Explicitly listen only on localhost / 127.0.0.1 when launching the server (#880)

greschd · web-flow · commit 9fc6f14c4949 · 2025-08-07T13:33:28.000+02:00
- In `direct` launch mode, listen only on `localhost`
- In `docker_compose` launch mode, limit connections to coming from `127.0.0.1` by limiting the source IP in the `ports` mapping
diff --git a/docker-compose/docker-compose-benchmark.yaml b/docker-compose/docker-compose-benchmark.yaml
@@ -14,7 +14,7 @@ services:
     environment:
       - ANSYSLMD_LICENSE_FILE=${ANSYSLMD_LICENSE_FILE}
     ports:
-      - "${PORT_ACP:-50555}:50051"
+      - "127.0.0.1:${PORT_ACP:-50555}:50051"
     working_dir: /home/container/workdir
     volumes:
       - "acp_data:/home/container/workdir/"
@@ -25,7 +25,7 @@ services:
     restart: unless-stopped
     image: ${IMAGE_NAME_FILETRANSFER:-ghcr.io/ansys/tools-filetransfer:latest}
     ports:
-      - "${PORT_FILETRANSFER:-50556}:50000"
+      - "127.0.0.1:${PORT_FILETRANSFER:-50556}:50000"
     working_dir: /home/container/workdir
     volumes:
       - "acp_data:/home/container/workdir/"
diff --git a/docker-compose/docker-compose-extras.yaml b/docker-compose/docker-compose-extras.yaml
@@ -8,15 +8,15 @@ services:
     command: ${MAPDL_CMD:--smp -np 1}
     shm_size: '4gb'
     ports:
-    - "${PYMAPDL_PORT:-50557}:50052"
+    - "127.0.0.1:${PYMAPDL_PORT:-50557}:50052"
     environment:
       - ANSYSLMD_LICENSE_FILE=${ANSYSLMD_LICENSE_FILE}
       - ANSYS_LOCK="OFF"
   pydpf-composites-server:
     restart: unless-stopped
     image: ${IMAGE_NAME_DPF_COMPOSITES:-ghcr.io/ansys/pydpf-composites:latest}
     ports:
-    - "${PYDPF_COMPOSITES_DOCKER_CONTAINER_PORT:-50558}:50052"
+    - "127.0.0.1:${PYDPF_COMPOSITES_DOCKER_CONTAINER_PORT:-50558}:50052"
     environment:
       - ANSYSLMD_LICENSE_FILE=${ANSYSLMD_LICENSE_FILE}
       - ANSYS_DPF_ACCEPT_LA=${ANSYS_DPF_ACCEPT_LA}
diff --git a/src/ansys/acp/core/_server/direct.py b/src/ansys/acp/core/_server/direct.py
@@ -98,7 +98,7 @@ def start(self) -> None:
         self._process = subprocess.Popen(  # nosec B603: documented in 'security_considerations.rst'
             [
                 self._config.binary_path,
-                f"--server-address=0.0.0.0:{port}",
+                f"--server-address=localhost:{port}",
             ],
             stdout=self._stdout,
             stderr=self._stderr,
diff --git a/src/ansys/acp/core/_server/docker-compose.yaml b/src/ansys/acp/core/_server/docker-compose.yaml
@@ -5,7 +5,7 @@ services:
     environment:
       - ANSYSLMD_LICENSE_FILE=${ANSYSLMD_LICENSE_FILE}
     ports:
-      - "${PORT_ACP:-50555}:50051"
+      - "127.0.0.1:${PORT_ACP:-50555}:50051"
     working_dir: /home/container/workdir
     volumes:
       - "acp_data:/home/container/workdir/"
@@ -14,7 +14,7 @@ services:
     restart: unless-stopped
     image: ${IMAGE_NAME_FILETRANSFER:-ghcr.io/ansys/tools-filetransfer:latest}
     ports:
-      - "${PORT_FILETRANSFER:-50556}:50000"
+      - "127.0.0.1:${PORT_FILETRANSFER:-50556}:50000"
     working_dir: /home/container/workdir
     volumes:
       - "acp_data:/home/container/workdir/"

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ def start(self) -> None:`
`98`	`98`	`self._process = subprocess.Popen( # nosec B603: documented in 'security_considerations.rst'`
`99`	`99`	`[`
`100`	`100`	`self._config.binary_path,`
`101`		`- f"--server-address=0.0.0.0:{port}",`
	`101`	`+ f"--server-address=localhost:{port}",`
`102`	`102`	`],`
`103`	`103`	`stdout=self._stdout,`
`104`	`104`	`stderr=self._stderr,`