From a6e37526a01495d3009f1ed05298f79712fcfdf5 Mon Sep 17 00:00:00 2001
From: Chris Sherwood
Date: Fri, 13 Mar 2026 20:09:44 -0700
Subject: [PATCH] fix(security): remove MySQL and Redis port exposure to host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MySQL (3306) and Redis (6379) were published to all host interfaces despite only being accessed by the admin container via Docker's internal network. Redis has no authentication, so anyone on the LAN could connect. Removes the port mappings — containers still communicate internally via Docker service names.
Closes #279
Co-Authored-By: Claude Opus 4.6
---
 install/management_compose.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/install/management_compose.yaml b/install/management_compose.yaml
index 43b8bf7..3bf5060 100644
--- a/install/management_compose.yaml
+++ b/install/management_compose.yaml
@@ -57,8 +57,6 @@ services:
 image: mysql:8.0
 container_name: nomad_mysql
 restart: unless-stopped
- ports:
- - "3306:3306"
 environment:
 - MYSQL_ROOT_PASSWORD=replaceme
 - MYSQL_DATABASE=nomad
@@ -75,8 +73,6 @@ services:
 image: redis:7-alpine
 container_name: nomad_redis
 restart: unless-stopped
- ports:
- - "6379:6379"
 volumes:
 - /opt/project-nomad/redis:/data
 healthcheck:
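Review bot: The context lines of the first hunk still show `- MYSQL_ROOT_PASSWORD=replaceme` as a literal in the compose file, so once the host ports are gone MySQL is protected only by network placement, and the same holds for Redis in the second hunk, which the commit message says has no authentication. Unless the installer rewrites that placeholder, any container attached to the same Docker network can still reach both services, so the port removal is better paired with real credentials. For MySQL that could be `- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?set in .env}`, and for Redis `command: ["redis-server", "--requirepass", "${REDIS_PASSWORD:?set in .env}"]`, with the admin container and the Redis healthcheck given the same password. Both service definitions start and end outside the hunks, so an existing override there may already cover part of this. Running containers also keep their published ports until they are recreated, which is worth a line in the upgrade notes.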