62.171.177.227)

| Port | Service | Binding | Notes |
|---|---|---|---|
| 22 | SSH | 0.0.0.0 | Key-based auth only |
| 80 | Traefik HTTP | 0.0.0.0 | Redirects to HTTPS |
| 443 | Traefik HTTPS | 0.0.0.0 | TLS termination, HTTP/2 + HTTP/3 |
| 3000 | Portal dev (systemd dev-portal) | 0.0.0.0 | Routed via Traefik → dev-portal.sayhellocollege.com (basic auth) |
| 3001 | Evidence slot A (evidence-a.service) | 0.0.0.0 | Blue-green slot — prod or dev depending on /srv/evidence/active |
| 3002 | Evidence slot B (evidence-b.service) | 0.0.0.0 | Blue-green slot — prod or dev depending on /srv/evidence/active |
| 5432 | PostgreSQL 14 | 127.0.0.1 | Host-level, localhost only ✓ |
| 6001-6002 | Coolify realtime | 0.0.0.0 | WebSocket for Coolify UI |
| 6379 | Redis | 127.0.0.1 | Host-level, localhost only ✓ |
| 8000 | Coolify dashboard | 0.0.0.0 | Maps to container 8080 |
| 8080 | Traefik dashboard | 0.0.0.0 | Exposed — needs auth or firewall |
| 8787 | Node.js dev | 0.0.0.0 | Exposed — should be localhost only |

5.78.149.183)

| Port | Service | Binding | Notes |
|---|---|---|---|
| 22 | SSH | 0.0.0.0 | Key-based auth only |
| 80 | Traefik HTTP | 0.0.0.0 | Redirects to HTTPS |
| 443 | Traefik HTTPS | 0.0.0.0 | TLS termination, HTTP/2 + HTTP/3 |
| 3000 | Next.js dev (PM2) | 0.0.0.0 | Exposed — should be localhost only |
| 3100 | MCP server (PM2) | 0.0.0.0 | Duplicate of Docker container |
| 6001-6002 | Coolify realtime | 0.0.0.0 | WebSocket for Coolify UI |
| 6333-6334 | Qdrant | 0.0.0.0 | Directly exposed — security risk |
| 8000 | Coolify dashboard | 0.0.0.0 | Maps to container 8080 |
| 8080 | Traefik dashboard | 0.0.0.0 | Exposed — needs auth or firewall |
| 9000 | Node.js dev | 0.0.0.0 | Exposed — should be localhost only |

Both servers: UFW INACTIVE. No OS-level firewall rules.

```bash
# On both servers:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP (Traefik)
sudo ufw allow 443/tcp  # HTTPS (Traefik)
sudo ufw allow 443/udp  # HTTP/3 (QUIC)
sudo ufw enable

# hc-central only:
sudo ufw allow 8000/tcp # Coolify dashboard (or restrict to your IP)

# hc-vps only:
sudo ufw allow 8000/tcp # Coolify dashboard (or restrict to your IP)
```


Both servers run coolify-proxy (Traefik v3.6.12):

exposedbydefault=false)
/traefik/dynamic/*.yaml

| File | Routes To |
|---|---|
| coolify-central.yaml | coolify-central.sayhellocollege.com → Coolify UI |
| evidence.yaml | evidence.sayhellocollege.com → active Evidence slot (port 3001 or 3002)<br>dev-evidence.sayhellocollege.com → standby Evidence slot |
| dev-environments.yaml | dev-portal.sayhellocollege.com → port 3000<br>termix.sayhellocollege.com → termix:8080 |
| wikijs.yaml | docs.sayhellocollege.com → wikijs:3000 (Docker labels) |
| default_redirect_503.yaml | Catchall → 503 (priority -1000) |

Routes managed via Docker labels (Coolify sets these automatically).