[Feature]: DOZZLE_ENABLE_SHELL=true and DOZZLE_ENABLE_ACTIONS=true exposed on unauthenticated port; potential host compromise

[traxeon]

Feature Category

Security

Problem Statement

Anyone who can reach port 9999 on the host gets a web-based terminal into any running container on the system, with no login required.

Proposed Solution

Remove DOZZLE_ENABLE_SHELL=true and DOZZLE_ENABLE_ACTIONS=true from the default configuration. If shell and action access are desired, document them as explicit opt-in settings the user must consciously enable after placing Dozzle behind authentication.

Alternative Solutions

• Make Dozzle opt-in entirely and remove it from the default stack ([Bug]: Dozzle deployed unconditionally with no conflict detection #277 ), leaving users to integrate their own Dozzle instance with whatever authentication they already have in place.
• Require Dozzle to sit behind an authenticated reverse proxy before enabling shell or action features, and document this as a hard requirement with example configuration. The installer should detect whether a reverse proxy with authentication is in place and refuse to enable these features if one is not configured.

Use Case

No response

Who would benefit from this feature?

All Users

How important is this feature to you?

High - Would significantly improve my experience

Implementation Ideas (Optional)

• Add an installer prompt asking whether the user has an authenticated reverse proxy in front of the stack, and conditionally set DOZZLE_ENABLE_SHELL and DOZZLE_ENABLE_ACTIONS based on the answer
• Add a NOMAD_ENABLE_DOZZLE_SHELL environment variable to the installer that gates the feature, forcing a conscious opt-in

Examples or References

No response

Would you be willing to help implement this?

Maybe - with guidance

Additional Context

No response

Pre-submission Checklist

• I have searched for existing feature requests that might be similar
• This feature aligns with N.O.M.A.D.'s mission of offline-first knowledge and education
• I understand that feature requests are not guaranteed to be implemented

[traxeon]

I noticed that #211 covers this but created this as a unique item so it can be individually addressed. Combining multiple issues in one record makes it hard to address them independently. This is just for Dozzle env options. Thank you for all the hard work. Great project.

[traxeon]

I also included Dozzle Actions on this which was not in the first one.

[chriscrosstalk]

Good catch — shell access with the Docker socket mounted is a real escalation path. Fix is up in PR #287: disables DOZZLE_ENABLE_SHELL while keeping log viewing and container actions enabled.

[traxeon]

Should I refile the request for DOZZLE_ENABLE_ACTIONS=true ?

[chriscrosstalk]

No need to refile — we've updated PR #287 to disable both DOZZLE_ENABLE_SHELL and DOZZLE_ENABLE_ACTIONS. Since Dozzle runs on an unauthenticated port, having container stop/restart buttons exposed to anyone on the LAN isn't great. NOMAD handles container management through its own admin UI, so Dozzle just needs to do what it does best — log viewing.

[cosmistack-bot]

🎉 This issue has been resolved in version 1.30.0-rc.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

[cosmistack-bot]

🎉 This issue has been resolved in version 1.30.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀