Mirror Komodo IP-allowlist labels and document de-publicization
Codex applied the ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24) to the Komodo router live in the inline-managed self-stack; public now returns 403. Mirror the labels in ops/komodo/docker-compose.yml for parity (not auto-deployed), record the decision in docs/DECISIONS.md, and update docs/AUTH_MATRIX.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -74,7 +74,14 @@ services:
|
||||
- traefik.http.routers.komodo.tls=true
|
||||
- traefik.http.routers.komodo.tls.certresolver=le
|
||||
- traefik.http.services.komodo.loadbalancer.server.port=9120
|
||||
|
||||
# Audit 2026-06-23 (P1): Komodo war public mit 200 erreichbar + RW-Docker-Socket-Kette.
|
||||
# IP-Allowlist begrenzt den GANZEN Router auf Tailnet + LAN (public -> 403). KEINE ForwardAuth
|
||||
# (Webhooks/Periphery laufen intern ueber komodo-core:9120, nicht ueber Traefik).
|
||||
# ACHTUNG: Self-Stack ist inline in Komodo verwaltet -> diese Labels muessen in der Komodo-UI
|
||||
# am Inline-Compose gesetzt werden; diese Datei ist nur Spiegel.
|
||||
- traefik.http.routers.komodo.middlewares=komodo-allowlist@docker
|
||||
- traefik.http.middlewares.komodo-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24
|
||||
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
|
||||
|
||||
Reference in New Issue
Block a user