publishes `127.0.0.1:4004->4004` and is healthy.
- Local smoke checks returned HTTP `200` for `http://127.0.0.1:3049` and `http://127.0.0.1:4004/health`.
- `docker ps --format ... | grep 0.0.0.0` now shows only Caddy `80/443` and Gitea `3300` as Docker wildcard publishes.
**Remaining wildcard direct exposure after this checkpoint:**
- Expected public ingress: `22`, `80`, `443`.
- Docker wildcard publish still to fix: Gitea direct port `3300`.
- Host process still to fix: Ollama `11434`.
## Do Not Start With ## Do Not Start With
- Rootless Docker migration. - Rootless Docker migration.
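Review bot: the post-check in the Verified list greps `docker ps` output for `0.0.0.0`, but the inventory's own heading says listeners were found on `0.0.0.0` and/or `[::]`; Docker prints IPv6 wildcard publishes as `[::]:port`, so a `0.0.0.0`-only grep would miss an IPv6-only wildcard. Grep for both patterns, or cross-check with `ss -ltn` as the checklist already proposes. Minor: the `--format ...` elision leaves the exact command unrecorded; paste the full template so the check is reproducible on the next checkpoint.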