Project · gcp-mcp-standalone · ADRs

0006 — Broker binds 127.0.0.1 only

type adrstatus activesecurity · docker · network

Status

Accepted (2026-07-02)

Context

Docker Compose originally published the broker as 8002:8002, i.e. 0.0.0.0 — listening on the VM's public IP and on the tailnet. The only thing preventing direct internet access to the broker (admin API included) was the single deny-all firewall rule: one control, and one misconfiguration away from full exposure that would bypass Cloudflare entirely.

Decision

Publish as 127.0.0.1:8002:8002. cloudflared — the sole intended client — connects via localhost, so the tunnel is unaffected.

Consequences

  • The firewall rule is now defence-in-depth rather than the single control; even with the rule gone, :8002 is unreachable from outside the box.
  • The broker is also invisible to the tailnet: admin API access from the Mac becomes ssh -L 8002:localhost:8002 ubuntu@gcp-mcp-broker.
  • Change lives in the broker fork's docker-compose.yml (branch connectors), so it applies wherever the fork is deployed.
Compiled from wiki/projects/gcp-mcp-standalone/adr/0006-localhost-only-broker-bind.md · git is the source of truth