From 5b97ed0ef792f9ac8f0ac893ee3977918d9dbf6c Mon Sep 17 00:00:00 2001 From: Oliver Hofmann Date: Wed, 29 Apr 2026 09:52:13 +0200 Subject: [PATCH] Expose port 8001 on 127.0.0.1 only, explain why in docs --- DOCKERHUB.en.md | 13 ++++++++++++- DOCKERHUB.md | 13 ++++++++++++- docker-compose.yml | 1 + 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/DOCKERHUB.en.md b/DOCKERHUB.en.md index 8d7540b..8bd7448 100644 --- a/DOCKERHUB.en.md +++ b/DOCKERHUB.en.md @@ -19,7 +19,14 @@ Ollama does not need to run on the same host — `OLLAMA_URL` can point to any r | Port | Service | |------|---------| | `8000` | Proxy endpoint (OpenAI API) | -| `8001` | Admin API + web interface (do not expose) | +| `8001` | Admin API + web interface | + +Port 8001 must be exposed because the container serves the admin interface directly on this port. To restrict access to the local machine, bind it to `127.0.0.1` — this makes the port reachable only from the host, not from the network: + +``` +ports: + - "127.0.0.1:8001:8001" +``` ## Environment Variables @@ -46,6 +53,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://host.docker.internal:11434 # or http://:11434 @@ -71,6 +79,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://host.docker.internal:11434 # or http://:11434 @@ -115,6 +124,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://ollama:11434 @@ -147,6 +157,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://ollama:11434 diff --git a/DOCKERHUB.md b/DOCKERHUB.md index 58333f3..cdf35c7 100644 --- a/DOCKERHUB.md +++ b/DOCKERHUB.md 
@@ -19,7 +19,14 @@ Ollama muss dabei nicht auf demselben Host laufen — `OLLAMA_URL` kann auf jede | Port | Dienst | |------|--------| | `8000` | Proxy-Endpunkt (OpenAI-API) | -| `8001` | Admin-API + Web-Oberfläche (nicht exponieren) | +| `8001` | Admin-API + Web-Oberfläche | + +Port 8001 muss exposed werden, da der Container die Admin-Oberfläche selbst auf diesem Port ausliefert. Um den Zugriff auf den lokalen Rechner zu beschränken, die Portbindung auf `127.0.0.1` setzen — so ist der Port nur vom Host erreichbar, nicht aus dem Netzwerk: + +``` +ports: + - "127.0.0.1:8001:8001" +``` ## Umgebungsvariablen @@ -46,6 +53,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://host.docker.internal:11434 # oder http://:11434 @@ -71,6 +79,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://host.docker.internal:11434 # oder http://:11434 @@ -115,6 +124,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://ollama:11434 @@ -147,6 +157,7 @@ services: restart: unless-stopped ports: - "8000:8000" + - "127.0.0.1:8001:8001" environment: ADMIN_PASSWORD: changeme OLLAMA_URL: http://ollama:11434 diff --git a/docker-compose.yml b/docker-compose.yml index b328d62..17eba9a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,6 +5,7 @@ services: env_file: .env ports: - "${PROXY_PORT:-8000}:${PROXY_PORT:-8000}" + - "127.0.0.1:8001:8001" volumes: - ./backend/test.db:/app/backend/test.db - ./backend/logs:/app/backend/logs
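Review bot: The added `- "127.0.0.1:8001:8001"` entry in docker-compose.yml has no comment saying why it is loopback-only; the reasoning lives only in the two DOCKERHUB files. Someone who later wants remote admin access could plausibly shorten it to `"8001:8001"` and publish the admin API on every interface. I would put a comment directly above it, for example `# Admin API + web UI: keep on loopback; for remote access use an SSH tunnel or an authenticated reverse proxy`. As a style point, the admin port is hard-coded while the proxy line above it uses `${PROXY_PORT:-8000}`; if the container's admin port is configurable (not visible in this hunk), the mapping should follow the same pattern. The `services:` block starts before the hunk and continues after it.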