Skip to content

Harden Docker compose gateway exposure#186

Merged
bglusman merged 3 commits into
mainfrom
codex/propose-fix-for-docker-compose-vulnerability
May 12, 2026
Merged

Harden Docker compose gateway exposure#186
bglusman merged 3 commits into
mainfrom
codex/propose-fix-for-docker-compose-vulnerability

Conversation

@bglusman

@bglusman bglusman commented May 12, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Prevent the Docker packaging example from exposing unauthenticated Calciforge gateways and the security-proxy on all host interfaces by default, which could allow unauthenticated remote use of model backends and forward-proxy surfaces.
  • Provide a safe, opinionated example that defaults to loopback publishing and forces an operator to opt into LAN exposure while provisioning a client-facing gateway API key.

Description

  • Default published ports to loopback by adding CALCIFORGE_HOST_BIND and using ${CALCIFORGE_HOST_BIND:-127.0.0.1} in packaging/docker/docker-compose.yml for calciforge, security-proxy, and clashd port mappings.
  • Require a client-facing gateway key in the sample config by adding api_key_file = "/var/lib/calciforge/gateway-api-key" to packaging/docker/config.example.toml so the example gateway does not run unauthenticated.
  • Add key provisioning and documentation updates to packaging/docker/README.md and set CALCIFORGE_HOST_BIND=127.0.0.1 in packaging/docker/calciforge.env.example, including instructions to create data/gateway-api-key and guidance for intentional LAN exposure.
  • Add packaging guardrails to scripts/check-packaging.sh to assert the Compose sample defaults to loopback bindings, requires the api_key_file entry, and provisions the sample gateway key in the README.

Testing

  • Ran bash scripts/check-packaging.sh, which passed (packaging checks exercised the new assertions).
  • Ran cargo fmt --all -- --check and bash -n scripts/check-packaging.sh, both of which passed locally.
  • Ran git diff --check which reported no check failures and gitleaks was skipped as it is not installed in the environment.
  • Attempted cargo test -p calciforge test_channel_docs, which failed due to an unrelated existing -D dead-code error in crates/calciforge/src/context.rs and not because of these packaging changes.

Codex Task

Copilot AI review requested due to automatic review settings May 12, 2026 12:53
@qodo-code-review

qodo-code-review Bot commented May 12, 2026

Copy link
Copy Markdown 
ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

Copilot AI reviewed May 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the Docker Compose packaging example to avoid exposing unauthenticated Calciforge gateway and sidecar ports on all host interfaces by default, and to require a client-facing gateway API key in the example config.

Changes:

  • Default Compose published ports to loopback via ${CALCIFORGE_HOST_BIND:-127.0.0.1} for calciforge, security-proxy, and clashd.
  • Require a gateway bearer token in the Docker example config via proxy.api_key_file.
  • Add docs + packaging guardrails for key provisioning and loopback-first behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
scripts/check-packaging.sh Adds packaging assertions for loopback-default port publishing, required gateway API key file, and README key provisioning.
packaging/docker/README.md Documents loopback-default bindings and adds steps to generate and chmod the gateway API key file.
packaging/docker/docker-compose.yml Changes published port mappings to default-bind to loopback unless overridden by CALCIFORGE_HOST_BIND.
packaging/docker/config.example.toml Adds proxy.api_key_file so the example gateway runs authenticated.
packaging/docker/calciforge.env.example Introduces CALCIFORGE_HOST_BIND=127.0.0.1 and guidance for intentional LAN exposure.

Comment thread scripts/check-packaging.sh Outdated
Comment on lines +61 to +64
grep -q 'CALCIFORGE_HOST_BIND:-127.0.0.1' "$ROOT/packaging/docker/docker-compose.yml" || {
echo "Docker Compose published ports must default to loopback host binding" >&2
exit 1
}
Copilot AI review requested due to automatic review settings May 12, 2026 13:35
Copilot AI reviewed May 12, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@bglusman bglusman merged commit 9c8cbea into main May 12, 2026
26 checks passed
@bglusman bglusman deleted the codex/propose-fix-for-docker-compose-vulnerability branch May 12, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bglusman