Security & Firewall
Two-layer network protection so only your API server can reach the databases.
Security Model
Internet / random IPs ──X──► DB ports (blocked)
API server 72.60.223.44 ──✓──► DB ports (allowed)
Admin ──✓──► SSH port 22
Anyone ──✓──► HTTP/HTTPS 80/443 (wiki + admin)
Layer 1 — UFW Firewall
| Rule | Who | Port |
|---|---|---|
| SSH | Any IP | 22 |
| PostgreSQL | 72.60.223.44 | 5432 |
| MongoDB | 72.60.223.44 | 27017 |
| Redis | 72.60.223.44 | 6379 |
| Qdrant | 72.60.223.44 | 6333, 6334 |
| Neo4j | 72.60.223.44 | 7687 |
| HTTP/HTTPS | Any IP | 80, 443 |
Layer 2 — DOCKER-USER Chain
UFW only filters the host's INPUT chain. A connection to a port published by a container is DNAT'ed to the container and travels through the FORWARD chain, where Docker's own rules accept it, so a UFW rule by itself does not protect a containerized database. Docker jumps to the DOCKER-USER chain as the first rule of FORWARD and never rewrites that chain, so the same source-IP restriction is enforced there:
- Established/related connection → allow
- From 72.60.223.44 → allow
- Everything else → drop
Two details matter in practice: match the drop on the internet-facing interface (-i) so container-to-container traffic on the Docker bridge is not caught by it, and persist the chain (iptables-persistent or a systemd unit), because iptables rules are lost on reboot.
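Both layers as one script, added here as an example rather than taken from the page's own setup. A single service table feeds the UFW rules (Layer 1) and the DOCKER-USER rules (Layer 2) so the two cannot drift apart, and an audit mode checks a live `iptables -S DOCKER-USER` listing. Assumptions not stated on the page: the public interface is eth0, the databases publish their ports through Docker, the match uses --ctorigdstport (so it still holds when the published host port differs from the container port), and the drop is scoped to the DB ports instead of all forwarded traffic, which keeps a containerized web service on 80/443 reachable; the page's own rule set drops everything else.

```shell
#!/usr/bin/env bash
# Added example: one service table drives both UFW (Layer 1) and DOCKER-USER
# (Layer 2). Prints the commands unless APPLY=1 (run as root). Assumptions not
# on the page: the public interface is eth0 and the DB containers publish ports.
set -eu

API_IP="${API_IP:-72.60.223.44}"
EXT_IF="${EXT_IF:-eth0}"   # assumption: internet-facing interface

# name:proto:ports (ports comma-separated); only these are IP-restricted
SERVICES='postgresql:tcp:5432
mongodb:tcp:27017
redis:tcp:6379
qdrant:tcp:6333,6334
neo4j:tcp:7687'

run() {  # execute when APPLY=1, otherwise print the command
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

db_ports() {  # one port per line
  printf '%s\n' "$SERVICES" | cut -d: -f3 | tr ',' '\n'
}

# Layer 1: default deny, SSH and web open, DB ports only from the API server.
ufw_rules() {
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 22/tcp
  run ufw allow 80,443/tcp
  printf '%s\n' "$SERVICES" | while IFS=: read -r name proto ports; do
    run ufw allow from "$API_IP" to any port "$ports" proto "$proto" comment "$name-from-api"
  done
  run ufw --force enable
}

# Layer 2: DOCKER-USER is consulted first in FORWARD, so published container
# ports are filtered here. -i limits the drop to the public interface, which
# leaves bridge (container-to-container) traffic alone. --ctorigdstport
# matches the port the client connected to, before Docker's DNAT rewrote it.
docker_user_rules() {
  run iptables -N DOCKER-USER 2>/dev/null || true   # already exists once Docker runs
  run iptables -F DOCKER-USER
  run iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  run iptables -A DOCKER-USER -i "$EXT_IF" -s "$API_IP" -j RETURN
  for port in $(db_ports); do
    run iptables -A DOCKER-USER -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$port" -j DROP
  done
  run iptables -A DOCKER-USER -j RETURN   # Docker's own terminating rule, re-added after the flush
}

# Audit: read `iptables -S DOCKER-USER` on stdin and confirm the API allow
# comes before a DROP for every DB port. Returns 1 on the first gap found.
audit_docker_user() {
  local rules allow_line port drop_line
  rules=$(cat)
  allow_line=$(printf '%s\n' "$rules" | grep -n -- "-s $API_IP/32 .*-j RETURN" | cut -d: -f1 | head -n1)
  [ -n "$allow_line" ] || { echo "missing RETURN for $API_IP" >&2; return 1; }
  for port in $(db_ports); do
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "--ctorigdstport $port .*-j DROP" | cut -d: -f1 | head -n1)
    if [ -z "$drop_line" ] || [ "$drop_line" -lt "$allow_line" ]; then
      echo "port $port: no DROP after the $API_IP allow" >&2; return 1
    fi
  done
}

main() {
  case "${1:-plan}" in
    plan)  ufw_rules; docker_user_rules ;;
    apply) APPLY=1; ufw_rules; docker_user_rules ;;
    audit) iptables -S DOCKER-USER | audit_docker_user && echo "DOCKER-USER ok" ;;
    *) echo "usage: $0 plan|apply|audit" >&2; return 2 ;;
  esac
}
main "$@"
```

Run `./fw.sh plan` first and read the output, then `sudo ./fw.sh apply`, then `sudo ./fw.sh audit` after every Docker restart to confirm the chain is still intact. SSH stays open to any IP as the page specifies; `ufw limit 22/tcp` in place of `ufw allow 22/tcp` adds rate limiting against password guessing at no cost. If Docker's ip6tables support is enabled, mirror the DOCKER-USER rules with ip6tables, since IPv6 traffic is not covered by the rules above.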
Application Security Rules
- Never put DB credentials in frontend or mobile code
- Never commit .env to git
- Use app-specific users, not postgres, admin or the neo4j root account
- Use parameterized queries (SQL, Cypher) and driver methods (Mongo)
- Do not expose raw DB errors to API clients
- Use connection pooling on all databases
- Enable TLS if traffic crosses untrusted networks; the API server is a separate host, so unless it shares a private network with the database host, the API-to-DB traffic crosses the internet and the source-IP rule above does nothing to encrypt it
Per-App Isolation
| Database | Isolation method |
|---|---|
| PostgreSQL | Separate DB + user per app |
| MongoDB | Separate DB + user per app |
| Redis | ACL user scoped to myapp:* key prefix |
| Qdrant | Collection naming: myapp_documents |
| Neo4j | Label prefix: MyApp_User + dedicated user |
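The isolation table as a provisioning script, added here as an example and not the project's own tooling. It creates one app-scoped identity per store and, because the app name is spliced into DDL and ACL strings that cannot be parameterized, validates it as a plain identifier first. Client commands, admin authentication (assumed to come from each tool's usual environment: PGPASSWORD, REDISCLI_AUTH, NEO4J_USERNAME/NEO4J_PASSWORD, a mongosh connection string in MONGO_URI), and the generated password format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's own tooling: creates one app-scoped identity
# per store, following the isolation table. Prints the statements unless
# APPLY=1 pipes them into the client tools. Client commands, admin accounts
# and the generated password format are assumptions.
set -eu

# The app name ends up inside DDL and ACL strings, which cannot be
# parameterized, so accept only a plain lowercase identifier.
validate_app() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_]{0,31}$' ||
    { echo "invalid app name (want ^[a-z][a-z0-9_]{0,31}$): $1" >&2; return 1; }
}

# The password is placed inside quoted literals below, so forbid anything
# that could close the quote.
validate_secret() {
  if [ -z "$1" ] || printf '%s' "$1" | grep -q '[^[:alnum:]_-]'; then
    echo "password must be non-empty and use only [A-Za-z0-9_-]" >&2; return 1
  fi
}

# PostgreSQL: own database, owned by a login role with no elevated attributes.
pg_sql() {
  cat <<EOF
CREATE ROLE "$1" LOGIN PASSWORD '$2' NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE DATABASE "$1" OWNER "$1";
REVOKE CONNECT ON DATABASE "$1" FROM PUBLIC;
EOF
}

# MongoDB: readWrite on the app's database only.
mongo_js() {
  printf 'db.getSiblingDB("%s").createUser({user: "%s", pwd: "%s", roles: [{role: "readWrite", db: "%s"}]});\n' "$1" "$1" "$2" "$1"
}

# Redis: ~prefix:* confines keys; -@dangerous also removes FLUSHALL, KEYS,
# CONFIG and friends, which a key pattern alone does not block.
# Persist afterwards with ACL SAVE (aclfile) or CONFIG REWRITE.
redis_acl() {
  printf 'ACL SETUSER %s on >%s ~%s:* +@all -@dangerous\n' "$1" "$2" "$1"
}

# Neo4j: dedicated login. Community Edition has neither RBAC nor extra
# databases, so the MyApp_ label prefix is a naming convention, not an
# enforced boundary; on Enterprise follow this with GRANTs scoped to those labels.
neo4j_cypher() {
  printf "CREATE USER %s SET PASSWORD '%s' CHANGE NOT REQUIRED;\n" "$1" "$2"
}

# Plan mode prints the statements under the client command they would go to;
# APPLY=1 feeds them to that client on stdin instead.
deliver() {  # $1 store label, $2 client command; statements on stdin
  if [ "${APPLY:-0}" = "1" ]; then sh -c "$2"; else printf '# %s: %s\n' "$1" "$2"; cat; fi
}

main() {
  local app pass
  app="${1:-myapp}"
  validate_app "$app"
  # 18 random bytes -> 24 chars of [A-Za-z0-9_-], no padding, quote-safe
  pass="${APP_DB_PASSWORD:-$(head -c 18 /dev/urandom | base64 | tr '/+' '_-')}"
  validate_secret "$pass"
  pg_sql "$app" "$pass"       | deliver postgresql 'psql -U postgres -v ON_ERROR_STOP=1'
  mongo_js "$app" "$pass"     | deliver mongodb    'mongosh --quiet "${MONGO_URI:-mongodb://localhost:27017}"'
  redis_acl "$app" "$pass"    | deliver redis      'redis-cli'
  neo4j_cypher "$app" "$pass" | deliver neo4j      'cypher-shell -u neo4j -d system'
}
main "$@"
```

Qdrant is left out because the page isolates it by collection name only; the same app name becomes the `myapp_` collection prefix. Plan mode prints the generated password in clear, so pipe it straight into a secrets store rather than a terminal transcript when provisioning for real.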
What Is NOT Exposed
- Neo4j browser UI (port 7474)
- DB ports to the public internet
- Root/admin credentials to app developers