Expose port 8001 on 127.0.0.1 only, explain why in docs

DOCKERHUB.en.md

@@ -19,7 +19,14 @@ Ollama does not need to run on the same host — `OLLAMA_URL` can point to any r
 | Port | Service |
 |------|---------|
 | `8000` | Proxy endpoint (OpenAI API) |
-| `8001` | Admin API + web interface (do not expose) |
+| `8001` | Admin API + web interface |
+
+Port 8001 must be exposed because the container serves the admin interface directly on this port. To restrict access to the local machine, bind it to `127.0.0.1` — this makes the port reachable only from the host, not from the network:
+
+```
+ports:
+  - "127.0.0.1:8001:8001"
+```
 
 ## Environment Variables
 
@@ -46,6 +53,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://host.docker.internal:11434  # or http://<ip>:11434
@@ -71,6 +79,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://host.docker.internal:11434  # or http://<ip>:11434
@@ -115,6 +124,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://ollama:11434
@@ -147,6 +157,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://ollama:11434

DOCKERHUB.md

@@ -19,7 +19,14 @@ Ollama muss dabei nicht auf demselben Host laufen — `OLLAMA_URL` kann auf jede
 | Port | Dienst |
 |------|--------|
 | `8000` | Proxy-Endpunkt (OpenAI-API) |
-| `8001` | Admin-API + Web-Oberfläche (nicht exponieren) |
+| `8001` | Admin-API + Web-Oberfläche |
+
+Port 8001 muss exposed werden, da der Container die Admin-Oberfläche selbst auf diesem Port ausliefert. Um den Zugriff auf den lokalen Rechner zu beschränken, die Portbindung auf `127.0.0.1` setzen — so ist der Port nur vom Host erreichbar, nicht aus dem Netzwerk:
+
+```
+ports:
+  - "127.0.0.1:8001:8001"
+```
 
 ## Umgebungsvariablen
 
@@ -46,6 +53,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://host.docker.internal:11434  # oder http://<ip>:11434
@@ -71,6 +79,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://host.docker.internal:11434  # oder http://<ip>:11434
@@ -115,6 +124,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://ollama:11434
@@ -147,6 +157,7 @@ services:
     restart: unless-stopped
     ports:
       - "8000:8000"
+      - "127.0.0.1:8001:8001"
     environment:
       ADMIN_PASSWORD: changeme
       OLLAMA_URL: http://ollama:11434

docker-compose.yml

@@ -5,6 +5,7 @@ services:
     env_file: .env
     ports:
       - "${PROXY_PORT:-8000}:${PROXY_PORT:-8000}"
+      - "127.0.0.1:8001:8001"
     volumes:
       - ./backend/test.db:/app/backend/test.db
       - ./backend/logs:/app/backend/logs