fix: [#246] remove Prometheus port exposure for security

josecelano · josecelano · commit 8323def0632d · 2025-12-19T17:22:52.000Z
**Security Issue**: Prometheus port 9090 was exposed to external network due to
Docker bypassing UFW firewall rules when using 0.0.0.0:9090:9090 binding.

**Root Cause**: Docker manipulates iptables directly, taking precedence over UFW
rules. Even with UFW default policy 'deny incoming', Docker port bindings bypass
this protection.

**Solution**: Remove port mapping entirely for Prometheus service. Grafana can
still access Prometheus via Docker internal network (http://prometheus:9090).

**Changes**:
- Remove 'ports: - "9090:9090"' from Prometheus service in docker-compose.yml.tera
- Add comment explaining Prometheus is internal-only
- Update test to verify port is NOT exposed (security expectation)
- Grafana continues to work via Docker network communication

**Security Impact**:
- Before: Prometheus UI accessible at http://&lt;vm-ip&gt;:9090 (exposed)
- After: Prometheus UI NOT accessible externally (internal-only)
- Grafana access: Unchanged (uses Docker network)

**Verification**:
- All 1555 unit tests passing
- UFW firewall correctly denies incoming by default
- Only SSH, Tracker, and Grafana ports should be accessible

This issue existed since Prometheus slice implementation but was not detected
until Grafana integration testing revealed the exposure.
diff --git a/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs b/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
@@ -385,10 +385,10 @@ mod tests {
             "Should set container name"
         );
 
-        // Verify port mapping
+        // Verify port is NOT exposed (internal service only)
         assert!(
-            rendered_content.contains("9090:9090"),
-            "Should expose Prometheus port 9090"
+            !rendered_content.contains("ports:") || !rendered_content.contains("9090:9090"),
+            "Prometheus port 9090 should NOT be exposed to host (internal service only, accessed via Docker network)"
         );
 
         // Verify volume mount
diff --git a/templates/docker-compose/docker-compose.yml.tera b/templates/docker-compose/docker-compose.yml.tera
@@ -65,8 +65,9 @@ services:
     restart: unless-stopped
     networks:
       - backend_network
-    ports:
-      - "9090:9090"
+    # Port 9090 NOT exposed to host - internal service only
+    # Grafana accesses Prometheus via Docker network: http://prometheus:9090
+    # For debugging, use: docker exec -it prometheus wget -qO- http://localhost:9090/metrics
     volumes:
       - ./storage/prometheus/etc:/etc/prometheus:Z
     logging:
